kay, so most of you who have hacked a bit sure have noticed that sometimes you get 406 not acceptable... that means they got a filter that looks for hack attepts, this can be done in a php script, packet sniffer, apache, everywhere...

anyway, the trick to bypass these is upercase-lovercase, becouse a is not the same as a...

a filter might detect words like union, select, all, 1,2,3 in a url or form post... but what about union? exactly, if the developer of the filter have not fixed so it compares after both sides have been lovercased or uppercased the site is still vuln..

this goes for xss,rfi,lfi,sql etc etc etc

xss;
<script>awdawdwd

rfi;
http://www

lfi;
../../../etc/passwd <- lfi is a bit tricky to bypass becouse of the ../

sql;
union all select 1 , 2 , 3 , 4

not mine tutorial
credits to original author "volume"