Stefen posted his slides on “Shocking News in PHP Exploitation”. Besides talking about PHP vulnerabilities, stefen has discussed some great attack vectors for bypassing Mod-security, php-ids and WAFs.
Here is a good example, from his slides, on how mod-security can be bypassed:
Rules apply all transformation functions first
• t:none – reset
• t:urlDecodeUni – url decoding with unicode support
• t:htmlEntityDecode – decodes HTML entities
• t:replaceComments – removes all comments
• t:compressWhitespace – compresses whitespace