
SQLi WAF Bypass Techniques Part 2 - Other Attacks 

Ott3rly
Subscribers: 3K
Views: 1.2K

Published: Oct 1, 2024

Comments: 11
@MdAsifulHuq 2 months ago
Thanks for the invaluable resources
@MdAsifulHuq 2 months ago
Really so underrated
@Bug1HunterMit 1 month ago
Firstly, thanks so much for your videos, they are very informative. Had a quick question - I frequently see some cases where SLEEP(n) works for one request, where the delay of n seconds is seen. But subsequent requests don't have that delay. Neither are the requests blocked themselves. In your experience, do WAFs have rules, which accept such requests, but have ML/AI, where it matches such a request with SLEEP with response timings, and only manipulates the response time after seeing one successful sleep attempt, by returning a generic response at some random interval for future responses? In other words, if it senses the backend is delaying, it just returns the previous response or something as is? Probably as an attempt to not overtly give away what it is blocking? When a sleep executes for the exact amount in the payload, it's hard to ignore! Not sure if any random server behind the scenes causes a sleep, but I am leaning towards some learning algorithm in WAFs that are now doing this - I did see some bounty reports as well, where people were not able to reproduce the delay due to sleep...
@Ott3rly 28 days ago
Never went that deep into how WAF works actually. It could be many things, sometimes the servers themselves are slow, sometimes there could be some AI/ML defenses in place, honeypot redirects, etc.
@bugbouty 4 months ago
great ott3rly
@ss-rc1gy 4 months ago
very underrated content, keep going :D
@mysteriousministar2481 4 months ago
what about ghauri? or + version
@Ott3rly 4 months ago
ghauri was shown in previous video.
@jayasurya3485 4 months ago
Thank you.