BTW, here is the link to Ivan's presentation about WAF evasion techniques — http://www.slideshare.net/d0znpp/lie-tomephd2013. Lots of them are still valid for old-fashioned security vendors