Bypassing Web Application Firewall can be done not only by messing with its signatures. Oftentimes it is possible to fly malicious requests under the radar of security, simply by sending the data in such a way that the firewall fails to register it due to it being incorrect, but the web-application is sure to process the request correctly. More on this and other stuff at the presentation.