How would you approach bypassing a modern web application firewall (WAF) during a security assessment at Asapp?