
2009: Evasion tactics

My mentor at SPI, Billy Hoffman (Acidus), sent out an email challenging anyone at the company to implement Jeff Forristal's (rfp) IDS evasion techniques from 1999 in our Web Proxy tool to see if they still worked. I was bored on a Monday night and wrote some sloppy C# code to modify HTTP requests to optionally include one or more of these techniques. Notably, if you used these tactics one at a time, most WAFs or other defenses mitigated the attack. However, I noticed that if you combined these techniques you got successful bypasses.
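The point above, that a defense handling each tactic in isolation is not the same as one that fully canonicalizes the request, can be shown from the defender's side. The following is an added illustration, not code from the original post or from the SPI Web Proxy tool: a one-shot matcher (decode once, fold case, strip `/./`) is compared against a matcher that normalizes the path to a fixpoint before checking a signature. The evasion families used (URL encoding, self-reference directories, case variation, multiple slashes, Windows delimiters) are from rfp's 1999 anti-IDS tactics; the signature `/admin/config.cgi` and the sample request paths are constructed for the demonstration.

```python
"""Canonicalize a request path to a fixpoint before signature matching.

Constructed defensive example (not the original post's C# code). The signature
and sample paths are made up; the evasion families are rfp's 1999 tactics.
"""
import re
from urllib.parse import unquote

# Constructed signature that a filter is looking for in the request path.
SIGNATURE = "/admin/config.cgi"

# Constructed samples: each applies exactly one tactic.
SINGLE_TACTIC = {
    "url-encoding": "/admin/%63onfig.cgi",
    "self-reference": "/admin/./config.cgi",
    "case-variation": "/Admin/Config.CGI",
}

# Constructed samples: two tactics stacked in one request.
COMBINED_TACTICS = {
    "double-encoding+case": "/Admin/%2563onfig.cgi",
    "encoded-self-reference+multi-slash": "/admin/%2e/%2F/config.cgi",
}


def naive_match(path: str) -> bool:
    """Handle each tactic once, in isolation: decode once, fold case, drop '/./'."""
    decoded = unquote(path).lower().replace("/./", "/")
    return SIGNATURE in decoded


def canonicalize(path: str, max_rounds: int = 5) -> str:
    """Decode and normalize repeatedly until the path stops changing.

    max_rounds bounds the loop so pathological input cannot spin it forever.
    """
    prev, cur, rounds = None, path, 0
    while cur != prev and rounds < max_rounds:
        prev = cur
        cur = unquote(cur)              # percent-decoding; repeats handle double encoding
        cur = cur.replace("\\", "/")    # Windows path delimiter
        cur = re.sub(r"/+", "/", cur)   # collapse runs of slashes
        cur = cur.lower()               # case-insensitive targets
        segments = []
        for seg in cur.split("/"):      # resolve '.' and '..' segments
            if seg in ("", "."):
                continue
            if seg == "..":
                if segments:
                    segments.pop()
                continue
            segments.append(seg)
        cur = "/" + "/".join(segments)
        rounds += 1
    return cur


def canonical_match(path: str) -> bool:
    """Match the signature against the fully canonicalized path."""
    return SIGNATURE in canonicalize(path)


def evaluate() -> dict:
    """Return which matcher catches which sample set (used for the demo and test)."""
    return {
        "naive_catches_single": all(naive_match(p) for p in SINGLE_TACTIC.values()),
        "naive_catches_combined": all(naive_match(p) for p in COMBINED_TACTICS.values()),
        "canonical_catches_single": all(canonical_match(p) for p in SINGLE_TACTIC.values()),
        "canonical_catches_combined": all(canonical_match(p) for p in COMBINED_TACTICS.values()),
    }


if __name__ == "__main__":
    for name, path in {**SINGLE_TACTIC, **COMBINED_TACTICS}.items():
        print(f"{name:36} naive={naive_match(path)!s:5} canonical={canonical_match(path)}")
    print(evaluate())
```

The naive matcher catches every single-tactic sample and misses both stacked samples; the fixpoint canonicalizer catches all of them. The design choice worth noting is the loop-to-fixpoint: each transformation alone is correct, and stacking is exactly what defeats a matcher that applies each one only once.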

In my research, I also found that if you introduced time delays between HTTP 100 continuations you could bypass the default stateful packet inspection timeout (30 seconds) in Snort. Dan Kaminsky pointed out at BlackHat this year that if timeout settings are not synchronized on all your systems, problems will ensue. I presented my findings and research at OuterZ0ne: