The WAF Deception: 70% of Firewalls Bypassed by HTTP Parameter Pollution and JS Injection