Waffle-y Order is a medium-difficulty Web challenge from HackTheBox, involving the exploitation of parser differential vulnerabilities to bypass a regex-based WAF and chain a PHP Object Injection with a Blind XXE to read arbitrary files and exfiltrate data.