AWS WAF — Know Your Enemy

Jess
3 min read · Mar 8, 2021

How many times have you been testing out a new program on HackerOne, only to see that it uses AWS WAF, and then decided to move on to an easier target?

Low-hanging-fruit gatherers like myself can be discouraged when they see a WAF protecting all the poorly coded endpoints that promise to pay off my mortgage.

src: https://unsplash.com/@jimmy_conover

When you see AWS WAF on your target, do not assume that it has been properly configured!
The worst thing you can do as a security researcher or bug bounty hunter is assume a WAF is properly configured, but you cannot find shortfalls in the WAF if you do not know what they could possibly be.

Let's break the AWS WAF down into parts so you have more to test.

AWS WAF provides these AWS Managed Rules rule groups out of the box (the parent rules); they only take effect once an operator attaches them to a web ACL:

Default AWS WAF Rules

Each parent rule group contains its own set of child rules that decide what to block and where in the request to look for it.

AWS-AWSManagedRulesSQLiRuleSet

Viewing the rules associated with AWSManagedRulesSQLiRuleSet below, can you tell which one is disabled?
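The screenshot shows the operator's view; from the outside you can only probe for the gap. An operator can answer the same question from the web ACL JSON that `aws wafv2 get-web-acl` returns: a child rule of a managed rule group is effectively disabled when it is listed in `ExcludedRules` (the older field) or its action is overridden to `Count` in `RuleActionOverrides`, and an entire parent group is neutered when the rule's `OverrideAction` is `Count`. The script below is an added example, not code from the original post; the web ACL it contains is constructed for illustration (the rule group and child rule names are real AWS names, the configuration is hypothetical).

```python
"""Audit which rules of an AWS WAF managed rule group are effectively disabled.

Input is the web ACL object as returned by:
  aws wafv2 get-web-acl --scope REGIONAL --name NAME --id ID --query WebACL
The SAMPLE_WEB_ACL below is constructed for this example (hypothetical deployment).
"""
import json

# Constructed sample: the SQLi managed rule group with two child rules neutered
# (SQLi_BODY via ExcludedRules, SQLi_QUERYARGUMENTS via an override to Count),
# plus the Common rule group switched to Count as a whole.
SAMPLE_WEB_ACL = json.loads(r"""
{
  "Name": "example-acl",
  "DefaultAction": {"Allow": {}},
  "Rules": [
    {
      "Name": "AWS-AWSManagedRulesSQLiRuleSet",
      "Priority": 1,
      "OverrideAction": {"None": {}},
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesSQLiRuleSet",
          "ExcludedRules": [{"Name": "SQLi_BODY"}],
          "RuleActionOverrides": [
            {"Name": "SQLi_QUERYARGUMENTS", "ActionToUse": {"Count": {}}},
            {"Name": "SQLi_COOKIE", "ActionToUse": {"Block": {}}}
          ]
        }
      }
    },
    {
      "Name": "AWS-AWSManagedRulesCommonRuleSet",
      "Priority": 2,
      "OverrideAction": {"Count": {}},
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet"
        }
      }
    }
  ]
}
""")


def audit_managed_rule_groups(web_acl):
    """Return {group_name: {"group_counted": bool, "disabled_rules": [names]}}.

    A child rule counts as disabled when it appears in ExcludedRules or when its
    action is overridden to Count. A group counts as "group_counted" when the
    parent rule's OverrideAction is Count, i.e. none of its rules can block.
    """
    findings = {}
    for rule in web_acl.get("Rules", []):
        mrg = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if mrg is None:
            continue  # a custom rule, not a managed (parent) rule group
        disabled = set()
        for excluded in mrg.get("ExcludedRules", []):
            disabled.add(excluded["Name"])
        for override in mrg.get("RuleActionOverrides", []):
            if "Count" in override.get("ActionToUse", {}):
                disabled.add(override["Name"])
        findings[mrg["Name"]] = {
            "group_counted": "Count" in rule.get("OverrideAction", {}),
            "disabled_rules": sorted(disabled),
        }
    return findings


def report(web_acl):
    """Human-readable summary, one line per managed rule group."""
    lines = []
    for group, f in audit_managed_rule_groups(web_acl).items():
        if f["group_counted"]:
            lines.append(f"{group}: WHOLE GROUP set to Count (blocks nothing)")
        elif f["disabled_rules"]:
            names = ", ".join(f["disabled_rules"])
            lines.append(f"{group}: counted/excluded child rules: {names}")
        else:
            lines.append(f"{group}: all child rules active")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # python waf_audit.py acl.json   (no argument: run against the constructed sample)
    acl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_WEB_ACL
    print(report(acl))
```

Both `ExcludedRules` and `RuleActionOverrides` are checked because AWS WAF has expressed "set this child rule to count" through each field at different times, and an exported web ACL may carry either. An override to `Block` (as on SQLi_COOKIE in the sample) is not reported, since it leaves the rule enforcing.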
