AWS WAF — Know Your Enemy

Jess
3 min read · Mar 8, 2021

How many times have you been testing out a new program on HackerOne, only to see that they use AWS WAF and decide to move on to an easier target?

Low-hanging-fruit gatherers, like myself, can be discouraged to see a WAF protecting all the poorly coded endpoints that promise to pay off my mortgage.


When you see AWS WAF on your target, do not assume that it’s been properly configured!
The worst…
