AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

With AWS WAF you pay only for what you use. AWS WAF pricing is based on how many rules you deploy and how many web requests your web application receives. There are no upfront commitments.

You can deploy AWS WAF on either Amazon CloudFront as part of your CDN solution, the Application Load Balancer (ALB) that fronts your web servers or origin servers running on EC2, or Amazon API Gateway for your APIs.

Anonymous Stormtroopers


Before we dive too deep, let’s cover some basics.

How WAFs Work

A Web Application Firewall, WAF, at a fundamental level will use a set of rules to distinguish between normal requests and malicious requests and will typically operate in one of three modes:

  • Negative Model (Blacklist) uses pre-set signatures to block web traffic that is clearly malicious, and signatures designed to prevent attacks which exploit certain website and web application vulnerabilities. Blacklisting model web application firewalls are a great choice for websites and web applications on the public internet, and are highly effective against an major types of DDoS attacks. Eg. Rule for blocking all <script>*</script> inputs.
  • Positive Model (Whitelist) only allows web traffic according to specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model can be very effective for blocking possible cyber-attacks, but whitelisting will block a lot of legitimate traffic. Whitelisting model firewalls are probably best for web applications on an internal network that are designed to be used by only a limited group of people, such as employees.
  • Mixed/Hybrid Model (Inclusive Model) is one that blends both whitelisting and blacklisting. Depending on all sorts of configuration specifics, hybrid firewalls could be the best choice for both web applications on internal networks and web applications on the public internet.


Testing Methodology

  • Always look out for common ports that expose that a WAF, namely 80, 443, 8000, 8008, 8080 and 8088 ports. This can be automated easily via command line tooling like cURL.
  • Different WAFs are implemented differently and therefore exhibit different behaviours. AWS WAF exhibits the following:
  • AWS WAF associates itself with separate HTTP headers, allowing for moderate fingerprinting.


Detection / Fingerprinting


AWS WAF is considered to exhibit moderate detectability, if following this simple detection methodology.

Response headers might contain:

  • AWSALB cookie field value.
  • X-AMZ-ID header.
  • X-AMZ-REQUEST-ID header.

Response page may contain:

  • Access Denied in their keyword.
  • Request token ID with length from 20 to 25 between RequestId tag.
  • Server header field contains awselb/2.0 value.


AWS Cloud SME and DevSecOps Specialist