Earlier this year my colleague identified an application that was clearly vulnerable to cross-site scripting (XSS), as special characters were not encoded.
However, he quickly learned that the application was behind a WAF, as attempts to exploit the XSS resulted in an HTTP 403 error message.
Figure: Standard AWS WAF error message
After talking to the application owners, we learned that the application was in fact behind an AWS WAF with the Core Rule Set enabled.
Taking into account how many web applications use AWS WAF with CRS, bypassing it seemed quite challenging. However, we decided to spend some extra time attempting to do so.