Web Application Firewalls (WAFs) act as a protective barrier in front of websites, screening all incoming traffic and filtering out suspicious content.
WAFs analyse requests and apply a set of rules to block common web attacks such as SQL injection and cross-site scripting (XSS).
While WAFs are an essential component of web security, they are not foolproof, and determined attackers can find ways to circumvent them.
Penetration testers and red teams sometimes need to bypass WAFs to identify vulnerabilities on a target system, and bug bounty hunters may need to circumvent them to uncover high-paying bugs.
This article provides a summary of what WAFs are and why they are sometimes bypassable.
The article emphasises the need to test website security comprehensively even when a WAF is in place, and warns that such testing should only be carried out with the appropriate permissions.