by nanocode
810 days ago
On the other hand, WAFs are another kind of security theater. They won't stop any determined attacker. Usually you just need to change your payload to make it work. Unless you tweak the rules a lot, to the point where you could encode them in your application as well (for example, the "user_id" field in the POST data must consist only of decimal numbers).
Stopping casual attackers is one talking point, but still not the real value. In my opinion, the real value is making you look less like "low-hanging fruit" to automated scans - throwing a bunch of 403's makes you less likely for a follow-up after an automated scan.
I actually have a side project, when I get the time, to try and prove it statistically using a honeypot. I would bet the overall volume of attacks is lower with a WAF enabled, and inversely correlates with the 403s thrown. Just my 2 cents.
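An added illustration of the point made above about payload tweaking versus application-side rules (example code written for this page, not the commenter's): a toy signature blocklist standing in for a WAF is run over the raw request body, while the application applies the "user_id must be decimal digits only" allowlist to the decoded field. The blocklist patterns, the form-encoded body format and the sample requests are all assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Toy "WAF": a signature blocklist matched against the raw, still-encoded body.
# Assumption: this stands in for a generic managed rule set; it is not any real product's rules.
BLOCKLIST = [
    re.compile(r"union\s+select", re.IGNORECASE),
    re.compile(r"<script", re.IGNORECASE),
    re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
]

# Application-side allowlist for the user_id field: one or more ASCII decimal digits.
# [0-9] is used on purpose; \d (and int()) also accept other Unicode digit scripts.
USER_ID_RE = re.compile(r"[0-9]+")


def waf_allows(raw_body: str) -> bool:
    """Return True when no blocklist signature matches the raw body (i.e. the WAF lets it through)."""
    return not any(pattern.search(raw_body) for pattern in BLOCKLIST)


def app_accepts_user_id(raw_body: str) -> bool:
    """Return True when the decoded body carries exactly one user_id made of decimal digits."""
    fields = parse_qs(raw_body, keep_blank_values=True)  # percent-decodes the values
    values = fields.get("user_id")
    if not values or len(values) != 1:  # missing field or duplicated parameter
        return False
    return USER_ID_RE.fullmatch(values[0]) is not None


def classify(raw_body: str) -> tuple[bool, bool]:
    """(WAF lets it through, application accepts it) for one request body."""
    return waf_allows(raw_body), app_accepts_user_id(raw_body)


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "benign": "user_id=42",
    "naive injection": "user_id=1 UNION SELECT password FROM users",
    "percent-encoded spaces": "user_id=1%20UNION%20SELECT%20password%20FROM%20users",
    "comment-separated keywords": "user_id=1/**/UNION/**/SELECT/**/password",
    "duplicated parameter": "user_id=42&user_id=1",
    "empty value": "user_id=",
    "Arabic-Indic digits": "user_id=%D9%A4%D9%A2",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        waf_ok, app_ok = classify(body)
        print(f"{name:28} WAF allows: {waf_ok!s:5}  app accepts: {app_ok}")
```

Only the unmodified injection string trips the blocklist; replacing the spaces with `%20` or `/**/` slips past it, which is the "just change your payload" failure mode. The allowlist rejects every variant, plus the duplicated-parameter and non-ASCII-digit inputs that a signature list never considers, because it checks what the field is supposed to be rather than what attacks are supposed to look like.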