Fuzzing and Bypassing the AWS WAF

Blog post from Sysdig

Post Details
Author: Daniele Linguaglossa
Word Count: 1,200
Language: English

Summary

In this blog post, Daniele Linguaglossa explores methods for bypassing the AWS Web Application Firewall (WAF) by leveraging specific DOM events, revealing a vulnerability that was promptly reported and fixed by AWS. The post details the setup of a test environment that uses AWS WAF's managed rules to protect web applications from common threats such as XSS and SQL injection, and highlights that these rules are not foolproof and require fine-tuning to counter advanced threats effectively. Through manual testing and the development of a custom fuzzer named "Wafer," the team automated the search for unfiltered tags and attributes and uncovered a payload that exploits the experimental onbeforetoggle event to execute arbitrary JavaScript code, bypassing the WAF's defenses. The discovery underscores the importance of continuously testing and adapting security measures beyond out-of-the-box solutions to mitigate evolving cybersecurity threats, a point reinforced by the ability of other WAFs like F5 and ModSecurity to block such payloads effectively.