The tweet argues that WAFs get in the way of ethical hackers whose target is the application, not the WAF: a bug bounty hunter who hits a WAF block cannot easily tell whether the application is actually safe or only shielded by a filter that could be bypassed with more effort. It asks how a program could tell legitimate testers apart from attackers and suggests the same arrangement pentest companies already get, so that testing traffic reaches the application directly. The author adds that most external WAFs can be bypassed manually anyway, which undercuts their value as the sole line of defence and raises the question of how WAFs and bug bounty programs should adapt to this kind of testing.
It would be good to see some results after all this. Atm WAFs are wasteful when it comes to ethical hackers who are trying to test the apps not the WAF. How can they distinguish? The same way they do it for a pentest company.
We can bypass most external WAFs manually but they…
— Soroush Dalili (@irsdl) July 26, 2024