Welcome to the WAF Workshop.
This workshop will introduce you to the core concepts of AWS WAF (the current version of the service, referred to as WAFV2 in the API and CLI).
AWS WAF is a web application firewall service. It helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.
Using a WAF is a good way to add defense in depth to your web application. A WAF can help mitigate the risk of vulnerabilities such as SQL Injection, Cross-Site Scripting and other common attacks. AWS WAF allows you to create your own custom rules that decide whether to block or allow HTTP requests before they reach your application.
This workshop requires an AWS Account.
This workshop uses `curl` to create and send HTTP requests that test the WAF rules. `curl` is available on macOS, most Linux distributions and the Windows Subsystem for Linux.
If you are unsure, use an AWS Cloud9 development environment to complete this workshop. The Cloud9 environment contains all the tools required, and the default settings when creating a Cloud9 environment are suitable for this workshop.
AWS WAF is used by associating a web ACL with another AWS resource that fronts your web application: a CloudFront distribution, an Application Load Balancer, or an Amazon API Gateway REST API.
In order to test your WAF, you will need an application!
In this workshop you will use the OWASP Juice Shop. The Juice Shop is an Open Source web application that is intentionally insecure.
Pwning OWASP Juice Shop is a free book that explains the app and its vulnerabilities in more detail.
Choose a region to deploy the Sample Web App to, and follow the appropriate link from the table below.
This CloudFormation stack will take approximately 5 minutes to complete.
| Region | Launch Template |
|---|---|
| US East (N. Virginia) (us-east-1) | ![]() |
| US East (Ohio) (us-east-2) | ![]() |
| US West (Oregon) (us-west-2) | ![]() |
| EU (Ireland) (eu-west-1) | ![]() |
| EU (London) (eu-west-2) | ![]() |
Step by step instructions:
CloudFormation will now deploy the Juice Shop application into your account. Wait until all stacks are shown in a CREATE_COMPLETE state.
Once the stacks are complete, set a `JUICESHOP_URL` variable in your terminal from the `JuiceShopUrl` output of the stack. You will use this variable for running test requests against your WAF:

```
JUICESHOP_URL=<Your JuiceShopUrl CloudFormation Output>
```
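The following script is an added example (not part of the workshop or the Juice Shop project) of how the `curl` test requests in the later challenges can be sent and interpreted. It assumes `JUICESHOP_URL` is set as in the step above and that Juice Shop's product search endpoint `/rest/products/search?q=` is reachable through the WAF-protected resource; the two probe payloads are constructed test inputs, and the `' OR 1=1--` one is only shaped like SQL injection so that a WAF rule can be exercised.

```shell
#!/usr/bin/env sh
# Added example (not from the workshop): probe a WAF-fronted Juice Shop with curl
# and classify each result by HTTP status code. Assumes JUICESHOP_URL is set as
# in the setup step and that the /rest/products/search?q= endpoint exists.
set -u

# Map an HTTP status code to a verdict. AWS WAF returns 403 for a request it
# blocks; 2xx/3xx means the request reached the application; 000 is the code
# curl reports when no HTTP response came back (DNS, TLS or connection failure).
classify_status() {
  case "$1" in
    403) echo BLOCKED ;;
    2[0-9][0-9]|3[0-9][0-9]) echo ALLOWED ;;
    000) echo NO_RESPONSE ;;
    *) echo "OTHER($1)" ;;
  esac
}

# Send one GET to the search endpoint with the payload URL-encoded as the q
# parameter and print only the status code. -G makes --data-urlencode build a
# query string instead of a POST body; -o /dev/null discards the body.
waf_probe() {
  url="$1"; payload="$2"
  code=$(curl -sS -G -o /dev/null -w '%{http_code}' \
    --max-time 10 \
    --data-urlencode "q=${payload}" \
    "${url%/}/rest/products/search") || true
  printf '%s\n' "${code:-000}"
}

# Run the constructed probes: one benign search and one SQL-injection-shaped
# search. Before any rule is attached to the web ACL both should be ALLOWED;
# after an SQLi rule is in place the second should become BLOCKED.
run_probes() {
  url="$1"
  for payload in "apple" "' OR 1=1--"; do
    code=$(waf_probe "$url" "$payload")
    printf '%-20s %s %s\n' "$payload" "$code" "$(classify_status "$code")"
  done
}

if [ -n "${JUICESHOP_URL:-}" ]; then
  run_probes "$JUICESHOP_URL"
else
  echo "set JUICESHOP_URL (see the setup step) to run live probes" >&2
fi
```

A 403 is only evidence of a WAF block if the application itself would not have returned 403 for that request; when in doubt, compare against the same request sent before the rule was added, and check the sampled requests or logs for the web ACL to confirm which rule matched.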
This workshop is based around a series of challenges. Each challenge will require you to understand a new concept of WAF.
Use the AWS WAF documentation to help!