Welcome to the WAF Workshop.

This workshop will introduce you to the core concepts of AWS WAF (also referred to as WAFV2).

What is AWS WAF?

AWS WAF is a web application firewall service. It helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.

Using a WAF is a great way to add defense in depth to your web application. A WAF can help mitigate the risk of vulnerabilities such as SQL Injection, Cross Site Scripting and other common attacks. WAF allows you to create your own custom rules to decide whether to block or allow HTTP requests before they reach your application.

Set Up

This workshop requires an AWS Account.

Mac and Linux OS

  • The AWS CLI may be useful, but is not mandatory
    • The AWS CLI will make it quick to deploy custom rules later in the workshop
    • Make sure the AWS CLI is updated to the latest version


This workshop uses curl to create and send HTTP requests. These are to test the WAF rules. curl is present on Windows Subsystem For Linux.

If you are unsure, you are recommended to use a AWS Cloud9 dev environment to complete this workshop. The Cloud9 environment contains all the tools required. The default settings when creating a Cloud9 environment are suitable for this workshop.

The Juice Shop

AWS WAF is used by attaching it to another AWS Resource: either a CloudFront distribution, Application Load Balancer, or API Gateway that is associated with your web application.

In order to test your WAF, you will need an application!

In this workshop you will use the OWASP Juice Shop. The Juice Shop is an Open Source web application that is intentionally insecure.

Pwning OWASP Juice Shop is a free book that explains the app and its vulnerabilities in more detail.

Deploy the sample Web App

Choose a region to deploy the Sample Web App to, and follow the appropriate link from the table below.

This CloudFormation stack will take approximately 5 minutes to complete.

Region Launch Template
US East (N. Virginia) (us-east-1) Deploy WAF Workshop Sample Web App
US East (Ohio) (us-east-2) Deploy WAF Workshop Sample Web App
US West(Oregon) (us-west-2) Deploy WAF Workshop Sample Web App
EU (Ireland) (eu-west-1) Deploy WAF Workshop Sample Web App
EU (London) (eu-west-2) Deploy WAF Workshop Sample Web App

Step by step instructions:

  1. If desired, provide your stack with a unique name. Be careful not to exceed the 64-character stack name limit
  2. Click the “Next” button at the bottom of the remaining pages, using the default values.
  3. On the final page, ensure the tickboxes allowing AWS CloudFormation to create IAM resources with custom names are ticked.
  4. Click the orange “Create stack” button at the bottom-right of the page to deploy the stack into your account.

CloudFormation will now deploy the Juice Shop application into your account. Wait until all stacks are shown in a CREATE_COMPLETE state.

  1. Find the JuiceShopUrl value in the CloudFormation template output. This is the address of your Juice Shop site.
  2. Set the JUICESHOP_URL variable in your terminal. You will use this variable for running test requests against your WAF.
JUICESHOP_URL=<Your JuiceShopUrl CloudFormation Output>

This workshop is based around a series of challenges. Each challenge will require you to understand a new concept of WAF.

Use the AWS WAF documentation to help!