Preventing Web Application from Cross-Site-Scripting using AWS WAF


AWS WAF is a web application firewall that lets you monitor the web requests forwarded to Amazon CloudFront distributions or an Application Load Balancer. You can also use AWS WAF to allow or block requests based on conditions you specify, such as the IP addresses that requests originate from or values in the requests.

It provides additional protection against web attacks using the criteria you specify. Depending on those criteria, the protected resource responds to a request with the requested content, an HTTP 403 status code (Forbidden), or a custom response.


  • AWS Account

Step-by-Step Guide

Step 1 – Create a Web Application

  1. Log in to your AWS Account
  2. Deploy a simple application that is susceptible to XSS attacks on an Amazon EC2 instance.

Step 2 – Create Application Load Balancer

  1. Go to the Load Balancer console and click “Create Application Load Balancer”.
  2. Provide the relevant information below:
  • Load Balancer Name: XSS-LoadBalancer
  • Scheme: Internet Facing
  • IP address type: IPv4
  • VPC: Same as that of the XSS application
  • Mapping: Select at least two AZs
  • Security groups: Create a new one with ports 80 and 443 open to anywhere, and add further ports as your application stack requires
  • Listeners and routing: Create a target group, add your EC2 instance to that target group, and leave the other options as they are.



3. Keep the rest of the options at their defaults, then click on “Create load balancer”.

4. Once the load balancer is up, open its DNS name in a browser to confirm that the application responds, then proceed to the next section.

Step 3 – Create WAF Web ACL and Associate Load Balancer

  1. Go to the WAF service in the AWS console to protect your application with WAF, and click on “Create web ACL”.
  2. The “Describe web ACL and associate it to AWS resources” section appears. Provide the web ACL details as shown below:
  • Name: XSS-WAF
  • Description: XSS-WAF
  • CloudWatch metric name: XSS-WAF
  • Region: Same as of LoadBalancer
  • Resource Type: Regional Resources


3. Under the “Associated AWS resources” section, click on “Add AWS resources”.

4. Add the XSS-LoadBalancer created in the previous section, then click on Next.


5. Under “Add rules and rule groups”, click on “Add managed rule groups”, expand the “AWS managed rule groups” section, enable the Core rule set, click on Add Rule, and then click on Next.


6. Under the “Set rule priority” section, click Next, as we have only one rule for now.


7. In the “Configure metrics” section, keep all the options at their defaults, and click on Next at the bottom.


8. In the last section, review all the settings, then click on Create Web ACL.

9. When you click on the newly created web ACL, it shows which rules requests have matched. It also displays many metrics from CloudWatch.

10. Now open the load balancer DNS name and add the script string to the request to check the exploit. You will get a 403 Forbidden error because the web ACL detected the request as an XSS attack.


11. Now go to the WAF overview. Under “Sampled requests” you will see the details of the URI you requested and that it was detected as XSS.
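The console procedure in Step 3, expressed as AWS WAFv2 API calls with boto3. This is an added example, not code from the original post; the load balancer ARN and region are supplied by the caller, and the Allow default action is an assumption the guide does not state.

```python
"""Added example: Step 3 of the guide expressed as AWS WAFv2 API calls."""

CORE_RULE_SET = "AWSManagedRulesCommonRuleSet"  # the AWS managed "Core rule set"


def visibility(metric_name):
    # Enables the CloudWatch metrics and "Sampled requests" used in steps 9 and 11.
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def build_web_acl_request(name="XSS-WAF"):
    """Return the keyword arguments for wafv2.create_web_acl()."""
    core_rule = {
        "Name": f"AWS-{CORE_RULE_SET}",
        "Priority": 0,  # only one rule, as in step 6
        "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": CORE_RULE_SET}
        },
        # Managed rule groups take OverrideAction, not Action; "None" keeps
        # the group's own block actions in force.
        "OverrideAction": {"None": {}},
        "VisibilityConfig": visibility(f"AWS-{CORE_RULE_SET}"),
    }
    return {
        "Name": name,
        "Description": name,
        "Scope": "REGIONAL",  # "Regional resources": required for a load balancer
        "DefaultAction": {"Allow": {}},  # assumption: unmatched requests pass
        "Rules": [core_rule],
        "VisibilityConfig": visibility(name),
    }


def deploy(alb_arn, region):
    """Create the web ACL in `region` and associate it with the load balancer."""
    import boto3  # imported here so the request builder works without the SDK

    waf = boto3.client("wafv2", region_name=region)
    acl_arn = waf.create_web_acl(**build_web_acl_request())["Summary"]["ARN"]
    waf.associate_web_acl(WebACLArn=acl_arn, ResourceArn=alb_arn)
    return acl_arn
```

If `associate_web_acl` runs before the new web ACL has propagated, the API can return `WAFUnavailableEntityException`; retry after a short wait.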



You can use AWS WAF for various kinds of matching, such as literal strings, regex patterns, SQL, etc. If the steps above protect your application from the XSS attack, you have successfully created the AWS WAF rule with the required inputs. AWS WAF lets you monitor the HTTP and HTTPS requests forwarded to your web application resources.


1. How does AWS WAF allow or block traffic?

ANS: – The underlying service forwards the requests it receives to AWS WAF for checking against your rules. Once a request meets a condition defined in your rules, AWS WAF instructs the underlying service to allow or block the request based on the action you define.

2. Can we use WAF service to protect websites not hosted in AWS?

ANS: – Yes. AWS WAF integrates with Amazon CloudFront, which supports custom origins outside of AWS.

3. What services are supported by AWS WAF?

ANS: – AWS WAF service can be configured on the Application Load Balancer (ALB), Amazon CloudFront, Amazon API Gateway, and AWS AppSync.

WRITTEN BY Mayank Bharawa


