WAFs don’t work for APIs.
Description

Knight, who is Traceable’s director of security research and development, said WAFs are a “quick fix to a problem that doesn’t exist anymore. They were designed to protect legacy applications from known attacks like SQL injection or cross-site scripting (XSS). But they don’t understand the context of API calls — what data is being passed in them, where it came from and why it was sent there. And they can be bypassed with simple techniques like JSONP [JavaScript Object Notation with Padding]
https://t.co/5rALsPQsmz
