I tried submitting a form with <script>danger</script>
and I was NOT blocked. I put WAF on my ELB and did a test to make sure I have analytics (below).
What am I doing wrong?
Here is my ACL:
Here is my XSS and SQL Rule:
Analytics: (To show that traffic is indeed routing through LB)
Best Answer
Below is one example of how to trigger an XSS rule. This ought to trigger your rule all by itself (you can prove it out by pointing it to your own PHP page or other web location), but this at least demonstrates the general principle.
This and other examples are available in the following OWASP article:
Cross-site Scripting (XSS) - OWASP