As demonstrated during an OWASP Europe 2009 presentation, WAFs (web application firewalls) also have vulnerabilities. Sandro Gauci (founder and CSO for EnableSecurity) and Wendel Henrique (member of SpiderLabs) showed how an attacker can easily identify and bypass several well-known web application firewalls using XSS (cross-site scripting) attacks, the same types of exploits WAFs should be protecting web applications from. WAFs can now be exploited using automated tools to gain direct access to a web application.
As Wendel Henrique explained, a WAF can help, but securing web applications is much more important. Apart from that, implementing a WAF can cost a lot of time and money, and there is also the need to make network configuration changes. By contrast, scanning a web application with a web vulnerability scanner such as Acunetix WVS helps you secure your web application without the need for web security expertise, and it saves you time.
In conclusion, although a WAF adds an extra layer of protection, one should never rely on web application firewalls alone, and should always ensure that the web applications themselves are secure.
You can read more about the OWASP Europe 2009 presentation on web application firewall vulnerabilities at the following link: http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=217400819&cid=RSSfeed