
I've read about Web Application Firewalls in a MOOC, and the provided example is that the WAF can filter out a request like `?user=<script` to avoid potential XSS attacks.

But what if a webpage of the application allows viewing a user's profile in a pretty way like `view_user?name=...` (instead of ID-based)? I could set my name to `<script` in the register form or so, and then no one will be able to see my profile, because the page would legitimately be `view_user?name=<script` and the WAF rejects it?

Such a username sounds odd, but it can be an advantage to have a non-accessible profile in some applications: like in a game where you have to view the player's page [or a town's page or a character's page etc.] to attack them, in a forum where you need to get to a user's page to edit/ban them, etc.

In more general terms: can you avoid side-effects of WAF rules that break business-logic? How?

Xenos
  • It doesn't work like that in the real world. Name= – Aria Oct 10 '17 at 12:14
  • 4
    @Aria I disagree. IMO, OP raises an actual issue with WAFs. They can occasionally be abused to trigger false positives. Also, a WAF might allow a username like ` – Arminius Oct 10 '17 at 15:50
  • @Aria Hence my `in a pretty way like view_user?name=... instead of ID-based`. You can pass the ID still, and rely on it, using only the name as a decoration. Like `/view/profile/ – Xenos Oct 11 '17 at 14:57
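To make the false positive concrete, here is an added Python sketch (not from the question, the comments, or any real WAF product): a toy signature rule that blocks `<script` in query values, a name-keyed profile route that the rule makes unreachable for a user whose name is `<script`, and a hypothetical ID-keyed route (`view_user?id=...`) that keeps the user-controlled name out of the request entirely and escapes it on output, where the XSS defence belongs.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed user table (hypothetical): profile names are user-controlled text.
USERS = {
    1: "alice",
    2: "<script",  # a legitimately registered, but WAF-hostile, display name
}

# Toy signature rule in the style of the MOOC example: reject any request whose
# query parameter values contain "<script" before it reaches the application.
SIGNATURE = re.compile(r"<script", re.IGNORECASE)


def waf_allows(url: str) -> bool:
    """Return True if the naive WAF would let the request through."""
    query = urlsplit(url).query
    # parse_qs percent-decodes, so "%3Cscript" is inspected as "<script".
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(SIGNATURE.search(v) for v in values):
            return False
    return True


def render_profile(user_id: int) -> str:
    """Application side: look up by ID and HTML-escape the name on output."""
    return f"<h1>{html.escape(USERS[user_id])}</h1>"


def fetch_by_name(url: str) -> Optional[str]:
    """Name-keyed route: reachability now depends on user-chosen text."""
    if not waf_allows(url):
        return None  # WAF blocked a legitimate profile view
    name = parse_qs(urlsplit(url).query).get("name", [""])[0]
    for uid, uname in USERS.items():
        if uname == name:
            return render_profile(uid)
    return None


def fetch_by_id(url: str) -> Optional[str]:
    """ID-keyed route (hypothetical): the name never enters the request."""
    if not waf_allows(url):
        return None
    ids = parse_qs(urlsplit(url).query).get("id", [])
    return render_profile(int(ids[0])) if ids and ids[0].isdigit() else None
```

The same escaped output is produced either way; only the ID-keyed route stays reachable for every registered name under the blocking rule.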

1 Answer

In a general sense, WAFs are historically notorious for false positives (issuing alerts on legitimate requests when in non-blocking mode) and for edge-case breakage of applications, difficult or impossible to reproduce in non-production environments, when in blocking mode.

As a result, the overall space is evolving away from signature- and granular request-specific alerting, which is really the responsibility of the application, and moving more towards reputation analysis, statistical anomaly detection, and providing pooled intelligence around the behavior of threat actors.

Jonah Benton