This is a great deep dive into Web Application Firewalls and their limitations.
“In general, WAF is a modern security solution, and it won’t hurt having it with your web applications. Although today, it can only hinder the process of vulnerability search and exploitation, but it cannot protect from them altogether. As thing stand, this is the state of the art for quite a while. Vulnerabilities in web apps can only be fixed by correcting the code related to them, and that’s the only foolproof solution.”
Read More Here: https://habr.com/en/company/dsec/blog/454592/