We’ve had a couple of similar issues with AWS WAF recently. In one case it blocked any request body containing `://` (i.e. any URL), claiming it was a file system path. In the other, we had a 3rd party cookie containing `= null` and the WAF thought it was SQLi. I guess I can see the argument about layering multiple imperfect defences, but we wasted hours diagnosing these and neither was a real issue, so I’m not sold on the value at this point.
Many of WAF's canned rule sets are ridiculously broad. I'm content to use the low-reputation-IP rules, but almost nothing else is advisable, unless you're intent on exposing (and not fixing?) a badly-written service to the world.
The low reputation IP rules are a pain in the arse -- and I say that as someone who frequently falls foul of them. I often have to use Tor to get around government blocks. The fact that Google and Cloudflare hate Tor users is just an extra kick in the teeth.
If your web app is vulnerable to being brute forced, fix it, don't blame the users...