
It doesn’t use mysql under the covers, it’s just that AWS WAF doesn’t know about this syntax so it doesn’t filter for it.

Singling out AWS WAF is a bit awkward. I’m sure there are other products that don’t protect against this. WAF in general is a mess, the entire philosophy is broken and it’s at best a speed bump. I don’t know why the industry allowed the moniker.



Yep, right you are. Agreed though - I think Akamai thinks URLs containing an = are suspicious, even if the URL looks nothing like SQL and very much like a path to a .jpg file.


Yup. Just consider WAF as a low-pass filter that cleans out the noise and lets you focus on the real attacks that get through.


Another good use case is hardening web applications that you aren't licensed to modify, or otherwise can't secure in a way that's internal to the app. (That could be due to limited time, too much complexity, inaccessible source code, or missing domain knowledge, maybe.)

Using a SaaS WAF for greenfield development always seemed to me like... I guess you'd say an "architecture smell" as opposed to code smell. More nodes in a network graph are worth avoiding if you can consolidate without losing functionality, velocity, etc.

Using WAF to get defense in depth starts making sense to me only when the paranoia level is sufficiently high and you're out of relatively effective ways to harden the other layers further.
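The "low-pass filter" and "speed bump" points above, plus the = in a .jpg path, in runnable form. This is an added example, not code from the thread or from any WAF vendor: the request targets are constructed, the two-pattern signature list is a toy stand-in for a rule-based WAF, and the SQLite schema, the product/user rows, and the function names (signature_waf_blocks, equals_in_path_blocks, vulnerable_lookup, hardened_lookup) are all assumptions made for the demonstration. The point it shows is that a signature filter catches the textbook payloads, misses a trivially rewritten one, and false-positives on a harmless path, while a parameterised query at the application layer is indifferent to what the filter let through.

```python
import re
import sqlite3
from urllib.parse import unquote, urlsplit

# Constructed sample request targets (not taken from the thread).
REQUESTS = {
    "benign":        "/product?id=42",
    "classic":       "/product?id=42%20OR%201=1",
    "union":         "/product?id=42%20UNION%20SELECT%20name%20FROM%20users",
    "union_comment": "/product?id=42%20UNION/**/SELECT%20name%20FROM%20users",
    "jpeg_path":     "/images/photo=1.jpg",
}

# Toy signature list in the spirit of a rule-based WAF: it knows two
# textbook patterns and nothing about comment-separated keywords.
SIGNATURES = [re.compile(p, re.I) for p in (r"\bor\s+1=1\b", r"\bunion\s+select\b")]


def signature_waf_blocks(target: str) -> bool:
    """True if any signature matches the percent-decoded request target."""
    decoded = unquote(target)
    return any(sig.search(decoded) for sig in SIGNATURES)


def equals_in_path_blocks(target: str) -> bool:
    """The crude heuristic from the thread: flag a '=' anywhere in the path."""
    return "=" in urlsplit(target).path


def query_param(target: str, name: str) -> str:
    """Decoded value of the first occurrence of one query parameter, or ''."""
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


def make_db() -> sqlite3.Connection:
    """Assumed schema for the demo: one product row, one user row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users    (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (42, 'widget');
        INSERT INTO users    VALUES (1, 'admin');
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """String-built query: whatever the WAF let through reaches SQLite verbatim."""
    rows = conn.execute(f"SELECT name FROM products WHERE id = {raw_id}")
    return [r[0] for r in rows]


def hardened_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Parameterised query: the value is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (raw_id,))
    return [r[0] for r in rows]


def waf_verdicts() -> dict:
    """Per-request verdicts of the two filters, for all constructed targets."""
    return {
        label: (signature_waf_blocks(t), equals_in_path_blocks(t))
        for label, t in REQUESTS.items()
    }


def lookups_for(label: str) -> tuple:
    """(vulnerable, hardened) results for a /product target, bypassing no WAF."""
    raw = query_param(REQUESTS[label], "id")
    return sorted(vulnerable_lookup(make_db(), raw)), sorted(hardened_lookup(make_db(), raw))


if __name__ == "__main__":
    for label, (sig, eq) in waf_verdicts().items():
        print(f"{label:14s} signature_blocks={sig!s:5s} equals_in_path={eq}")
    for label in ("benign", "union_comment"):
        print(label, lookups_for(label))
```

Running it, the signature filter blocks "classic" and "union", lets "union_comment" through, and the = heuristic flags only the .jpg path. For "union_comment" the string-built query returns both the product and the user row; the parameterised query returns nothing, because the injected text is compared to the integer id as data and simply matches no row.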



