Without a WAF, the Application Load Balancer (ALB) lacks an essential layer of defense against common web exploits, such as SQL injection and cross-site scripting (XSS). This omission exposes the application to potential threats that could compromise sensitive data, disrupt operations, or enable unauthorized access.
In a typical scenario, an attacker sends malicious SQL queries or XSS payloads targeting a vulnerable application behind an ALB. Without a WAF, these requests are not filtered and reach the application, allowing the attacker to access sensitive data, manipulate content, or escalate their attack. If a WAF with rules for SQLi and XSS prevention were in place, such requests would be detected and blocked before reaching the application.