How do I explicitly allow file uploads that an AWS WAF rule blocks without excluding the rule?

5 minute read
0

I want to allow users to upload files using specific file extensions without having to block the current AWS WAF configuration rule.

Short description

HTTP file upload content is commonly one of the following types:

  • Form-data: Data that's sent from website forms to APIs as part of a multipart form-data.
  • Binary-data: A file that's anything other than a text payload. The binary file can be a JPEG file, a GZip file, or a PDF file.

To find out why AWS WAF blocks a POST request, review the common rules that block file uploads. If a common rule isn't blocking the upload, then review the additional options for allowing blocked files.

The following rules commonly block file uploads:

  • CrossSiteScripting_BODY
  • SQLi_BODY
  • SizeRestrictions_BODY
  • Custom rules that evaluate the request BODY

Resolution

Determine which rule blocks the file uploads

Complete the following steps to determine which rule blocks the file upload:

1.    Open the AWS WAF console.

2.    Review the sampled web requests. The sampled requests contain both information on the rule that blocks the request and the HTTP request components.

3.    On the Overview page, under Rule inside rule group, find the HTTP request components. The components look similar to the following examples:

Rule inside rule group

awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body

Request

`POST /upload`  
`User-Agent: PostmanRuntime/7.30.0 Accept: */* Host: example.amazonaws.com Connection: keep-alive Content-Type: multipart/form-data; boundary=--------------------------421232031360350156757252 Content-Length: 4060737 `

4.    Review the AWS WAF comprehensive logs for terminatingRuleMatchDetails.

Note: The terminatingRuleMatchDetails field populates only for SQLi_BODY and CrossSiteScripting_BODY attacks.

Identify the content type of the POST data

To identify the content type, review the HTTP header in your POST data for content-type. In the previous example, the content type is multipart/form-data.

Form-data content 

For form-data content that has multipart/form-data for the header value, complete the following steps:

1.    Open the AWS WAF console.

2.    In the navigation pane, under AWS WAF, choose Web ACLs.
Note: The default selection for Region is US East (N. Virginia). Choose the AWS Region where you created your web ACL. Choose Global if your web ACL is set up for Amazon CloudFront.

3.    Choose your Web ACL.

4.    On the Rules tab, choose Add Rules, and then choose Add my own rules and rule groups.

5.    On the Add rule screen, under Rule Type, choose Rule builder.
For Name, enter a name to identify this rule.
For Type, choose Regular rule.
For If a request, choose matches the statement.
For Inspect, choose Body.
For Content type, choose JSON.
For JSON match scope, choose Values.
For How AWS WAF should handle the request if the JSON in the request body is invalid, choose the option appropriate for you.
For Content to inspect, choose Full JSON content.
For Match type, choose Matches regular expression.
For Regular expression, paste the following sample regex-pattern:

(?:.pdf|.doc|.docx|.ppt)

(Optional) For Text transformation, choose either a text transformation or None. For more information, see Text transformations.
For Oversize Handling, choose the option appropriate for your configuration. For more information, see Handling oversize web request components in AWS WAF.
For Action, choose Allow. For more information, see Rule action.

6.    Choose Add Rule.

7.    For Set Rule Priority, select your rule and move it to a higher priority than the rule that blocks the request. AWS WAF evaluates the rules according to the priority that's set. For more information, see Processing order of rules and rule groups in a web ACL.

8.    Choose Save. Make sure that the rules works as expected.

Binary-data content

For binary-data content that has a value similar to application/pdf or application/ppt for the header value, complete the following steps:

1.    Open the AWS WAF console.

2.    In the navigation pane, under AWS WAF, choose Web ACLs.
Note: The default selection for Region is US East (N. Virginia). Choose the AWS Region where you created your web ACL. Choose Global if your web ACL is set up for Amazon CloudFront.

3.    Choose your Web ACL.

4.    On the Rules tab, choose Add Rules, and then choose Add my own rules and rule groups.

5.    On the Add rule screen, under Rule Type, choose Rule builder.
For Name, enter a name to identify the rule.
For Type, choose Regular rule.
For If a request, choose matches the statement.
For Inspect, choose Single header.
For Header field name, enter Content-Type.
For Match type, choose Matches regular expression.
For Regular expression, paste the following sample regex-pattern:

(?:pdf|jpeg)

(Optional) For Text transformation, choose either a Text transformation or None. For more information, see Text transformations.
For Action, choose Allow. For more information, see Rule action.

6.    Choose Add Rule.

7.    For Set Rule Priority, select your rule and move it to a higher priority than the rule that blocks the request. AWS WAF evaluates the rules according to the priority that's set. For more information, see Processing order of rules and rule groups in a web ACL.

8.    Choose Save. Make sure that the rule works as expected.

Note: To restrict the rule for a specific upload URI path, use an AND statement inside the Web ACL rule.

Related information

How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Kinesis Data Firehose?

AWS OFFICIAL
AWS OFFICIALUpdated a year ago
2 Comments

I cannot get this to work for image uploads. This is the multipart/form-data being submitted and it doesn't look like json at all. Image upload is failing and I've had to disable the CrossSiteScripting_BODY rule -

------WebKitFormBoundaryTJriLfD8P9chsSY9 Content-Disposition: form-data; name="image"; filename="Screenshot 2024-01-07 at 12.41.34 AM.png" Content-Type: image/png

------WebKitFormBoundaryTJriLfD8P9chsSY9--

replied 5 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 5 months ago