AWS WAF doesn’t forward all incoming HTTP requests to my logs. I want to configure AWS WAF to handle all HTTP requests.
Resolution
AWS WAF has a body inspection size quota that sets the maximum HTTP request body size that AWS WAF can inspect. By default, the quota is 8 KB for regional resources (for example, Application Load Balancers and Amazon API Gateway) and 16 KB for Amazon CloudFront distributions. If a request body exceeds the quota, then AWS WAF inspects the body only up to the quota. Any cross-site scripting (XSS) or SQL injection pattern in the portion of the body after the quota isn't detected. Also, AWS WAF doesn't send the HTTP request to your logs.
To protect against attacks on uninspected body portions for oversize requests, set up a rule that blocks all oversize requests. Then, create rules that explicitly allow legitimate oversize requests. Take one of the following actions:
- Use the AWS Managed Rules core rule set (CRS)
- Create a custom rule
Use AWS Managed Rules CRS
Turn on the AWS Managed Rules CRS
Use the SizeRestrictions_Body rule from the AWS Managed Rules CRS. This rule inspects the request body size and blocks requests with bodies that are larger than the AWS WAF body inspection size quota. When the rule matches, it also adds the label awswaf:managed:aws:core-rule-set:SizeRestrictions_Body to the request, which later rules in the web ACL can match on.
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, choose the AWS Region where you created your web access control list (web ACL).
Note: If your web ACL is set up for Amazon CloudFront, then select Global.
- Select your web ACL.
- Under Rules, choose Add rules.
- From the dropdown list, choose Add managed rule groups.
- Under Free rule groups, select Core rule set.
Note: CRS is a set of multiple rules managed by AWS. If you want to use only the SizeRestrictions_Body rule in the rule group, then you must override all other rules to Count or Allow. Otherwise, keep the default configuration.
- Choose Save.
Create a rule that allows legitimate requests
The SizeRestrictions_Body rule blocks all incoming requests that exceed the body quota. As a result, the rule might block legitimate requests. To avoid this situation, set up a rule that allows legitimate requests that exceed the body inspection quota.
For example, if you receive legitimate requests from the /upload URL, then complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global.
- Select your web ACL.
- In the Core rule set rule group, for the SizeRestrictions_Body rule, override the Action to Count. The rule now adds its label to oversize requests instead of blocking them.
- Add a new custom rule after the Core rule set. For Inspect, select Has a label, and then for Match scope, select Label.
- For Label, enter awswaf:managed:aws:core-rule-set:SizeRestrictions_Body.
- Choose AND.
- Create a NOT statement, and then configure the following settings:
For Inspect, select URI path.
For Match type, select Exactly matches String.
For String to match, enter /upload. Note: Replace /upload with your URL.
- For Action, choose Block.
- For Set rule priority, set the priority of this rule so that it runs after the Core rule set managed rule group. The managed rule group adds its label first, and AWS WAF then evaluates that label in this rule. A rule can only match labels that were added by rules with an earlier (lower-numbered) priority.
- Choose Save.
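The same configuration expressed as the web ACL's Rules array in AWS WAF JSON, as an added example that is not code from the original article. It assumes a regional web ACL, the /upload path from the steps above, and the rule and metric names shown here; replace these with your own:

```json
[
  {
    "Name": "AWS-AWSManagedRulesCommonRuleSet",
    "Priority": 0,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "RuleActionOverrides": [
          {
            "Name": "SizeRestrictions_Body",
            "ActionToUse": { "Count": {} }
          }
        ]
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "AWS-AWSManagedRulesCommonRuleSet"
    }
  },
  {
    "Name": "block-oversize-body-except-upload",
    "Priority": 1,
    "Action": { "Block": {} },
    "Statement": {
      "AndStatement": {
        "Statements": [
          {
            "LabelMatchStatement": {
              "Scope": "LABEL",
              "Key": "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"
            }
          },
          {
            "NotStatement": {
              "Statement": {
                "ByteMatchStatement": {
                  "FieldToMatch": { "UriPath": {} },
                  "PositionalConstraint": "EXACTLY",
                  "SearchString": "/upload",
                  "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
                }
              }
            }
          }
        ]
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "block-oversize-body-except-upload"
    }
  }
]
```

The RuleActionOverrides entry switches SizeRestrictions_Body to Count, so the managed rule only labels oversize requests. The custom rule at priority 1 runs after the managed rule group, matches that label, and blocks unless the URI path is exactly /upload. The NotStatement keeps every other path blocked, so a request with an oversize body sent to, for example, /api/login is still rejected. To verify the configuration after you apply it (for example, with aws wafv2 update-web-acl), send a POST with a body larger than the quota to a path other than /upload and confirm that it's blocked, then send the same body to /upload and confirm that it's allowed. In both cases, the sampled requests or logs should show the SizeRestrictions_Body label on the request.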
Create a custom body inspection rule
Set up the oversize request handling action for the rule
When you configure a custom body inspection rule, you choose the oversize request handling action for the rule's body inspection. This action applies when the request body is larger than the body inspection size quota, and it can be one of Continue (inspect only the bytes within the quota), Match (treat the request as a match), or No match. Create a custom rule with Match as the oversize handling action and Block as the rule action so that AWS WAF blocks oversize requests.
Create a rule that allows legitimate requests
If the request body size exceeds the inspection quota, then the preceding custom rule blocks the request, including legitimate requests. To allow these requests, create a rule that explicitly allows requests from legitimate hosts. Then, set the priority of this rule so that AWS WAF evaluates it before the rule that blocks the request (in AWS WAF, a lower priority number is evaluated first). Because the Allow action ends web ACL evaluation for the request, scope the allow rule as tightly as you can so that it doesn't bypass your other rules.
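The two custom rules as a Rules array in AWS WAF JSON, as an added example that is not code from the original article. It assumes a regional web ACL with the default 8 KB quota and a hypothetical host name uploads.example.com for the legitimate upload host; the rule and metric names are also placeholders:

```json
[
  {
    "Name": "allow-oversize-from-upload-host",
    "Priority": 0,
    "Action": { "Allow": {} },
    "Statement": {
      "ByteMatchStatement": {
        "FieldToMatch": { "SingleHeader": { "Name": "host" } },
        "PositionalConstraint": "EXACTLY",
        "SearchString": "uploads.example.com",
        "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "allow-oversize-from-upload-host"
    }
  },
  {
    "Name": "block-oversize-body",
    "Priority": 1,
    "Action": { "Block": {} },
    "Statement": {
      "SizeConstraintStatement": {
        "FieldToMatch": { "Body": { "OversizeHandling": "MATCH" } },
        "ComparisonOperator": "GT",
        "Size": 8192,
        "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "block-oversize-body"
    }
  }
]
```

The block rule relies on OversizeHandling set to MATCH: any body larger than the quota matches regardless of the comparison, while bodies within the quota never exceed the GT 8192 check and pass through to the rest of the web ACL. Use 16384 for a CloudFront web ACL, or the value you configured if you increased the quota. The allow rule at priority 0 runs first and, as written, allows every request whose Host header is exactly uploads.example.com, not only oversize ones; if that is broader than you want, add an AndStatement that also matches the upload path or method.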
Related information
Why does AWS WAF block my legitimate upload request?