
Why does AWS WAF block my legitimate upload request?


I want to upload (POST) a file that uses an extension that AWS WAF blocks.

Short description

AWS WAF might block a POST request for one of the following reasons:

  • Your file is larger than the maximum request body size that AWS WAF can inspect. AWS WAF has fixed body inspection size quotas.
  • The SQL injection and cross-site scripting (XSS) rules are sensitive to files whose metadata contains random byte sequences. Those sequences might match web access control list (web ACL) rules because they resemble the XSS or SQL injection signatures that AWS WAF inspects for.

To resolve this issue, review the following common rules that might block file uploads:

  • SQLi_BODY
  • CrossSiteScripting_BODY
  • WindowsShellCommands_BODY
  • GenericLFI_BODY
  • SizeRestrictions_BODY

If none of these common rules is the one that blocks the upload, use one of the additional options to allow blocked files described at the end of this article.

Note: It's a best practice to test rules in a non-production environment with Action set to Count. To evaluate the rule, use Amazon CloudWatch metrics combined with AWS WAF sampled requests or AWS WAF logs. After the rule runs as you expect, change the Action to Block.

Resolution

File uploads that SQLi_BODY and CrossSiteScripting_BODY rules block

Check the terminatingRuleMatchDetails field in your AWS WAF logs for rule information.

Note: The terminatingRuleMatchDetails field populates only for SQLi_BODY and CrossSiteScripting_BODY attacks.

The following is an example of matchedData for CrossSiteScripting_BODY:

"terminatingRuleMatchDetails": [{
        "conditionType": "XSS",
        "location": "BODY",
        "matchedData": [
            "

The following is an example of matchedData for SQLi_BODY:

"terminatingRuleMatchDetails": [{
        "conditionType": "SQL_INJECTION",
        "location": "BODY",
        "matchedData": [
            ")",
            "*",
            "(",
            "0"
        ]
}]

To address uploads that SQLi_BODY or CrossSiteScripting_BODY block, choose one of the following options.
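The triage the log section describes, as an added example that is not part of the original article: a small parser that walks AWS WAF log records, keeps blocked POSTs, and reports which managed rule fired, which label it added (the key you need for the label-match exception rules below) and what bytes matched. The sample records are constructed for this example; the SQLi matchedData values are the ones quoted above, and the record shows that a SizeRestrictions_BODY block carries no terminatingRuleMatchDetails, only a label.

```python
import json

# Constructed sample AWS WAF log records (not real traffic). Field layout follows the
# AWS WAF log format: the specific managed rule sits in ruleGroupList, not terminatingRuleId.
SAMPLE_LOG_LINES = [
    json.dumps({
        "action": "BLOCK",
        "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
        "terminatingRuleType": "MANAGED_RULE_GROUP",
        "terminatingRuleMatchDetails": [{
            "conditionType": "SQL_INJECTION", "location": "BODY",
            "matchedData": [")", "*", "(", "0"]}],
        "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                           "terminatingRule": {"ruleId": "SQLi_BODY", "action": "BLOCK"}}],
        "labels": [{"name": "awswaf:managed:aws:core-rule-set:SQLi_Body"}],
        "httpRequest": {"httpMethod": "POST", "uri": "/upload"},
    }),
    json.dumps({
        "action": "BLOCK",
        "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
        "terminatingRuleType": "MANAGED_RULE_GROUP",
        "terminatingRuleMatchDetails": [],  # empty: only SQLi/XSS rules populate this field
        "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                           "terminatingRule": {"ruleId": "SizeRestrictions_BODY", "action": "BLOCK"}}],
        "labels": [{"name": "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"}],
        "httpRequest": {"httpMethod": "POST", "uri": "/upload"},
    }),
    json.dumps({"action": "ALLOW", "terminatingRuleId": "Default_Action",
                "terminatingRuleMatchDetails": [], "ruleGroupList": [], "labels": [],
                "httpRequest": {"httpMethod": "GET", "uri": "/"}}),
]


def triage_blocked_posts(log_lines):
    """One summary per blocked POST: URI, the managed rule that fired, the label it
    added (key for a label-match exception) and the matched bytes, if any."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        req = rec.get("httpRequest", {})
        if rec.get("action") != "BLOCK" or req.get("httpMethod") != "POST":
            continue
        rule_ids = [g["terminatingRule"]["ruleId"] for g in rec.get("ruleGroupList", [])
                    if g.get("terminatingRule")]
        matched = [m for d in rec.get("terminatingRuleMatchDetails", [])
                   for m in d.get("matchedData", [])]
        label = next((l["name"] for l in rec.get("labels", [])
                      if l["name"].endswith("_Body")), None)
        findings.append({"uri": req.get("uri"), "label": label, "matched_data": matched,
                         "rule": rule_ids[0] if rule_ids else rec.get("terminatingRuleId")})
    return findings
```

Feed it the lines of a log file delivered to Amazon S3 or CloudWatch Logs to see, per upload path, which rule and label to build an exception for.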

Add well-known IP addresses to a safe list

If you know the specific range that accesses your application, then use IP match conditions to add the IP addresses to a safe list rule.

Use a safe list with a match condition

If you don't know the IP address range and want to allow the request, use a safe list with a string or regex match condition. Create the safe list based on a URI, HTTP headers, or a phrase that's associated with the body of the uploaded files.

Use unique identifiers in your safe list to identify legitimate requests.

To create your safe list, create a new custom rule to block XSS or SQLi vectors with an exception condition. Base the condition on the matched data of valid request attributes for upload. Override the action for the specific rules inside the managed rule groups that cause the false positive. For these rules, set SQLi_BODY and CrossSiteScripting_BODY to Count.

To create this custom rule, complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where you created your web ACL.
    Note: If your web ACL is set up for Amazon CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  6. For Name, enter a rule name, and then choose Regular Rule.
  7. For If a request, choose matches all the statements (AND).
  8. Complete Statement 1 with the following fields:
    For Inspect, select Has a label.
    For Match scope, select Label.
    For Match key, enter the label for the rule that creates the false positive. For example, if the CrossSiteScripting_BODY rule creates the false positive, then enter awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body.
  9. Complete Statement 2 with the following fields:
    Select the check box for Negate statement results.
    For Inspect, select Body.
    For Match type, select Contains string.
    For String to match, enter the value that you want to match to the rule.
  10. (Optional) For Text transformation, choose a text transformation or choose None.
  11. For Action, choose Block.
  12. Choose Add rule.
  13. For Set rule priority, move the rule below the managed rule group that blocks the request. The managed rule group then runs first and adds its label to the request, and your custom rule, evaluated at the next priority, can match on that label.
  14. Choose Save.

File uploads that WindowsShellCommands_BODY or GenericLFI_BODY rules block

Create an HTTP Archive (HAR) file while the file uploads. Then, review the request body in the HAR file for the content that matches the WindowsShellCommands_BODY or GenericLFI_BODY rules.

To allow the false positives for WindowsShellCommands_BODY or GenericLFI_BODY, complete the following steps:

  1. Set the blocking rule to Count.
  2. Open the AWS WAF console.
  3. In the navigation pane, under AWS WAF, choose Web ACLs.
  4. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for CloudFront, then select Global.
  5. Select your web ACL.
  6. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  7. For Name, enter a rule name, and then choose Regular Rule.
  8. For If a request, choose matches all the statements (AND).
  9. Complete Statement 1 with the following fields:
    For Inspect, select Has a label.
    For Match scope, select Label.
    For Match key, enter the label for the rule that creates the false positive. For example, if the WindowsShellCommands_BODY rule creates the false positive, then enter awswaf:managed:aws:windows-os:WindowsShellCommands_Body.
  10. Complete Statement 2 with the following fields:
    Select the check box for Negate statement results.
    For Inspect, select URI path.
    For Match type, select Exactly matches string.
    For String to match, enter the URI path where requests are being made.
  11. (Optional) For text transformation, choose a text transformation, or choose None.
  12. For Action, choose Block.
  13. Choose Add rule.
  14. For Set rule priority, update the rule priority so that it's after the managed rule that blocked the request.
  15. Choose Save.

File uploads that SizeRestrictions_BODY rule blocks

SizeRestrictions_BODY inspects the size of the request body and blocks the request if the body is larger than 8 KB (8,192 bytes).

For web traffic that includes bodies that are larger than the quota, complete the following steps:

  1. Set the SizeRestrictions_BODY rule to Count.
  2. Open the AWS WAF console.
  3. In the navigation pane, under AWS WAF, choose Web ACLs.
  4. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for CloudFront, then select Global.
  5. Select your web ACL.
  6. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  7. For Name, enter a rule name, and then choose Regular Rule.
  8. For If a request, choose matches all the statements (AND).
  9. Complete Statement 1 with the following fields:
    For Inspect, select Has a label.
    For Match scope, select Label.
    For Match key, enter the label awswaf:managed:aws:core-rule-set:SizeRestrictions_Body for the SizeRestrictions_BODY rule.
  10. Complete Statement 2 with the following fields:
    For Inspect, select Body.
    For Match type, choose Size greater than.
    For Size, enter a number that's larger than the 8 KB limit, for example, 20480 bytes (20 KB).
    For Oversize handling, select Continue.
  11. (Optional) For text transformation, choose a text transformation, or choose None.
  12. For Action, choose Block.
  13. Choose Add rule.
  14. For Set rule priority, update the rule priority so it's after the managed rule that blocked the request.
  15. Choose Save.
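The three console procedures above all produce the same shape of rule: a label match on the managed rule that caused the false positive, ANDed with one exception statement. As an added example that is not part of the original article, the following builds that rule in the AWS WAF (wafv2) rule JSON layout, with one helper per exception the article describes: a negated body-contains match (SQLi_BODY and CrossSiteScripting_BODY), a negated exact URI-path match (WindowsShellCommands_BODY and GenericLFI_BODY), and a larger body-size limit (SizeRestrictions_BODY). The marker string, upload path, rule names and priorities are hypothetical placeholders.

```python
import json

TRANSFORM_NONE = [{"Priority": 0, "Type": "NONE"}]


def body_does_not_contain(marker):
    """Exception for SQLi/XSS false positives: legitimate uploads carry this marker."""
    return {"NotStatement": {"Statement": {"ByteMatchStatement": {
        "SearchString": marker, "PositionalConstraint": "CONTAINS",
        "FieldToMatch": {"Body": {"OversizeHandling": "CONTINUE"}},
        "TextTransformations": TRANSFORM_NONE}}}}


def uri_path_is_not(path):
    """Exception for WindowsShellCommands/LFI false positives on one upload path."""
    return {"NotStatement": {"Statement": {"ByteMatchStatement": {
        "SearchString": path, "PositionalConstraint": "EXACTLY",
        "FieldToMatch": {"UriPath": {}}, "TextTransformations": TRANSFORM_NONE}}}}


def body_larger_than(size_bytes):
    """Replacement limit above the managed rule's 8 KB (SizeRestrictions_BODY case)."""
    return {"SizeConstraintStatement": {
        "FieldToMatch": {"Body": {"OversizeHandling": "CONTINUE"}},
        "ComparisonOperator": "GT", "Size": size_bytes,
        "TextTransformations": TRANSFORM_NONE}}


def label_exception_rule(name, priority, label, exception_statement):
    """Block when the managed rule's label is present AND the exception matches.
    The managed rule must be overridden to Count and have a lower priority number
    than this rule, so the label already exists when this rule is evaluated."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"AndStatement": {"Statements": [
            {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}},
            exception_statement]}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


# Hypothetical placeholder values; replace with your own marker, path and priorities.
XSS_RULE = label_exception_rule("BlockXssExceptUploads", 2,
    "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body",
    body_does_not_contain("X-Upload-Marker"))
SIZE_RULE = label_exception_rule("BlockBodyOver20KB", 3,
    "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body", body_larger_than(20480))

if __name__ == "__main__":
    print(json.dumps(XSS_RULE, indent=2))
```

The console's rule JSON editor accepts SearchString as plain text; the AWS CLI and SDKs treat it as a binary blob, so base64-encode it there.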

Additional options to allow blocked files

Note: Rules process in the order that you list them in the web ACL. AWS WAF evaluates rules with lower priority numbers first. For example, a rule with priority 1 is evaluated before a rule with priority 3. For the following best practices, reorder your rule priorities as needed.

Choose the best method for your use case:

  • Apply selective exclusion with a string match rule statement (AWS WAF) or a string match condition (AWS WAF Classic). Add specific phrases that are associated with the body of the files to your safe list. For example, if false positives occur on a specific URI path, then add the path to your safe list.
  • Use a separate domain for file uploads. Verify if this is a cost-effective option for your use case.
  • Scan (scrub) files and images for embedded code and data. You can perform this action on the client side before you upload the files. Or, if you create an exclusion rule, then you can perform this action on the back end after you upload the files.
  • Compress files before you upload them.
    Note: Make sure that you don't compress malicious files.
  • Use base64 encoding to encode all image data so that the image bytes no longer match the XSS or SQLi signatures that AWS WAF inspects for.
    Note: Make sure you don't encode malicious images.
  • Implement image optimization techniques, such as chunk removal or bit randomization.
AWS OFFICIAL. Updated 4 months ago.