WAF blocking requests because of the ELB cookie values

1

Hi.

I've noticed that the WAF AWSManagedRulesCommonRuleSet is BLOCKING (or COUNTING) legitimate requests because it matches the value of the Elastic Load Balancer cookie ("AWSALBTG") as a false positive matched by the rule CrossSiteScripting_COOKIE.

This is an example request that I extracted from WAF cloudwatch logs (only the relevant info):

httpRequest.headers.13.name: cookie
httpRequest.headers.13.value: AWSALBTG=0naHdSsqK2TVnPXcAgo8cGqiA0X1v/4rqyWrE/OsL7eubnXAm8tJRmtFzcv5XbAmDVq6UpKw2ZY0BHcOMwuQLRh7lU3TMoHbHnA00gY2R+yG/4vtzy2meQptVHelSdfnAPR5heRTALuqaHUf/oNyw1kZibZHTTkzpONuiJZkpUIr2pVVqsQ=; AWSALBTGCORS=0naHdSsqK2TVnPXcAgo8cGqiA0X1v/4rqyWrE/OsL7eubnXAm8tJRmtFzcv5XbAmDVq6UpKw2ZY0BHcOMwuQLRh7lU3TMoHbHnA00gY2R+yG/4vtzy2meQptVHelSdfnAPR5heRTALuqaHUf/oNyw1kZibZHTTkzpONuiJZkpUIr2pVVqsQ=; AWSALB=zyyDqgOFJzOv2HVSswKA0mw8yNNjHrAyJkhe7SRNFzOJSD6jFX6+5/T8ELUvvHIYeKW0XuxPDTBTG0gZO3d2FSCohf1jHsk2mDmTkoOh7BZCQKTmtJn4X4jbDDjL; .....
nonTerminatingMatchingRules.0.action: COUNT
nonTerminatingMatchingRules.0.ruleId: AWS-AWSManagedRulesCommonRuleSet
nonTerminatingMatchingRules.0.ruleMatchDetails.0.conditionType: XSS
nonTerminatingMatchingRules.0.ruleMatchDetails.0.location: HEADER
nonTerminatingMatchingRules.0.ruleMatchDetails.0.matchedData.0: oNyw1kZibZHTTkzpONuiJZkpUIr2pVVqsQ
nonTerminatingMatchingRules.0.ruleMatchDetails.0.matchedData.1: ;

As you can see, the "matchedData" field contains a string ("oNyw1kZibZHTTkzpONuiJZkpUIr2pVVqsQ") that is inside the AWSALBTG cookie value generated by the ELB.

This means that currently we can't use WAF and ELB together because it is blocking legitimate requests because of the ELB cookie.

Am I correct or missing something? Is there any way to avoid this?
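An added triage example (my own code, not from the question or from AWS) that reads a WAF log record in its nested JSON form and flags XSS header matches whose matchedData is a fragment of an ALB cookie value in the same request; I assume the dotted `httpRequest.headers.13.name` keys shown above are CloudWatch's flattened rendering of these nested fields, and the sample record is constructed with a shortened cookie value.

```python
import json

# Cookies set by AWS Application Load Balancers; their values are opaque tokens.
ALB_COOKIE_NAMES = {"AWSALB", "AWSALBCORS", "AWSALBTG", "AWSALBTGCORS"}


def parse_cookie_header(value):
    """Split a Cookie header into {name: value}; pairs without '=' are skipped."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def alb_cookie_false_positives(record):
    """Return (ruleId, cookie name, fragment) for every XSS HEADER match whose
    matchedData string is a substring of an ALB cookie value in the request."""
    alb_values = {}
    for h in record.get("httpRequest", {}).get("headers", []):
        if h.get("name", "").lower() == "cookie":
            for name, val in parse_cookie_header(h.get("value", "")).items():
                if name in ALB_COOKIE_NAMES:
                    alb_values[name] = val
    rules = list(record.get("nonTerminatingMatchingRules", []))
    if record.get("terminatingRuleMatchDetails"):  # blocking rule, if any
        rules.append({"ruleId": record.get("terminatingRuleId", ""),
                      "ruleMatchDetails": record["terminatingRuleMatchDetails"]})
    findings = []
    for rule in rules:
        for detail in rule.get("ruleMatchDetails", []):
            if detail.get("conditionType") != "XSS" or detail.get("location") != "HEADER":
                continue
            for fragment in detail.get("matchedData", []):
                if len(fragment) < 8:  # entries such as ";" carry no evidence
                    continue
                for cname, cval in alb_values.items():
                    if fragment in cval:
                        findings.append((rule.get("ruleId", ""), cname, fragment))
    return findings


# Constructed log line shaped like the one in the question (cookie value shortened).
SAMPLE_RECORD = json.loads('{"httpRequest": {"headers": [{"name": "cookie", "value": '
    '"AWSALBTG=0naHd/oNyw1kZibZHTTkzpONuiJZkpUIr2pVVqsQ=; AWSALB=zyyDqgOFJz"}]}, '
    '"nonTerminatingMatchingRules": [{"ruleId": "AWS-AWSManagedRulesCommonRuleSet", '
    '"action": "COUNT", "ruleMatchDetails": [{"conditionType": "XSS", "location": '
    '"HEADER", "matchedData": ["oNyw1kZibZHTTkzpONuiJZkpUIr2pVVqsQ", ";"]}]}]}')
```

Records where the flagged fragment comes from a non-ALB cookie return an empty list, so the output separates ALB-induced matches from matches that still need a human look.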

1 Answer
0

Thank you for letting us know the answer, Pedro.

SUPPORT ENGINEER
answered 2 years ago
