
How do I explicitly allow file uploads that an AWS WAF rule blocks without excluding the rule?

I want to allow users to upload files with specific file extensions without having to exclude the rule that is blocking them from my current AWS WAF configuration.

Short description

HTTP file upload content is commonly one of the following types:

  • Form-data: Data that's sent from website forms to APIs as part of a multipart/form-data request.
  • Binary-data: A file that's anything other than a text payload, such as a JPEG, gzip, or PDF file.

To find out why AWS WAF blocks a POST request, review the common rules that block file uploads. If a common rule isn't blocking the upload, then review the additional options for allowing blocked files.

The following rules commonly block file uploads:

  • CrossSiteScripting_BODY
  • SQLi_BODY
  • SizeRestrictions_BODY
  • Custom rules that evaluate the request BODY

Resolution

Determine which rule blocks the file uploads

Complete the following steps:

  1. Open the AWS WAF console.

  2. View the sampled requests for all rules.
    Note: The sampled requests include both the rule that blocked the request and the HTTP request components.

  3. On the Overview page, under Rule inside rule group, find the HTTP request components. The components look similar to the following examples:
    Rule inside rule group

    awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body

    Request

    POST /upload
    User-Agent: PostmanRuntime/7.30.0
    Accept: */*
    Host: example.amazonaws.com
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=--------------------------421232031360350156757252
    Content-Length: 4060737
  4. Review the full AWS WAF logs for the terminatingRuleMatchDetails field.
    Note: The terminatingRuleMatchDetails field is populated only for SQLi_BODY and CrossSiteScripting_BODY matches.

Identify the content type of the POST data

To identify the content type, review the Content-Type header of your POST request. In the previous example, the content type is multipart/form-data.

Form-data content

For form-data content, where the Content-Type header value is multipart/form-data, complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF.
  3. Choose Resources & protection packs.
  4. Select your Protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, under Manage rules, choose Add rules.
  8. Choose Create new rule.
  9. Choose Custom rule and select Next.
  10. For Rule Type, choose Custom rule and select Next.
  11. To set up your rule, configure the following values:
    For Action, choose Allow for custom rules.
    For Name, enter a name to identify this rule.
    For If a request, choose matches the statement.
    Then, complete the following fields for the Statement:
    For Inspect, choose JSON Body.
    For JSON match scope, choose Values.
    For Action for invalid JSON body requests, choose the option appropriate for you.
    For Content to inspect, choose Full JSON content.
    For Oversize Handling, choose the option appropriate for your configuration. For more information, see Oversize web request components in AWS WAF.
    For Match type, choose Matches regular expression.
    For Regular expression, use the following sample regex pattern:
    (?:.pdf|.doc|.docx|.ppt)
    (Optional) For Text transformations, choose either a text transformation or None.
  12. Choose Create Rule.

Binary-data content

For binary-data content, where the Content-Type header value is similar to application/pdf or application/ppt, complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF.
  3. Choose Resources & protection packs.
  4. Select your Protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, under Manage rules, choose Add rules.
  8. Choose Create new rule.
  9. Choose Custom rule and select Next.
  10. For Rule Type, choose Custom rule and select Next.
  11. To set up your rule, configure the following values:
    For Action, choose Allow for custom rules.
    For Name, enter a name to identify the rule.
    For If a request, choose matches the statement.
    Complete the following fields for the Statement:
    For Inspect, choose Single header.
    For Header field name, enter Content-Type.
    For Match type, choose Matches regular expression.
    For Regular expression, use the following sample regex pattern:
    (?:pdf|jpeg)
    (Optional) For Text transformations, choose either a Text transformation or None.
  12. Choose Create Rule.
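As an added example (not code from this article or from AWS), the following Python emulates the two Allow statements above, the JSON Body match from the form-data procedure and the Content-Type header match from the binary-data procedure, against constructed requests, so you can see which statement matches a JSON body, a multipart/form-data body, and a binary upload. The request dictionaries and the escaped-dot regex are my assumptions; real AWS WAF evaluation also applies the oversize and invalid-JSON handling options you choose in the console.

```python
import json
import re

# Constructed sample requests (not from the article); bodies are abbreviated.
FORM_JSON_REQ = {"headers": {"Content-Type": "application/json"},
                 "body": json.dumps({"filename": "report.pdf", "note": "<b>hi</b>"})}
MULTIPART_REQ = {"headers": {"Content-Type": "multipart/form-data; boundary=xyz"},
                 "body": ('--xyz\r\nContent-Disposition: form-data; name="image"; '
                          'filename="a.png"\r\nContent-Type: image/png\r\n\r\nPNG\r\n--xyz--\r\n')}
BINARY_REQ = {"headers": {"Content-Type": "application/pdf"}, "body": "%PDF-1.7 ..."}

# Dots escaped and anchored to the end of the value: "report.pdf" matches, "xpdf" and
# "file.pdf.exe" do not. The article's sample leaves "." unescaped (any character).
JSON_VALUE_REGEX = re.compile(r"\.(?:pdf|docx|doc|ppt)$")
CONTENT_TYPE_REGEX = re.compile(r"(?:pdf|jpeg)")  # same as the article's sample

def json_body_values(body):
    """Every scalar of a JSON document as a string ('JSON match scope: Values').
    A body that is not valid JSON, such as multipart/form-data, yields nothing."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    values, stack = [], [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
        else:
            values.append(str(node))
    return values

def form_data_rule(req):
    """Allow statement from the form-data procedure: JSON Body, Values, regex."""
    return any(JSON_VALUE_REGEX.search(v) for v in json_body_values(req["body"]))

def binary_rule(req):
    """Allow statement from the binary-data procedure: Content-Type header, regex."""
    return bool(CONTENT_TYPE_REGEX.search(req["headers"].get("Content-Type", "")))

def evaluate(req):
    """AWS WAF evaluates rules by priority and Allow ends evaluation: these rules must
    sit before the managed rule group, and what they match skips XSS/SQLi inspection."""
    if form_data_rule(req):
        return "ALLOW (form-data rule)"
    if binary_rule(req):
        return "ALLOW (binary-data rule)"
    return "continue to managed rules"
```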

Related information

How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Firehose?

AWS OFFICIAL, updated a year ago
2 Comments

I cannot get this to work for image uploads. This is the multipart/form-data being submitted and it doesn't look like JSON at all. Image upload is failing and I've had to disable the CrossSiteScripting_BODY rule:

------WebKitFormBoundaryTJriLfD8P9chsSY9
Content-Disposition: form-data; name="image"; filename="Screenshot 2024-01-07 at 12.41.34 AM.png"
Content-Type: image/png

------WebKitFormBoundaryTJriLfD8P9chsSY9--

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR

replied 2 years ago