How does AWS WAF handle body inspections for HTTP requests?
AWS WAF inspects the first 8 KB (8,192 bytes) of the request body. This is a hard service limit and can't be changed.
- If the body is 5,000 bytes: All the content in the body can be inspected by AWS WAF.
- If the body is 8,500 bytes: Contents from bytes 1 through 8,192 bytes are inspected by AWS WAF. All content from 8,193 bytes to 8,500 bytes isn't inspected.
This limit is important when configuring rules because AWS WAF can't check body content beyond 8,192 bytes. Any XSS or SQL injection attack pattern that appears after byte 8,192 won't be detected.
To protect against attacks on uninspected body portions, use one of the following:
AWS Managed Rules Core rule set
The SizeRestrictions_BODY rule within the AWS Managed Rules Core rule set (CRS) checks request bodies that are over 8 KB (8,192 bytes). Request bodies over 8 KB are blocked.
Custom body inspection rule
When you configure a custom body inspection rule, you can choose the oversize request handling action. This action takes effect when the request body is larger than 8,192 bytes.
For example, suppose you configure a custom rule that inspects the request body for XSS injection attacks, and a request body is 9,000 bytes. You can choose from the following oversize handling actions:
- Continue: AWS WAF inspects bytes 1 through 8,192 of the body content for XSS attack patterns. The remaining content from bytes 8,193 through 9,000 isn't inspected.
- Match: AWS WAF marks this request as containing an XSS attack and takes the rule action (either ALLOW or BLOCK). It doesn’t matter whether the request body includes an XSS attack pattern or not.
- Not match: AWS WAF marks this request as not containing an XSS attack regardless of the request body content.
When using the AWS Managed Core rule set, legitimate requests with a body size larger than 8,192 bytes might be blocked by the SizeRestrictions_BODY rule. You can create an allow rule to explicitly allow the request.
For example, if legitimate requests with large bodies are sent to the URL path "/upload", you can configure the rules as follows:
1. In your web ACL, override the action of the SizeRestrictions_BODY rule in the Core rule set rule group to Count.
2. Add a label match rule to your web ACL after the Core rule set. Use the following logic in the rule (both conditions must hold):
Has a label "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"
AND NOT (URL path contains "/upload")
Using the preceding configuration, requests to the URL path "/upload" that have a body size larger than 8,192 bytes are allowed. Requests to any other URL path with a body larger than 8,192 bytes are blocked.
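The two-step configuration above expressed as web ACL rule JSON, added here as an example rather than taken from AWS documentation. The rule names, priorities and metric names are assumptions; the Count override uses the RuleActionOverrides field of the managed rule group statement, and the second rule blocks only when the SizeRestrictions_Body label is present and the URI path does not contain "/upload".

```json
[
  {
    "Name": "AWS-AWSManagedRulesCommonRuleSet",
    "Priority": 0,
    "OverrideAction": { "None": {} },
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "RuleActionOverrides": [
          { "Name": "SizeRestrictions_BODY", "ActionToUse": { "Count": {} } }
        ]
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "CoreRuleSet"
    }
  },
  {
    "Name": "BlockOversizeBodyExceptUpload",
    "Priority": 1,
    "Action": { "Block": {} },
    "Statement": {
      "AndStatement": {
        "Statements": [
          {
            "LabelMatchStatement": {
              "Scope": "LABEL",
              "Key": "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"
            }
          },
          {
            "NotStatement": {
              "Statement": {
                "ByteMatchStatement": {
                  "FieldToMatch": { "UriPath": {} },
                  "PositionalConstraint": "CONTAINS",
                  "SearchString": "/upload",
                  "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
                }
              }
            }
          }
        ]
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "BlockOversizeBodyExceptUpload"
    }
  }
]
```

For a custom body inspection rule, the oversize handling choice from the earlier section is set on the field to match as `"Body": { "OversizeHandling": "CONTINUE" }`, with `MATCH` and `NO_MATCH` as the other accepted values.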
Oversize handling for request components