I want to manage the size limits when I inspect the web request body in AWS WAF.
Short description
When a web request body exceeds the body inspection size limit, the underlying host service forwards only contents that are within the limit to AWS WAF. AWS WAF doesn't detect cross-site scripting (XSS) attacks or SQL injection patterns in the web request body beyond the limit.
Note: AWS WAF doesn't log contents of the web request body whether or not it finds an attack pattern within the body inspection size limit.
To protect against attack patterns that don't appear within the body inspection size limit for oversize requests, configure a rule that blocks all oversize requests. Then, create a rule that explicitly allows legitimate oversize requests. You can either create a custom rule, or use the core rule set (CRS) managed rule group.
Resolution
Use a CRS managed rule
To use the CRS managed rule group, turn on the SizeRestrictions_BODY rule to block requests whose body exceeds 8 KB (8,192 bytes). Then, create a rule that allows legitimate requests that exceed the size limit.
Turn on the SizeRestrictions_BODY rule
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, choose the AWS Region where you created your web access control list (web ACL).
Note: If you set up your web ACL for Amazon CloudFront, then select Global.
- Select your web ACL.
- Under Rules, choose Add Rules.
- On the dropdown list, choose Add managed rule groups.
- Under Add managed rule groups, choose AWS managed rule groups.
- Under Free rule groups, choose Core rule set.
- Turn on Add to web ACL, and then choose Edit.
- To inspect and block web request bodies that exceed 8 KB, set the SizeRestrictions_BODY rule to Block.
- Choose Save rule.
To reduce the occurrence of false positives, use only the SizeRestrictions_BODY rule and override all other rules in the rule group to Count.
Create a rule that allows legitimate requests
The SizeRestrictions_BODY rule might block legitimate requests that exceed 8 KB. To allow legitimate requests that exceed the size limit, set the SizeRestrictions_BODY rule to Count. Then, use the label that AWS WAF adds when the rule matches in subsequent rule evaluation.
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If you set up your web ACL for CloudFront, then select Global.
- Select your web ACL.
- Under Rules, choose AWS-AWSManagedRulesCommonRuleSet.
- Choose Edit.
- For the SizeRestrictions_BODY rule, choose Override to Count.
- Choose Save rule.
- Under Rules, choose Add rules, and then choose Add my own rules and rule groups.
- For Name, enter a rule name, and then choose Regular rule.
- For If a request, choose matches all the statements (AND).
- For Statement 1, enter the following information:
    - For Inspect, choose Has a label.
    - For Match scope, choose Label.
    - For Match key, enter the label awswaf:managed:aws:core-rule-set:SizeRestrictions_BODY.
- For Statement 2, enter the following information:
    - Choose Negate statement results.
    - For Inspect, choose URI path.
    - For Match type, choose Exactly matches string.
    - For String to match, enter /upload.
    Note: Replace /upload with the URI path where you make legitimate oversize requests.
- (Optional) For text transformation, choose a text transformation, or choose None.
- For Action, choose Block.
- Choose Add rule.
- For Set rule priority, update the priority so that the rule is evaluated after the CRS managed rule group. The SizeRestrictions_BODY rule in the CRS then adds its label before your rule runs, and AWS WAF can match on that label in subsequent rules.
- Choose Save rule.
Note: It's a best practice to test rules in a non-production environment with Action set to Count. To evaluate the rule, use Amazon CloudWatch metrics with AWS WAF sampled requests or AWS WAF logs.
Create a custom body inspection rule
Set up the oversize request handling action for the rule
When you configure a custom body inspection rule, you can choose the oversize request handling action. Oversize handling tells AWS WAF what to do with a web request when the request body exceeds the size limit. The options to handle oversize components are Continue, Match, and No match. On the AWS WAF console, you must choose one of these options. Outside the console, the default option is Continue. To block oversize requests, create a custom rule that sets the oversize request handling action to Match, so that oversize requests match the rule, and set the rule action to Block.
Create a rule that allows legitimate requests
To allow legitimate requests that exceed the size limit, create a rule that explicitly allows requests from legitimate hosts. Then, update the rule's priority so that it's higher than the priority of the rule that blocks oversize requests, which means AWS WAF evaluates the allow rule first (a lower priority number is evaluated first).
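The following is an added example, not AWS code and not part of the original article. It models both approaches on this page in a small local evaluator: the CRS approach (SizeRestrictions_BODY overridden to Count, followed by a label-based rule that blocks oversize requests except on /upload) and the custom approach (an explicit allow rule ahead of a body inspection rule whose oversize handling is Match). The rule dictionaries follow the shape of the wafv2 API JSON, but the CRS rule itself is a stand-in (a size constraint with OversizeHandling MATCH that adds the label), the evaluator only models the statement types used here, and the web ACL default action is assumed to be Allow. The 8 KB limit, the label and the /upload path come from the page; all requests are constructed samples.

```python
"""Local model of AWS WAF body-size handling (added example, not AWS code).

Assumptions: rule dicts follow wafv2 API JSON; the CRS SizeRestrictions_BODY rule
is modelled as a size constraint with OversizeHandling MATCH; default action Allow.
"""
import operator

BODY_LIMIT = 8192  # 8 KB body inspection limit stated on the page
CRS_LABEL = "awswaf:managed:aws:core-rule-set:SizeRestrictions_BODY"
_OPS = {"EQ": operator.eq, "NE": operator.ne, "LE": operator.le,
        "LT": operator.lt, "GE": operator.ge, "GT": operator.gt}


def oversize_body_rule(name, priority, action, label=None):
    """Size constraint on Body that matches oversize bodies via OversizeHandling MATCH.
    action="Count" plus a label stands in for the CRS rule overridden to Count;
    action="Block" is the custom body inspection rule."""
    rule = {"Name": name, "Priority": priority, "Action": {action: {}},
            "Statement": {"SizeConstraintStatement": {
                "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
                "ComparisonOperator": "GT", "Size": BODY_LIMIT,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}}
    if label:
        rule["RuleLabels"] = [{"Name": label}]
    return rule


def uri_exactly(path):
    return {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "EXACTLY",
        "SearchString": path,
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}


def block_labelled_oversize_except(priority, allowed_path="/upload"):
    """CRS approach: label present AND NOT (URI path == allowed_path) -> Block."""
    return {"Name": "block-oversize-except-upload", "Priority": priority,
            "Statement": {"AndStatement": {"Statements": [
                {"LabelMatchStatement": {"Scope": "LABEL", "Key": CRS_LABEL}},
                {"NotStatement": {"Statement": uri_exactly(allowed_path)}}]}},
            "Action": {"Block": {}}}


def allow_path(priority, path="/upload"):
    """Custom approach: explicit allow rule that must run before the block rule."""
    return {"Name": "allow-upload", "Priority": priority,
            "Statement": uri_exactly(path), "Action": {"Allow": {}}}


def _matches(stmt, request, labels):
    """Evaluate one statement; WAF only ever sees the first BODY_LIMIT body bytes."""
    if "SizeConstraintStatement" in stmt:
        s = stmt["SizeConstraintStatement"]
        body_len = len(request["body"])
        if body_len > BODY_LIMIT:  # oversize: the handling setting decides
            handling = s["FieldToMatch"]["Body"]["OversizeHandling"]
            if handling == "MATCH":
                return True
            if handling == "NO_MATCH":
                return False
            body_len = BODY_LIMIT  # CONTINUE: inspect only the forwarded part
        return _OPS[s["ComparisonOperator"]](body_len, s["Size"])
    if "LabelMatchStatement" in stmt:
        return stmt["LabelMatchStatement"]["Key"] in labels
    if "ByteMatchStatement" in stmt:  # only EXACTLY on UriPath is modelled here
        return request["uri"] == stmt["ByteMatchStatement"]["SearchString"]
    if "NotStatement" in stmt:
        return not _matches(stmt["NotStatement"]["Statement"], request, labels)
    if "AndStatement" in stmt:
        return all(_matches(s, request, labels)
                   for s in stmt["AndStatement"]["Statements"])
    raise ValueError(f"unsupported statement: {list(stmt)}")


def evaluate(rules, request):
    """Rules run in priority order; Count adds labels and continues, Allow/Block stop."""
    labels = set()
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], request, labels):
            labels.update(lab["Name"] for lab in rule.get("RuleLabels", []))
            action = next(iter(rule["Action"]))
            if action in ("Allow", "Block"):
                return action, labels
    return "Allow", labels  # assumed web ACL default action


# CRS approach: CRS rule in Count (priority 0), label rule after it (priority 1)
CRS_APPROACH = [oversize_body_rule("SizeRestrictions_BODY", 0, "Count", CRS_LABEL),
                block_labelled_oversize_except(1)]
# Same rules with priorities swapped: the label does not exist yet when the custom rule runs
CRS_WRONG_ORDER = [oversize_body_rule("SizeRestrictions_BODY", 1, "Count", CRS_LABEL),
                   block_labelled_oversize_except(0)]
# Custom approach: explicit allow first, then Block with OversizeHandling MATCH
CUSTOM_APPROACH = [allow_path(0), oversize_body_rule("block-oversize-body", 1, "Block")]

# Constructed sample requests (not real traffic)
SMALL_API = {"uri": "/api", "body": b"x" * 100}
BIG_API = {"uri": "/api", "body": b"x" * (BODY_LIMIT + 1)}
BIG_UPLOAD = {"uri": "/upload", "body": b"x" * (BODY_LIMIT + 1)}

if __name__ == "__main__":
    for acl_name, acl in [("CRS", CRS_APPROACH), ("CRS wrong order", CRS_WRONG_ORDER),
                          ("custom", CUSTOM_APPROACH)]:
        for req_name, req in [("small /api", SMALL_API), ("big /api", BIG_API),
                              ("big /upload", BIG_UPLOAD)]:
            print(f"{acl_name:16} {req_name:12} -> {evaluate(acl, req)[0]}")
```

The CRS_WRONG_ORDER web ACL is the failure mode the priority step above guards against: with the custom rule placed before the managed rule group, the label is added only after the custom rule has already been evaluated, so every oversize request falls through to the default action.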
Related information
Why does AWS WAF block my legitimate upload request?