How does AWS WAF handle body inspections for HTTP requests?

3 minute read

Resolution

AWS WAF inspects the first 8 KB (8,192 bytes) of the request body. This is a hard service limit and can't be changed.

For example:

If the body is 5,000 bytes: All the content in the body can be inspected by AWS WAF.
If the body is 8,500 bytes: Contents from bytes 1 through 8,192 bytes are inspected by AWS WAF. All content from 8,193 bytes to 8,500 bytes isn't inspected.

This limit is important when configuring rules because AWS WAF can't check the body content after 8,192 bytes. Any attack XSS or SQL injection pattern won't be detected after 8,192 bytes.

To protect against attacks on uninspected body portions, use one of the following:

AWS Managed Rules Core rule set

The SizeRestrictions_BODY rule within the AWS Managed Rules Core rule set (CRS) checks request bodies that are over 8 KB (8,192 bytes). Request bodies over 8 KB are blocked.

Custom body inspection rule

When you configure a custom body inspection rule, you can choose the oversize request handling action. This action takes effect when the request body is larger than 8,192 bytes.

For example, you configure a custom rule with a request body that contains XSS injection attacks and your request body is 9,000 bytes. You can choose from the following oversize handling actions:

Continue: AWS WAF inspects bytes 1 through 8,192 bytes of the body content for XSS attack. The remaining 8,193 through 9000 byte content isn't inspected.
Match: AWS WAF marks this request as containing an XSS attack and takes the rule action (either ALLOW or BLOCK). It doesn’t matter whether the request body includes an XSS attack pattern or not.
Not match: AWS WAF marks this request as not containing an XSS attack regardless of the request body content.

When using the AWS Managed Core rule set, legitimate requests with a body size larger than 8,192 bytes might be blocked by the SizeRestrictions_BODY rule. You can create an allow rule to explicitly allow the request.

For example, if a customer has a legitimate request from the URL “/upload”, you can configure the rules as follows:

1. In your web ACL, override the SizeRestrictions action to count from the rule group.

2. Add a label matching rule to your web ACL after the Core rule set. Use the following logic in the rule:

Has a label “awswaf:managed:aws:core-rule-set:SizeRestrictions_Body”
AND
    NOT (URL path contains “/upload”)
Action: BLOCK

Using the preceding configuration, requests with the URL " /upload" that have a body size larger than 8,192 bytes are allowed. Any requests that aren't from this URL are blocked.

Related information

Oversize handling for request components

Topics

Security, Identity, & Compliance

Relevant content

How do I handle WAF Size Constraint rules?
rePost-User-1480947
asked 3 months ago
Need to limit AWS API gateway incoming request body size to less than 800 KB
Accepted Answer
rePost-User-6243945
asked a month ago
Oversize handling WAF
Accepted Answer
Techxonia
asked 8 months ago
How to set oversize handling WAF
Accepted Answer
rePost-User-4833446
asked 7 months ago
Fix waf body size rules in my AWS accounts
rePost-User-1480947
asked 3 months ago
How do I exclude specific URIs from XSS or SQLi inspection for HTTP requests when using AWS WAF?
AWS OFFICIALUpdated 8 months ago
How do I upload files that are blocked by AWS WAF?
AWS OFFICIALUpdated a month ago
How do I use AWS WAF to block HTTP requests that don't contain a User-Agent header?
AWS OFFICIALUpdated 8 months ago
How can AWS WAF help prevent brute force login attacks?
AWS OFFICIALUpdated 8 months ago
Why is a /24 the smallest IP range that can be used with BYOIP?
EXPERT
Brettski-AWS
published 3 months ago