How do I handle oversize HTTP requests in AWS WAF?


I want to manage the size limits when I inspect the web request body in AWS WAF.

Short description

When a web request body exceeds the body inspection size limit, the underlying host service forwards only the part of the body that is within the limit to AWS WAF. AWS WAF therefore can't detect cross-site scripting (XSS) or SQL injection patterns that appear in the body beyond the limit, and an attacker can hide a payload there simply by padding the front of the body.

Note: AWS WAF doesn't log the contents of the web request body, whether or not it finds an attack pattern within the body inspection size limit.

To protect against attack patterns that appear beyond the body inspection size limit, configure a rule that blocks all oversize requests. Then, create a rule that explicitly allows legitimate oversize requests, such as file uploads. You can either create a custom rule or use the Core rule set (CRS) managed rule group.

Resolution

Use a CRS managed rule

To use the CRS managed rule group, turn on the SizeRestrictions_BODY rule so that it blocks requests with a body larger than 8 KB (8,192 bytes). Then, create a rule that allows legitimate requests that exceed the size limit.

Turn on the SizeRestrictions_BODY rule

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, choose the AWS Region where you created your web access control list (web ACL).
    Note: If you set up your web ACL for Amazon CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose Add Rules.
  6. On the dropdown list, choose Add managed rule groups.
  7. Under Add managed rule groups, choose AWS managed rule groups.
  8. Under Free rule groups, choose Core rule set.
  9. Turn on Add to web ACL, and then choose Edit.
  10. To inspect and block web request bodies that exceed 8 KB, set the SizeRestrictions_BODY rule to Block.
  11. Choose Save rule.

To reduce false positives while you test, keep only the SizeRestrictions_BODY rule set to Block and override all other rules in the group to Count.

Create a rule that allows legitimate requests

The SizeRestrictions_BODY rule blocks every request body larger than 8 KB, including legitimate ones such as file uploads. To allow legitimate requests that exceed the size limit, override the SizeRestrictions_BODY rule action to Count. The rule then still adds the label awswaf:managed:aws:core-rule-set:SizeRestrictions_Body to each oversize request, and a rule that AWS WAF evaluates later in the web ACL can match on that label and decide whether to block the request.

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the Region where you created your web ACL.
    Note: If you set up your web ACL for CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose AWS-AWSManagedRulesCommonRuleSet.
  6. Choose Edit.
  7. For the SizeRestrictions_BODY rule, choose Override to Count.
  8. Choose Save rule.
  9. Under Rules, choose Add rules, and then choose Add my own rules and rule groups.
  10. For Name, enter a rule name, and then choose Regular rule.
  11. For If a request, choose matches all the statements (AND).
  12. For Statement 1, enter the following information:
    For Inspect, choose Has a label.
    For Match scope, choose Label.
    For Match key, enter the label awswaf:managed:aws:core-rule-set:SizeRestrictions_Body.
  13. For Statement 2, enter the following information:
    Choose Negate statement results.
    For Inspect, choose URI path.
    For Match type, choose Exactly matches string.
    For String to match, enter /upload.
    Note: Replace /upload with the URI path where you accept legitimate oversize requests, such as file uploads.
  14. (Optional) For text transformation, choose a text transformation, or choose None.
  15. For Action, choose Block.
  16. Choose Add rule.
  17. For Set rule priority, move the rule so that AWS WAF evaluates it after the CRS managed rule group (a higher priority number). The SizeRestrictions_BODY rule in the CRS then adds its label before your rule runs, so the label match can succeed. If your rule runs first, the label doesn't exist yet and the rule never matches.
  18. Choose Save rule.

Note: It's a best practice to test rules in a non-production environment with Action set to Count. To evaluate the rule, use Amazon CloudWatch metrics with AWS WAF sampled requests or AWS WAF logs.

Create a custom body inspection rule

Set up the oversize request handling action for the rule

When you configure a custom rule that inspects the request body, you choose the oversize request handling action. Oversize handling tells AWS WAF what to do with a web request when the request body exceeds the size limit. The options are Continue (inspect only the part of the body that is within the limit, according to the rule's criteria), Match (treat the request as matching the rule statement) and No match (treat the request as not matching the rule statement). On the AWS WAF console, you must choose one of these options. Outside the console (API, AWS CLI, CloudFormation), the default is Continue, which means a rule that looks for attack patterns never sees anything beyond the limit and silently passes oversize requests. To block oversize requests, create a custom body inspection rule with the action Block and set its oversize handling to Match.

Create a rule that allows legitimate requests

To allow legitimate requests that exceed the size limit, create a rule with the action Allow that explicitly matches the legitimate requests, for example by URI path or by source IP address. Then, set its priority so that AWS WAF evaluates it before the rule that blocks oversize requests. In AWS WAF, rules with a lower priority number run first, and Allow is a terminating action, so a legitimate oversize request never reaches the blocking rule.
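The two procedures described above, the CRS-plus-label approach and the custom body inspection rule with its oversize handling action, expressed as AWS WAFv2 rule JSON, plus a small local simulator that runs constructed sample requests through each rule set so you can see what gets blocked before you touch a live web ACL. This is an added example written for this article, not AWS's code. It assumes the 8 KB body inspection limit, the CRS label name quoted above and a hypothetical /upload allow-list path; the simulator models only the statement types the rules use, its CRS stand-in models only the SizeRestrictions_BODY rule, and its XSS check is a crude placeholder for AWS WAF's real detector.

```python
"""Added example (not AWS's code): WAFv2 rule JSON for both approaches in this
article plus a local simulator over constructed requests. Assumes the 8 KB body
limit, the CRS label name from the article and a hypothetical /upload path."""
import json

BODY_LIMIT = 8192          # body size that SizeRestrictions_BODY enforces (8,192 bytes)
CRS_LABEL = "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"

def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def _uri_path_is(paths):
    """Statement that matches the URI path exactly against one or more allowed paths."""
    stmts = [{"ByteMatchStatement": {"FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "EXACTLY",
              "SearchString": p, "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}} for p in paths]
    return stmts[0] if len(stmts) == 1 else {"OrStatement": {"Statements": stmts}}

def crs_group_rule(priority):
    """Approach 1, part 1: reference the CRS with SizeRestrictions_BODY overridden to Count."""
    return {"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
                "RuleActionOverrides": [{"Name": "SizeRestrictions_BODY", "ActionToUse": {"Count": {}}}]}},
            "OverrideAction": {"None": {}}, "VisibilityConfig": _visibility("crs")}

def label_block_rule(allowed_paths, priority):
    """Approach 1, part 2: block requests the CRS labelled as oversize unless the path is
    allowed. Needs a higher priority number than the CRS rule so the label exists when it runs."""
    return {"Name": "block-oversize-except-allowed", "Priority": priority,
            "Statement": {"AndStatement": {"Statements": [
                {"LabelMatchStatement": {"Scope": "LABEL", "Key": CRS_LABEL}},
                {"NotStatement": {"Statement": _uri_path_is(allowed_paths)}}]}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility("oversize")}

def allow_paths_rule(allowed_paths, priority):
    """Approach 2, part 1: terminating Allow for legitimate upload paths; must run first."""
    return {"Name": "allow-legitimate-uploads", "Priority": priority, "Statement": _uri_path_is(allowed_paths),
            "Action": {"Allow": {}}, "VisibilityConfig": _visibility("uploads")}

def body_xss_rule(priority, oversize_handling="MATCH"):
    """Approach 2, part 2: custom body inspection; MATCH makes every oversize body match."""
    return {"Name": "block-xss-body", "Priority": priority,
            "Statement": {"XssMatchStatement": {"FieldToMatch": {"Body": {"OversizeHandling": oversize_handling}},
                                                "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility("xss")}

def _matches(stmt, req, labels):
    """Local stand-in for WAF evaluation; models only the statement types used above."""
    kind, spec = next(iter(stmt.items()))
    if kind == "AndStatement":
        return all(_matches(s, req, labels) for s in spec["Statements"])
    if kind == "OrStatement":
        return any(_matches(s, req, labels) for s in spec["Statements"])
    if kind == "NotStatement":
        return not _matches(spec["Statement"], req, labels)
    if kind == "LabelMatchStatement":
        return spec["Key"] in labels
    if kind == "ByteMatchStatement":                       # UriPath with EXACTLY only
        return req["path"] == spec["SearchString"]
    if kind == "ManagedRuleGroupStatement":                # models SizeRestrictions_BODY only
        if len(req["body"]) <= BODY_LIMIT:
            return False
        labels.add(CRS_LABEL)                              # label is added even when counted
        overrides = {o["Name"]: next(iter(o["ActionToUse"])) for o in spec.get("RuleActionOverrides", [])}
        return overrides.get("SizeRestrictions_BODY", "Block") == "Block"
    if kind == "XssMatchStatement":
        body = req["body"]
        if len(body) > BODY_LIMIT:                         # host forwards only the first 8 KB
            handling = spec["FieldToMatch"]["Body"].get("OversizeHandling", "CONTINUE")
            if handling != "CONTINUE":
                return handling == "MATCH"
            body = body[:BODY_LIMIT]
        return b"<script" in body.lower()                  # crude stand-in for WAF's XSS detector
    raise ValueError(f"statement type not modelled: {kind}")

def evaluate(rules, req):
    """Evaluate rules in priority order (lowest number first); returns (action, rule name)."""
    labels = set()
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], req, labels):
            action = next(iter(rule.get("Action", {"Block": {}})))   # managed group => Block
            if action in ("Allow", "Block"):                          # Count does not terminate
                return action, rule["Name"]
    return "Allow", "default-action"

# Constructed sample requests; the attack string sits past the 8 KB limit.
PAYLOAD = b"<script>alert(1)</script>"
REQUESTS = {"small_clean": {"path": "/api", "body": b"a=1"},
            "small_xss": {"path": "/api", "body": b"q=" + PAYLOAD},
            "oversize_hidden_xss": {"path": "/api", "body": b"x" * BODY_LIMIT + PAYLOAD},
            "oversize_upload": {"path": "/upload", "body": b"x" * (BODY_LIMIT + 1)}}
APPROACH_1 = [crs_group_rule(0), label_block_rule(["/upload"], 1)]
APPROACH_2 = [allow_paths_rule(["/upload"], 0), body_xss_rule(1)]
LEAKY = [body_xss_rule(0, "CONTINUE")]                 # the API/CLI default: misses the hidden payload

def decisions(rules):
    return {name: evaluate(rules, req)[0] for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for title, rules in (("CRS+label", APPROACH_1), ("custom MATCH", APPROACH_2), ("custom CONTINUE", LEAKY)):
        print(title, decisions(rules))
    print(json.dumps(APPROACH_1, indent=2))   # rule list for `aws wafv2 update-web-acl --rules file://...`
```

Both rule sets block the request whose payload is hidden past the limit and let the oversize upload through, while the LEAKY set (Continue, the default outside the console) inspects only the first 8 KB and passes it. Swapping the two priorities in APPROACH_1 makes the label rule run before the CRS has added the label, so it never matches; that is the ordering mistake step 17 above warns about. The printed rule list is the shape the AWS CLI expects for the --rules parameter of update-web-acl, alongside the web ACL's other required parameters and its current lock token.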

Related information

Why does AWS WAF block my legitimate upload request?

AWS OFFICIAL. Updated 17 days ago
3 Comments

Hey, in step 6 in the second part of the instructions, I think you mean for people to create a rule following the core rule set and then to select "has a label". But you don't actually say to create a rule in an otherwise step-by-step set of instructions. I think I understand what needs to happen, and I got there eventually, but this post kind of confused it for a bit.

Please let me know if I'm still misunderstanding.

replied 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 7 months ago

Hi, agree with Ken. I'm stuck on step 6 and need help

Finally, I figured out the solution. Basically, the solution is to create a new rule that labels your legitimate request and then modify the original CRS SizeRestrictions_Body rule to allow that label.

However, I chose a shortcut: I created a new rule that allows my legitimate request and moved the rule to a priority higher than the CRS.

replied 2 months ago