How do I create an AWS WAF rule to prevent SQLi and XSS?


I want to prevent SQL injection (SQLi) and cross-site scripting (XSS). What options does AWS WAF provide to prevent SQLi and XSS attacks?

Short description

AWS WAF offers the following protections to prevent SQLi and XSS attacks:

  • Built-in SQLi and XSS engines
  • AWS Managed Rules available for SQLi and XSS injection attacks

To configure these protections, be sure that you have set up AWS WAF and created a web ACL.

Note: AWS WAF inspects only the first part of the request body, headers, and cookies; content beyond that limit is handled according to the oversize handling that you configure. For more information, see Inspection of the request body, headers, and cookies.

Resolution

Important: It’s a best practice to test rules in a non-production environment with the Action set to Count. Evaluate the rule using Amazon CloudWatch metrics combined with AWS WAF sampled requests or AWS WAF logs. When you're satisfied that the rule does what you want, change the Action to Block.
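To evaluate a rule in Count mode from AWS WAF logs, the following Python script (an added example, not part of the original article or of AWS tooling) parses WAF log records in the JSON Lines format that WAF logging delivers, reports each rule that matched in COUNT mode with hit counts, distinct client IPs and decoded sample requests, and estimates how many requests the rule would have blocked. The log records, the rule name sqli-xss-count, the web ACL ARN and the IP addresses are constructed for the example.

```python
import json
from urllib.parse import unquote

# Constructed AWS WAF log records in the JSON Lines format WAF logging delivers.
# Invented for this example (rule name, ARN, IPs and requests are not real); only the
# fields the code reads are populated.
SAMPLE_WAF_LOGS = r"""
{"timestamp":1700000000000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/demo/a1b2c3d4","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[{"ruleId":"sqli-xss-count","action":"COUNT"}],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/login","args":"user=admin%27%20OR%201%3D1--","httpVersion":"HTTP/1.1","httpMethod":"POST","headers":[{"name":"Host","value":"example.com"}]}}
{"timestamp":1700000001000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/demo/a1b2c3d4","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/products","args":"id=42","httpVersion":"HTTP/1.1","httpMethod":"GET","headers":[{"name":"Host","value":"example.com"}]}}
{"timestamp":1700000002000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/demo/a1b2c3d4","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SQLi_QUERYARGUMENTS","action":"COUNT"}],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[{"ruleId":"sqli-xss-count","action":"COUNT"}],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/search","args":"q=1%27%20UNION%20SELECT%20null--","httpVersion":"HTTP/1.1","httpMethod":"GET","headers":[{"name":"Host","value":"example.com"}]}}
{"timestamp":1700000003000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/demo/a1b2c3d4","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[{"ruleId":"sqli-xss-count","action":"COUNT"}],"httpRequest":{"clientIp":"192.0.2.5","country":"BR","uri":"/comment","args":"text=%3Cscript%3Ealert(1)%3C%2Fscript%3E","httpVersion":"HTTP/1.1","httpMethod":"POST","headers":[{"name":"Host","value":"example.com"}]}}
"""


def parse_waf_logs(text):
    """Parse JSON Lines WAF logs into a list of records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_mode_matches(record):
    """Yield a label for every COUNT-mode match in one record: the web ACL's own
    rules, plus rules inside managed rule groups as '<groupId>:<ruleId>'."""
    for match in record.get("nonTerminatingMatchingRules") or []:
        if match.get("action") == "COUNT":
            yield match["ruleId"]
    for group in record.get("ruleGroupList") or []:
        for match in group.get("nonTerminatingMatchingRules") or []:
            if match.get("action") == "COUNT":
                yield f"{group['ruleGroupId']}:{match['ruleId']}"


def describe_request(req):
    """Render the request (URL-decoded) the way you want to see it in a false-positive review."""
    args = unquote(req.get("args") or "")
    target = req.get("uri", "") + ("?" + args if args else "")
    return f"{req.get('httpMethod', '?')} {target}"


def summarize_count_matches(records):
    """Per rule label: number of hits, distinct client IPs and up to 5 decoded sample requests."""
    summary = {}
    for rec in records:
        req = rec.get("httpRequest", {})
        for label in count_mode_matches(rec):
            entry = summary.setdefault(label, {"hits": 0, "client_ips": set(), "samples": []})
            entry["hits"] += 1
            entry["client_ips"].add(req.get("clientIp"))
            if len(entry["samples"]) < 5:
                entry["samples"].append(describe_request(req))
    return summary


def would_block(records, rule_label):
    """(matched, total): requests the rule would have blocked in Block mode,
    assuming no earlier rule in the web ACL terminates evaluation first."""
    matched = sum(1 for rec in records if rule_label in set(count_mode_matches(rec)))
    return matched, len(records)


if __name__ == "__main__":
    records = parse_waf_logs(SAMPLE_WAF_LOGS)
    for label, entry in summarize_count_matches(records).items():
        print(f"{label}: {entry['hits']} hits from {len(entry['client_ips'])} client IPs")
        for sample in entry["samples"]:
            print("    ", sample)
    print("would block %d of %d requests" % would_block(records, "sqli-xss-count"))
```

Point parse_waf_logs at the files WAF delivers to your S3 bucket or Firehose stream instead of SAMPLE_WAF_LOGS; review the decoded samples for legitimate traffic (a search box that accepts apostrophes, for instance) before changing the rule's action to Block.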

Use built-in SQLi and XSS engines

Attacks can be performed on different parts of the HTTP request, such as the HTTP header, query string, or URI. Configure the AWS WAF rules to inspect different parts of the HTTP request against the built-in mitigation engines.

SQLi attack rule statement

Create a SQL injection attack rule statement to inspect for malicious SQL code. To create an SQLi attack rule statement, do the following:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, choose the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules. Select Add my own rules and rule groups from the dropdown.
  6. For Name, enter a rule name, and then choose Regular Rule.
  7. For If a request, choose matches the statement.
  8. For Inspect, select the Request components to evaluate against the SQLi built-in mitigation engine.
  9. For Match Type, select Contains SQL injection attacks from the dropdown.
  10. Choose a Text transformation.
  11. For Action, choose Block.
  12. Choose Add Rule.
  13. Choose Save.

XSS attack rule statement

Create a Cross-site scripting attack rule statement to inspect for malicious scripts in a web request component. To create an XSS attack rule statement, do the following:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, choose the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules. Select Add my own rules and rule groups from the dropdown.
  6. For Name, enter a rule name, and then choose Regular Rule.
  7. For If a request, choose matches the statement.
  8. For Inspect, select the Request components to evaluate against the XSS built-in mitigation engine.
  9. For Match Type, select Contains XSS injection attacks from the dropdown.
  10. Choose a Text transformation.
  11. For Action, choose Block.
  12. Choose Add Rule.
  13. Choose Save.

SQLi and XSS attack rules that evaluate against multiple request components

To create an attack rule that evaluates against multiple request components, do the following:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, choose the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules. Select Add my own rules and rule groups from the dropdown.
  6. For Name, enter a rule name, and then choose Regular Rule.
  7. For If a request, choose matches at least one of the statements (OR).
  8. For Inspect, select the Request components to evaluate against the SQLi or XSS built-in mitigation engine.
  9. For Match Type, select Contains SQL injection attacks or Contains XSS injection attacks from the dropdown.
  10. Choose a Text transformation.
  11. Choose Add another statement, and then repeat steps 8 through 10 for each additional statement that you want the rule to evaluate.
  12. For Action, choose Block.
  13. Choose Add Rule.
  14. Choose Save.

Important: You must apply the correct text transformations for the rule to work as expected. AWS WAF applies the transformations in the order that you list them, before the engine inspects the component, so decode first and normalize afterwards. For example, if you're inspecting a Cookie, use the following transformations associated with a cookie:

  • URL Decode
  • HTML entity decode
  • Lowercase
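The console steps above correspond to a JSON rule definition that the AWS WAF API and CLI accept. The following Python script (an added example, not code from this article or from AWS) builds one rule that ORs SqliMatchStatement and XssMatchStatement checks across the chosen request components, applies the cookie transformations listed above to cookies, sets OversizeHandling on the size-limited components, and defaults the action to Count. The rule name, the component list and the transformations for the non-cookie components are this example's assumptions.

```python
import json

# Text transformations per request component, applied in list order (Priority).
# The cookie set is the one this article recommends; the others are this example's
# assumptions and should be tuned to how your application encodes input.
TRANSFORMS = {
    "query_string": ["URL_DECODE", "HTML_ENTITY_DECODE"],
    "uri_path": ["URL_DECODE", "NORMALIZE_PATH"],
    "body": ["URL_DECODE", "HTML_ENTITY_DECODE"],
    "cookies": ["URL_DECODE", "HTML_ENTITY_DECODE", "LOWERCASE"],
}


def field_to_match(component):
    """FieldToMatch for a component. Body and cookies carry OversizeHandling because
    WAF inspects only a limited prefix of them; CONTINUE inspects what is available."""
    return {
        "query_string": {"QueryString": {}},
        "uri_path": {"UriPath": {}},
        "body": {"Body": {"OversizeHandling": "CONTINUE"}},
        "cookies": {"Cookies": {"MatchPattern": {"All": {}}, "MatchScope": "ALL",
                                "OversizeHandling": "CONTINUE"}},
    }[component]


def text_transformations(types):
    """TextTransformations list; Priority is the order WAF applies them in."""
    return [{"Priority": i, "Type": t} for i, t in enumerate(types)]


def sqli_statement(component, sensitivity="LOW"):
    return {"SqliMatchStatement": {
        "FieldToMatch": field_to_match(component),
        "TextTransformations": text_transformations(TRANSFORMS[component]),
        "SensitivityLevel": sensitivity,  # HIGH detects more and false-positives more
    }}


def xss_statement(component):
    return {"XssMatchStatement": {
        "FieldToMatch": field_to_match(component),
        "TextTransformations": text_transformations(TRANSFORMS[component]),
    }}


def build_injection_rule(name, priority, components, action="Count", sensitivity="LOW"):
    """One rule that ORs SQLi and XSS checks across the given components.
    Defaults to Count so the rule can be evaluated in logs before switching to Block."""
    if action not in ("Count", "Block"):
        raise ValueError("action must be Count or Block")
    if not components:
        raise ValueError("at least one request component is required")
    statements = []
    for comp in components:
        statements.append(sqli_statement(comp, sensitivity))
        statements.append(xss_statement(comp))
    # OrStatement needs at least two statements; one component already yields two.
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"OrStatement": {"Statements": statements}},
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    # Example rule: invented name, inspecting query string, body and cookies, Count mode.
    rule = build_injection_rule("sqli-xss-count", 0, ["query_string", "body", "cookies"])
    print(json.dumps([rule], indent=2))
```

Save the printed list as rules.json and apply it with aws wafv2 update-web-acl --rules file://rules.json together with the web ACL's name, id, scope, default action, visibility config and the lock token from aws wafv2 get-web-acl. Note that update-web-acl replaces the whole rule list, so merge the new rule into the existing rules rather than submitting it alone.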

Use AWS Managed Rules available for SQLi and XSS injection attacks

Use AWS Managed Rules for AWS WAF to protect against application vulnerabilities or other unwanted traffic without having to write your own rules.

Note: Managed Rules are subject to version changes and expiration. For more information, see Best practices for handling managed rule group versions.

Use the SQL database managed rule group to protect against SQL injection attacks. The SQL database managed rule group (default version 1.1) has the following rules that provide protection:

  • SQLiExtendedPatterns_QUERYARGUMENTS
  • SQLi_QUERYARGUMENTS
  • SQLi_BODY
  • SQLi_COOKIE
  • SQLi_URIPATH

Use the Core rule set (CRS) managed rule group to protect against XSS injection attacks. The Core rule set (CRS) managed rule group (default version 1.3) has the following rules that provide protection:

  • CrossSiteScripting_COOKIE
  • CrossSiteScripting_QUERYARGUMENTS
  • CrossSiteScripting_BODY
  • CrossSiteScripting_URIPATH

To add an AWS Managed Rule group to your web ACL

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, choose the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules. Select Add managed rule groups from the dropdown.
  6. Expand the AWS managed rule groups section.
  7. Locate the rule group and turn on Add to web ACL.
    For example, you can turn on Add to web ACL for both SQL database for SQLi protection and Core rule set for XSS protection.
  8. (Optional) Choose Edit to view and modify the settings for the rule group.
  9. Choose Add rules.
  10. Choose Save.

To edit an existing AWS Managed Rule group in your web ACL

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, choose the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. Choose Rules, and then choose Edit to view and modify the settings.
    Note: For additional information on editing settings, see Working with managed rule groups.
  6. When you have finished your edits, choose Save.

If an AWS Managed Rules rule group produces false positives, see AWS Managed Rules for AWS WAF.
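A common outcome of chasing false positives is a managed rule group that no longer blocks anything: either the group's override action was set to Count, or the individual SQLi and XSS rules listed above were overridden to Count (or placed in the legacy ExcludedRules list) and never restored. The following Python script (an added example, not code from this article or from AWS) audits a rule list in the shape that aws wafv2 get-web-acl returns under WebACL.Rules and reports every place the managed SQLi and XSS protections are not blocking. The rule list, rule names and overrides are constructed for the example.

```python
# Constructed rule list in the shape `aws wafv2 get-web-acl` returns under WebACL.Rules.
# The rule names, priorities and overrides are invented for this example.
WEB_ACL_RULES = [
    {
        # SQL database managed group, blocking, but with two rules demoted after false positives
        "Name": "AWS-AWSManagedRulesSQLiRuleSet",
        "Priority": 0,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesSQLiRuleSet",
            "RuleActionOverrides": [{"Name": "SQLi_BODY", "ActionToUse": {"Count": {}}}],
            "ExcludedRules": [{"Name": "SQLi_URIPATH"}],  # legacy way to set a rule to Count
        }},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                             "MetricName": "AWS-AWSManagedRulesSQLiRuleSet"},
    },
    {
        # Core rule set with the group-level override set to Count: nothing in it blocks
        "Name": "AWS-AWSManagedRulesCommonRuleSet",
        "Priority": 1,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
        "OverrideAction": {"Count": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                             "MetricName": "AWS-AWSManagedRulesCommonRuleSet"},
    },
    {
        # A regular (non-managed) rule; the audit skips it
        "Name": "sqli-query-block",
        "Priority": 2,
        "Statement": {"SqliMatchStatement": {
            "FieldToMatch": {"QueryString": {}},
            "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
            "SensitivityLevel": "LOW"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                             "MetricName": "sqli-query-block"},
    },
]

# The SQLi and XSS rules the article lists for each managed rule group
PROTECTION_RULES = {
    "AWSManagedRulesSQLiRuleSet": {
        "SQLiExtendedPatterns_QUERYARGUMENTS", "SQLi_QUERYARGUMENTS",
        "SQLi_BODY", "SQLi_COOKIE", "SQLi_URIPATH"},
    "AWSManagedRulesCommonRuleSet": {
        "CrossSiteScripting_COOKIE", "CrossSiteScripting_QUERYARGUMENTS",
        "CrossSiteScripting_BODY", "CrossSiteScripting_URIPATH"},
}


def audit_managed_groups(rules):
    """Return (rule name, group, rule-in-group, reason) for every place an SQLi/XSS
    managed rule is not blocking. A group-level OverrideAction of Count is reported once."""
    findings = []
    for rule in rules:
        mrg = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if not mrg:
            continue
        group = mrg["Name"]
        protected = PROTECTION_RULES.get(group, set())
        if "Count" in rule.get("OverrideAction", {}):
            findings.append((rule["Name"], group, "*",
                             "group OverrideAction is Count: no rule in the group blocks"))
            continue
        for override in mrg.get("RuleActionOverrides", []):
            action = next(iter(override["ActionToUse"]))
            if action != "Block" and override["Name"] in protected:
                findings.append((rule["Name"], group, override["Name"],
                                 f"injection rule overridden to {action}"))
        for excluded in mrg.get("ExcludedRules", []):
            if excluded["Name"] in protected:
                findings.append((rule["Name"], group, excluded["Name"],
                                 "injection rule in legacy ExcludedRules (counted, not blocked)"))
    return findings


def missing_groups(rules):
    """Managed groups from PROTECTION_RULES that the web ACL does not reference at all."""
    present = {r["Statement"]["ManagedRuleGroupStatement"]["Name"]
               for r in rules if "ManagedRuleGroupStatement" in r.get("Statement", {})}
    return set(PROTECTION_RULES) - present


if __name__ == "__main__":
    for finding in audit_managed_groups(WEB_ACL_RULES):
        print("%s / %s / %s: %s" % finding)
    print("missing groups:", missing_groups(WEB_ACL_RULES) or "none")
```

To audit a real web ACL, fetch its rules with aws wafv2 get-web-acl --scope REGIONAL --name NAME --id ID --query WebACL.Rules (use --scope CLOUDFRONT with the us-east-1 Region for a CloudFront web ACL), load the JSON and pass it to audit_managed_groups. Overrides that were added to silence a false positive should be scoped to the specific rule and revisited, not left as a permanent Count on the whole group.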


AWS OFFICIAL
Updated 2 years ago