How do I create an AWS WAF rule to prevent SQL injection and XSS attacks?


I want to create an AWS WAF rule to prevent SQL injection and cross-site scripting (XSS) attacks.

Short description

To help prevent SQL injection and XSS attacks, use one of the following protections:

  • Built-in SQL injection and XSS engines
  • AWS Managed Rules for SQL injection and XSS injection attacks

Note: AWS WAF has maximum size inspection quotas for request bodies, headers, and cookies. For more information, see Handling of oversize request components in AWS WAF.

Resolution

Note: It's a best practice to test rules in a non-production environment with the Action set to Count. Use Amazon CloudWatch metrics on your AWS WAF logs to evaluate the rule. After you test the rules, change the Action to Block.

Use built-in SQL injection and XSS engines

Attacks can occur on different parts of the HTTP request, such as the HTTP header, query string, or URI. To inspect different parts of the HTTP request against the built-in mitigation engines, configure your AWS WAF rules.

Create an SQL injection attack rule statement to inspect for malicious SQL code. Create an XSS attack rule statement to inspect for malicious scripts in a web request component.

Create an SQL injection or XSS attack rule statement

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where you created your web ACL.
    Note: If your web ACL is set up for Amazon CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  6. To set up your rule, configure the following values:
    For Rule type, choose Rule Builder.
    For Name, enter a name for the rule.
    For Type, choose Regular rule.
    For If a Request, choose Matches the statement.
    For Inspect, select the request components that you want the rule statement to evaluate.
    For Match Type, select Contains SQL injection attacks or Contains XSS injection attacks.
    Choose a text transformation.
    For Action, choose Block.
  7. Choose Add Rule.
  8. Choose Save.

Create an SQL injection or XSS attack rule statement that evaluates against multiple request components

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  6. Add the following values to set up your rule:
    For Rule type, choose Rule Builder.
    For Name, enter a name for the rule.
    For Type, choose Regular rule.
    For If a Request, choose matches at least one of the statements (OR).
    For Inspect, select the request components that you want the rule statements to evaluate.
    For Match Type, select Contains SQL injection attacks or Contains XSS injection attacks.
    Choose a text transformation.
  7. (Optional) To add more rule evaluations, choose Add another statement, and then configure the statement values:
    For Inspect, select the request components that you want the rule statements to evaluate.
    For Match Type, select Contains SQL injection attacks or Contains XSS injection attacks.
    Choose a text transformation.
  8. For Action, choose Block.
  9. Choose Add Rule.
  10. Choose Save.

Note: For the rule to work, you must apply the correct text transformations. For example, if you want AWS WAF to inspect a cookie, then use URL Decode, HTML entity decode, and Lowercase.
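The two console procedures above produce a rule in the AWS WAF v2 rule JSON format. The following added example (my own helper code, not from the article or from AWS) builds that same rule programmatically: one statement per inspected component, an OrStatement when there is more than one, the article's cookie text-transformation chain, and Action set to Count for testing. The helper names, the per-component transformation table, and the OversizeHandling choice are assumptions; the dict it returns has the shape the wafv2 API expects in the Rules list of update_web_acl or the console's JSON rule editor.

```python
import json

# Text transformations per request component. The cookie chain is the one the
# article recommends: URL decode, HTML entity decode, then lowercase (assumed table).
TRANSFORMS = {
    "QueryString": ["URL_DECODE"],
    "UriPath": ["URL_DECODE", "NORMALIZE_PATH"],
    "Body": ["URL_DECODE", "HTML_ENTITY_DECODE"],
    "Cookies": ["URL_DECODE", "HTML_ENTITY_DECODE", "LOWERCASE"],
}

def field_to_match(component: str) -> dict:
    """Map a console 'Inspect' choice to a wafv2 FieldToMatch structure.
    Body and Cookies carry OversizeHandling because AWS WAF inspects only the
    first part of an oversize component (see the quota note above)."""
    if component == "Body":
        return {"Body": {"OversizeHandling": "CONTINUE"}}
    if component == "Cookies":
        return {"Cookies": {"MatchPattern": {"All": {}}, "MatchScope": "ALL",
                            "OversizeHandling": "CONTINUE"}}
    return {component: {}}

def match_statement(kind: str, component: str) -> dict:
    """kind is 'Sqli' or 'Xss', giving SqliMatchStatement / XssMatchStatement."""
    return {f"{kind}MatchStatement": {
        "FieldToMatch": field_to_match(component),
        "TextTransformations": [{"Priority": i, "Type": t}
                                for i, t in enumerate(TRANSFORMS[component])],
    }}

def build_injection_rule(name: str, priority: int, components: list,
                         kinds=("Sqli", "Xss"), block: bool = False) -> dict:
    """Build one rule that matches if ANY of its statements match (OR).
    block=False emits Action Count, the test mode the article recommends."""
    statements = [match_statement(k, c) for c in components for k in kinds]
    statement = (statements[0] if len(statements) == 1
                 else {"OrStatement": {"Statements": statements}})
    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": {"Block": {}} if block else {"Count": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }

if __name__ == "__main__":
    rule = build_injection_rule("sqli-xss", 0, ["QueryString", "Body", "Cookies"])
    print(json.dumps(rule, indent=2))
```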

Use AWS Managed Rules for SQL injection and XSS injection attacks

To protect against application vulnerabilities or other unwanted traffic without writing your own rules, use AWS Managed Rules for AWS WAF.

Note:

  • Managed rule group providers might update the rule group or let it expire. For more information, see Version managed rule groups.
  • Before you use a managed rule group in production, test it in a non-production environment to mitigate false positives.

Use the SQL database managed rule group to protect against SQL injection attacks. Use the core rule set (CRS) managed rule group to protect against XSS injection attacks.

Add an AWS Managed Rules rule group to your web ACL

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose Add Rules, and then choose Add managed rule groups.
    Note: To use an existing AWS Managed Rules rule group, choose Rules, and then choose Edit. For additional information about editing settings, see Working with managed rule groups.
  6. Expand AWS managed rule groups.
  7. Locate the rule group that you want to add, and then select Add to web ACL for either SQL database or Core rule set.
  8. Choose Add rules.
  9. Choose Save.
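The managed rule group steps above reference a group rather than define statements, so the resulting web ACL entry uses OverrideAction instead of Action. This added example (my own helper code, not from the article or from AWS) builds that entry for the SQL database and Core rule set groups, in Count mode for the non-production test the note recommends, and optionally pins a group version. The helper names and the version string used in the example are assumptions; the group identifiers are AWS's published names for those two groups.

```python
# Console display name -> AWS Managed Rules group identifier (assumed mapping
# for the two groups the article pairs with SQLi and XSS).
MANAGED_GROUPS = {
    "SQL database": "AWSManagedRulesSQLiRuleSet",
    "Core rule set": "AWSManagedRulesCommonRuleSet",
}

def managed_rule_group_rule(console_name: str, priority: int,
                            count_only: bool = True, version: str = None) -> dict:
    """Reference an AWS Managed Rules group from a web ACL.
    A managed group uses OverrideAction instead of Action: Count overrides every
    rule in the group to Count (the recommended test mode), while None lets the
    group's own Block actions apply. Pinning version keeps the group from
    changing underneath you when the provider updates it."""
    group = MANAGED_GROUPS[console_name]
    statement = {"VendorName": "AWS", "Name": group}
    if version:
        statement["Version"] = version
    return {
        "Name": f"AWS-{group}",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": f"AWS-{group}"},
    }

def injection_rule_set(count_only: bool = True) -> list:
    """Both groups the article uses: the SQLi group, then the CRS for XSS.
    Priorities must be unique within a web ACL, so they are fixed here."""
    return [managed_rule_group_rule("SQL database", 1, count_only),
            managed_rule_group_rule("Core rule set", 2, count_only)]
```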

Related information

Step 1: Set up AWS WAF

Testing and tuning your AWS WAF protections

AWS OFFICIAL
Updated 22 days ago