Fix waf body size rules in my AWS accounts

0

I was sent an email indicating I need to apply a size constraint rule or define oversize handling behavior on Body or JSON body rules for all of your AWS WAF web ACLs.

The message also mentions: To help you update Body or JSON body rules, we are developing a 1-click tool which will be available by early December.

I'm trying to find this "1-click tool" the message refers to.

Is this the one-click-tool in the documentation below? I'm reviewing this documentation here - https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-size-conditions.html

Also for Continue in the documentation, it mentions it will inspect contents that are within the size limitations. I'm under the assumption that it's AWS who automatically enforces these size limitations and it's the customer (me) who must define the way the size limitations are handled, if I'm not mistaken.

I'm also wondering whether there are any best practices or suggestions on what approach to take when defining options for oversize handling?

Thanks

2 Answers
0

A limitation of AWS WAF is that it won't inspect body content after the first 8KB. You can apply a rule across all your WAFs checking for body>8KB and just reporting it for a while. Then inspect which of your workloads never have to handle genuine requests >8KB, and can have that rule changed to be a "block".

If you have any remaining workloads that genuinely need to handle requests >8KB, you may be able to mitigate further if you can identify certain patterns that these request relate to, e.g.:

  • Add a top-priority rule that explicitly allows only those requests, based on URL for example.
  • Then for other requests, block them if > 8KB.
  • Inspect the remainder.

This may end up being a better solution, but as the requests matching the top-level rule become completely unscanned it may end up being worse, depending on your particular workload.

EXPERT
answered 2 years ago
0

Regarding the 1-click tool which will be available by early December: all the new features are only supported in WAFv2. If there are any non-compliant WAFv2 WebACLs, customers should be able to see this in their WAF console.

In AWS WAF, only the first 8KB ( i.e. bytes 1 through 8,192 ) of the body content is inspected. The remaining content beyond 8,192 bytes isn't inspected by default. This is a hard service limit and can't be changed. That means that any malicious payload that starts after the 8,192nd byte in a POST request will completely bypass AWS WAF unless you’ve explicitly added a rule to block any POST request greater than 8KB in size. Since the inspection limit is the first 8KB, AWS has left the decision of how these oversized requests are handled to the customer.

The 'Continue' as an option within the oversize handling states that: If any request is oversized against the WAF’s inspection size limit, then that oversized payload ( payload content after 8,192 bytes ) will be ignored and AWS WAF will inspect the request components that are within the size limitations ( payload content from byte 1 through 8,192 bytes ) and the rule action will take place.

For example,

  1) If you want to allow the request if the body contains ‘hello’ and you don't want the oversized contents ( after 8,192 bytes ) to be inspected, you can use ‘Continue’ as the oversize handling behavior as below:

         * Action : ALLOW
         * Statement : ByteMatch
             * FTM : Body
             * Contains : “hello”
             * OversizeHandling : CONTINUE

Here, WAF inspects bytes 1 through 8,192 bytes of the body content and the rule action ‘ALLOW’ takes place if the request contains the string 'hello', even if the request content crosses the WAF size limit ( > 8,192 bytes )

  2) If you want to block the request if the body contains ‘hello’ and you don't want the oversized contents ( > 8,192 bytes ) to be inspected, you can use ‘Continue’ as the oversize handling behavior as below:

         * Action : BLOCK
         * Statement : ByteMatch
             * FTM : Body
             * Contains : “hello”
             * OversizeHandling : CONTINUE

Here, WAF inspects bytes 1 through 8,192 bytes of the body content and the rule action ‘BLOCK’ takes place if the request contains the string 'hello', even if the request content crosses the WAF size limit ( 8,192 bytes )

  3) Suppose you configure a custom rule with a request body that contains XSS injection attacks and your request body is 9,000 bytes. You can choose from the following oversize handling actions:

         * Continue: AWS WAF inspects bytes 1 through 8,192 of the body content for an XSS attack. The remaining content, bytes 8,193 through 9,000, isn't inspected.
         * Match: AWS WAF marks this request as containing an XSS attack and takes the rule action (either ALLOW or BLOCK). It doesn’t matter whether the request body includes an XSS attack pattern or not.
         * Not match: AWS WAF marks this request as not containing an XSS attack regardless of the request body content.

AWS
answered 2 years ago
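The following is an added example, not code from either answer or from AWS. It models the three oversize handling behaviours described in the second answer (CONTINUE, MATCH, NO_MATCH) against the 8,192-byte inspection limit, and it builds the WAFv2 JSON for the two rules the answers discuss: a ByteMatch rule on the body with an explicit `OversizeHandling`, and a Count-mode size-constraint rule flagging bodies over 8KB, as suggested in the first answer. The JSON field names (`ByteMatchStatement`, `SizeConstraintStatement`, `FieldToMatch.Body.OversizeHandling`, `VisibilityConfig`) follow the WAFv2 API; the rule names, metric names and sample bodies are constructed for the example.

```python
"""Model of AWS WAF body inspection under the three oversize handling options
and builders for the corresponding WAFv2 rule JSON (added example)."""
import json

INSPECTION_LIMIT = 8192  # WAF inspects body bytes 1..8192 only (hard limit)
OVERSIZE_OPTIONS = ("CONTINUE", "MATCH", "NO_MATCH")


def byte_match_body(body: bytes, search: bytes, oversize_handling: str) -> bool:
    """Return True when a ByteMatch 'CONTAINS' rule on Body would match.

    Mirrors the behaviour described in the answer: if the body exceeds the
    limit, MATCH forces a match, NO_MATCH forces a non-match, and CONTINUE
    inspects only the first 8,192 bytes and ignores the rest.
    """
    if oversize_handling not in OVERSIZE_OPTIONS:
        raise ValueError(f"unknown oversize handling: {oversize_handling}")
    if len(body) > INSPECTION_LIMIT:
        if oversize_handling == "MATCH":
            return True
        if oversize_handling == "NO_MATCH":
            return False
    # CONTINUE, or a body within the limit: inspect what WAF can see.
    return search in body[:INSPECTION_LIMIT]


def _visibility(metric_name: str) -> dict:
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def build_byte_match_rule(name: str, priority: int, action: str,
                          search: str, oversize_handling: str) -> dict:
    """WAFv2 rule: <action> if Body contains <search>, with explicit oversize handling."""
    if action not in ("Allow", "Block", "Count"):
        raise ValueError(f"unsupported action: {action}")
    return {
        "Name": name,
        "Priority": priority,
        "Action": {action: {}},
        "Statement": {
            "ByteMatchStatement": {
                "SearchString": search,
                "FieldToMatch": {"Body": {"OversizeHandling": oversize_handling}},
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                "PositionalConstraint": "CONTAINS",
            }
        },
        "VisibilityConfig": _visibility(name),
    }


def build_oversize_audit_rule(name: str, priority: int, action: str = "Count") -> dict:
    """WAFv2 rule flagging bodies larger than the inspection limit.

    Oversize handling is MATCH so that an oversized body counts as matching the
    size test. Start with Count (report only), then switch workloads that never
    need >8KB bodies to Block, as the first answer suggests.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Action": {action: {}},
        "Statement": {
            "SizeConstraintStatement": {
                "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
                "ComparisonOperator": "GT",
                "Size": INSPECTION_LIMIT,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }
        },
        "VisibilityConfig": _visibility(name),
    }


# Constructed sample bodies: 'hello' early, 'hello' only after byte 8,192, and a small body.
EARLY_HELLO = b"hello" + b"a" * 8995          # 9,000 bytes, match within the limit
LATE_HELLO = b"a" * 8500 + b"hello" + b"a" * 495  # 9,000 bytes, match only beyond the limit
SMALL_BODY = b"x" * 100 + b"hello"            # well under the limit

if __name__ == "__main__":
    for label, body in (("early", EARLY_HELLO), ("late", LATE_HELLO), ("small", SMALL_BODY)):
        results = {opt: byte_match_body(body, b"hello", opt) for opt in OVERSIZE_OPTIONS}
        print(f"{label:5s} ({len(body):5d} bytes): {results}")
    print(json.dumps(build_byte_match_rule("allow-hello", 1, "Allow", "hello", "CONTINUE"), indent=2))
    print(json.dumps(build_oversize_audit_rule("count-oversized-body", 0), indent=2))
```

Running it shows the point of the answer: with CONTINUE the `LATE_HELLO` body does not match at all, because the only occurrence of the string sits past byte 8,192, which is why the audit rule (and eventually a Block) on body size is the complement to CONTINUE rather than an alternative to it.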
