A limitation of AWS WAF is that it won't inspect body content after the first 8KB. You can apply a rule across all your WAFs checking for body>8KB and just reporting it for a while. Then inspect which of your workloads never have to handle genuine requests >8KB, and can have that rule changed to be a "block".
If you have any remaining workloads that genuinely need to handle requests >8KB, you may be able to mitigate further if you can identify certain patterns that these requests relate to, e.g.:
- Add a top-priority rule that explicitly allows only those requests, based on URL for example.
- Then for other requests, block them if > 8KB.
- Inspect the remainder.
This may end up being a better solution, but as the requests matching the top-level rule become completely unscanned it may end up being worse, depending on your particular workload.
Regarding the 1-click tool which will be available by early December: all the new features are only supported in WAFv2. If there are any non-compliant WAFv2 WebACLs then customers should be able to see this in their WAF console:
In AWS WAF, only the first 8KB (i.e. bytes 1 through 8,192) of the body content is inspected. The remaining content beyond 8,192 bytes isn't inspected by default. This is a hard service limit and can't be changed. That means that any malicious payload that starts after the 8,192nd byte in a POST request will completely bypass AWS WAF unless you’ve explicitly added a rule to block any POST request greater than 8KB in size. Since the inspection limit is the first 8KB, AWS relayed the decision on how these oversized requests should be handled to the customers.
The 'Continue' option within the oversize handling states that: if any request is oversized against the WAF’s inspection size limit, then that oversized payload (payload content after 8,192 bytes) will be ignored and AWS WAF will inspect the request components that are within the size limitations (payload content from byte 1 through 8,192) and the rule action will take place.
For example:
1) If you want to allow the request if the body contains ‘hello’ and you don't want the oversized contents (after 8,192 bytes) to be inspected, you can use ‘Continue’ as the oversize handling behavior as below:
* Action : ALLOW
* Statement : ByteMatch
* FTM : Body
* Contains : “hello”
* OversizeHandling : CONTINUE
Here, WAF inspects bytes 1 through 8,192 of the body content and the rule action ‘ALLOW’ takes place if the request contains the string 'hello', even if the request content crosses the WAF size limit (> 8,192 bytes).
2) If you want to block the request if the body contains ‘hello’ and you don't want the oversized contents (> 8,192 bytes) to be inspected, you can use ‘Continue’ as the oversize handling behavior as below:
* Action : BLOCK
* Statement : ByteMatch
* FTM : Body
* Contains : “hello”
* OversizeHandling : CONTINUE
Here, WAF inspects bytes 1 through 8,192 of the body content and the rule action ‘BLOCK’ takes place if the request contains the string 'hello', even if the request content crosses the WAF size limit (8,192 bytes).
Suppose you configure a custom rule with a request body that contains XSS injection attacks and your request body is 9,000 bytes. You can choose from the following oversize handling actions:
Continue: AWS WAF inspects bytes 1 through 8,192 of the body content for an XSS attack. The remaining content, bytes 8,193 through 9,000, isn't inspected.
Match: AWS WAF marks this request as containing an XSS attack and takes the rule action (either ALLOW or BLOCK). It doesn’t matter whether the request body includes an XSS attack pattern or not.
Not match: AWS WAF marks this request as not containing an XSS attack regardless of the request body content.
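To make the two answers above concrete, here is an added example (not code from the post or from AWS): it builds the top-priority "body > 8KB" size-constraint rule from the first answer and the ByteMatch rule from the second in the WAFv2 JSON shape, and models how each OversizeHandling mode decides the outcome for a constructed 9,000-byte body whose pattern starts after byte 8,192. The rule dicts assume the documented WAFv2 statement layout and omit VisibilityConfig; `rule_matches` is a constructed model, not the WAF engine.

```python
# Added example (not code from the post or from AWS): builds the two WAFv2
# rule shapes discussed above and models how OversizeHandling decides the
# outcome for a body that crosses the 8,192-byte inspection limit.
INSPECT_LIMIT = 8192  # AWS WAF inspects body bytes 1..8192 only


def size_guard_rule(action="Count"):
    """Top-priority rule catching any body WAF cannot fully inspect.
    Start with Count (report only), then switch to Block for workloads
    that never need >8KB bodies. Assumes the documented WAFv2 JSON shape;
    VisibilityConfig is omitted for brevity."""
    return {
        "Name": "body-over-8kb", "Priority": 0, "Action": {action: {}},
        "Statement": {"SizeConstraintStatement": {
            "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
            "ComparisonOperator": "GT", "Size": INSPECT_LIMIT,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
    }


def body_contains_rule(action, pattern, oversize_handling):
    """ByteMatch rule on the body, as in the examples above (same caveats)."""
    return {
        "Name": f"body-contains-{pattern}", "Priority": 10,
        "Action": {action: {}},
        "Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"Body": {"OversizeHandling": oversize_handling}},
            "PositionalConstraint": "CONTAINS", "SearchString": pattern,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
    }


def rule_matches(body: bytes, pattern: bytes, oversize_handling: str) -> bool:
    """Constructed model of WAF's decision: True means the rule action fires."""
    if len(body) <= INSPECT_LIMIT:
        return pattern in body
    if oversize_handling == "MATCH":
        return True   # oversized body is treated as matching, whatever it holds
    if oversize_handling == "NO_MATCH":
        return False  # oversized body is treated as never matching
    return pattern in body[:INSPECT_LIMIT]  # CONTINUE: only the first 8 KB is seen


if __name__ == "__main__":
    # Constructed 9,000-byte body whose only 'hello' starts after byte 8,192
    late = b"A" * 8500 + b"hello" + b"A" * 495
    for mode in ("CONTINUE", "MATCH", "NO_MATCH"):
        print(mode, rule_matches(late, b"hello", mode))
    print(size_guard_rule("Block")["Statement"]["SizeConstraintStatement"]["Size"])
```

With CONTINUE the late 'hello' is never seen, which is exactly why the size-guard rule (Count first, then Block where the workload allows) is worth running ahead of the content rules.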