How to block a request with AWS WAF if values specified in its JSON body do not follow regular expressions?
The body of my request is quite simple: it has some parameters and a nested array:

  {
    "id": "[0-9]{10}",
    "name": "[a-zA-Z]{3,20}",
    "array": [
      {
        "countryCode": "[A-Z]{2}"  // more keys omitted for brevity
      }
    ]
  }

How can I guarantee that 1/ provided regexes will be matched and 2/ no foreign keys will be included in the request body? The array length is unspecified, but it's guaranteed that it will always have at least 2 elements.

1 Answer
Accepted Answer

The request’s body inspection is designed to do regex match for the whole body or specific fields referenced by match scope, and for keys, values, or both. Usually, it is used to create rules that will inspect single elements of the JSON payload in a well-defined structure.

You can use the following regex to match the body content:

\{ "id": "[0-9]{10}", "name": "[a-zA-Z]{3,20}", "array": \[\{ "countryCode": "[A-Z]{2}" \}, \{ "countryCode": "[A-Z]{2}" \} \] \}

This should give you an idea of how such a check can be approached. In this case, one needs to be careful about key ordering and whitespace when making the request:

  • key ordering can be ensured on your (valid) client/application side
  • whitespace management can be easily solved with WAF's Text Transformation: Compress whitespace (here you can access the list of all supported text transformations) that will replace characters such as Tab, Newline, Carriage return, and multiple spaces with one space.

This regex will also automatically guarantee that there are no other keys present in the request body.

Please also note that we offer request model validation as part of the API Gateway service, which is aiming more for API-level validation, instead of a firewall-level.

AWS
answered 3 months ago
reviewed 3 months ago
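As an added example (not part of the original answer and not AWS code), the following Python script generalizes the answer's regex to arrays of two or more elements, anchors it with ^ and $ so that a valid document nested under some other key cannot satisfy WAF's contains-style match, tolerates the single space COMPRESS_WHITE_SPACE leaves, emulates that transformation locally against constructed sample bodies, and builds the WAFv2 rule that blocks when the body does not match. The pattern stays within the syntax AWS WAF supports (no lookaround or backreferences), and the rule name, sample bodies and the `_doc` dictionary are constructed for the example.

```python
import json
import re

# Pattern restricted to syntax AWS WAF accepts (no lookaround, no backreferences).
# ^ and $ tie it to the whole compressed body, so a valid document nested under
# another key cannot satisfy WAF's contains-style match; "(, element)+" admits
# two or more array elements; " ?" tolerates the single space COMPRESS_WHITE_SPACE leaves.
ELEMENT = r'\{ ?"countryCode": ?"[A-Z]{2}" ?\}'
BODY_REGEX = (
    r'^\{ ?"id": ?"[0-9]{10}", ?"name": ?"[a-zA-Z]{3,20}", ?"array": ?\[ ?'
    + ELEMENT + r"(, ?" + ELEMENT + r")+ ?\] ?\}$"
)

def compress_white_space(body: str) -> str:
    """Emulate WAF's COMPRESS_WHITE_SPACE: any run of whitespace becomes one space."""
    return re.sub(r"[ \t\r\n\f\v\xa0]+", " ", body)

def body_allowed(body: str) -> bool:
    """True when the transformed body matches, i.e. the block rule below would not fire."""
    return re.search(BODY_REGEX, compress_white_space(body)) is not None

def waf_rule(name: str = "BlockBodyNotMatchingSchema") -> dict:
    """WAFv2 rule JSON: Block when the body does NOT match (NotStatement around RegexMatchStatement)."""
    regex_match = {
        "RegexString": BODY_REGEX,
        # Oversized bodies are never regex-evaluated; NO_MATCH makes the NotStatement block them too.
        "FieldToMatch": {"Body": {"OversizeHandling": "NO_MATCH"}},
        "TextTransformations": [{"Priority": 0, "Type": "COMPRESS_WHITE_SPACE"}],
    }
    return {
        "Name": name,
        "Priority": 0,
        "Action": {"Block": {}},
        "Statement": {"NotStatement": {"Statement": {"RegexMatchStatement": regex_match}}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }

# Constructed sample bodies (not taken from the question).
_doc = {"id": "1234567890", "name": "Alice",
        "array": [{"countryCode": "US"}, {"countryCode": "DE"}, {"countryCode": "FR"}]}
VALID = json.dumps(_doc)
PRETTY = json.dumps(_doc, indent=2)                             # same data, multi-line
FOREIGN_KEY = json.dumps({**_doc, "debug": True})               # extra key the schema forbids
NESTED = json.dumps({"wrapper": _doc})                          # valid document buried in another
ONE_ELEMENT = json.dumps({**_doc, "array": _doc["array"][:1]})  # fewer than two elements
```

Feed `waf_rule()` to the WAFv2 API or console as one rule of your web ACL; `body_allowed` lets you regression-test the pattern against captured request bodies before deploying it.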
