WAF: Exclude all cookies from managed rule group

Question

Hi there,

I'd like to prevent cookies from triggering rules in the [AWS-managed SQL Injection rule set](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html#aws-managed-rule-groups-use-case-sql-db). By default, the ruleset seems to scan query parameters, body, and cookies, but cookies regularly contain URL-encoded strings and semicolons that cause tons of false-positives. For example, this request is blocked:

```
curl -H 'cookie: id=%22test%22;' https://example.com
```

Is there a way to make the WAF ignore cookies?

I've tried setting the rule action for "SQLi_COOKIE" to "allow", but it didn't work, requests are still blocked.

Answer

I was able to workaround the issue by using the "custom response" logic described here: https://repost.aws/knowledge-center/waf-managed-rules

Instead of blocking requests tagged with any tag in the whole "namespace" of all SQL injection rules (`awswaf:managed:aws:sql-database`), I configured it to only match on the body (`awswaf:managed:aws:sql-database:SQLi_Body`).

But this is a hack since the cookies are still scanned for SQL injection. I'd like to avoid scanning cookies all together, like ModSecurity's [UpdateTargetById](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secruleupdatetargetbyid)

Answer

To prevent cookies from triggering rules in the AWS-managed SQL Injection rule set:

Identify the SQLi_COOKIE rule that is blocking requests containing cookies.

Edit the rule and set the action to ALLOW for that specific rule.

Save the changes to the rule group.

Setting the action to ALLOW for just the SQLi_COOKIE rule should allow requests containing cookies to pass, while still blocking for other rules like SQLi_BODY or SQLi_HEADER.

WAF: Exclude all cookies from managed rule group

Relevant content