AWSManagedRulesCommonRuleSet - CrossSiteScripting_BODY - Rule triggers on macOS installer PKG and WAF reports CORS error

0

We have a WAF set up in front of our API that is hosted in ECS/Fargate. One of the endpoints allows uploading (POST) an installer binary for our download area.

So far Windows installers work fine, but macOS pkg installers trigger the CrossSiteScripting_BODY rule in the AWSManagedRulesCommonRuleSet. The binary does not include JavaScript in any way. In some instances, changing the name of the binary, and therefore the payload, gets us past the rule. But for the most part we get rejected.

Another interesting point is that the WAF reports this as a CORS error.

What can we do to tweak that rule so that we can get our installers past the WAF without having to disable this rule manually each time we upload? Also, why is this reported as CORS and not a simple forbidden?

Thanks

asked 10 days ago · 56 views
1 Answer
1
Accepted Answer

Sorry to hear about the issues you are having. The AWS WAF CrossSiteScripting_BODY rule is sensitive to files with random characters in their metadata. The first step is to turn on comprehensive logs and look at the terminatingRuleMatchDetails data.

Use the matchedData field in the terminatingRuleMatchDetails data to create a safe list with a match condition. There is a detailed step-by-step description in this knowledge center article.

Let me know if you are still having issues or if you have any other questions.

AWS
awsmac
answered 9 days ago
  • Thanks, I went with an IP whitelist for the specific endpoint. Not optimal, but good enough for now.
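The procedure in the accepted answer (enable logging, read terminatingRuleMatchDetails / matchedData, then carve the upload endpoint out of the rule with a match condition) as an added, self-contained example; this is not code from the thread or from AWS. It parses a few constructed WAF log records (field names follow the AWS WAF log format, values are made up), lists what the XSS body condition fired on, builds a scope-down statement in the same dict shape the boto3 wafv2 client takes for a ManagedRuleGroupStatement, and replays the logged requests against that statement locally before it is deployed. The path /api/installers and the IPs are assumptions.

```python
"""Added example: triage CrossSiteScripting_BODY blocks in AWS WAF logs and build a
scope-down statement that keeps the Common Rule Set off the installer upload.
Not code from the re:Post thread; the endpoint /api/installers is assumed."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample log records, one JSON object per line as WAF delivers them.
# Field names follow the AWS WAF log format; all values are invented for this example.
SAMPLE_WAF_LOGS = r'''
{"timestamp":1700000000000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","terminatingRuleMatchDetails":[{"conditionType":"XSS","location":"BODY","matchedData":["<","x","m","l"]}],"httpRequest":{"clientIp":"203.0.113.10","uri":"/api/installers","httpMethod":"POST"},"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"CrossSiteScripting_BODY","action":"BLOCK"}}]}
{"timestamp":1700000001000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","terminatingRuleMatchDetails":[],"httpRequest":{"clientIp":"198.51.100.7","uri":"/api/health","httpMethod":"GET"},"ruleGroupList":[]}
{"timestamp":1700000002000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","terminatingRuleMatchDetails":[],"httpRequest":{"clientIp":"198.51.100.8","uri":"/api/installers/app.pkg","httpMethod":"GET"},"ruleGroupList":[]}
'''


def parse_waf_logs(text: str) -> list[dict[str, Any]]:
    """WAF logs are newline-delimited JSON; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def xss_body_matches(records: list[dict[str, Any]]) -> list[tuple[str, str, list[str]]]:
    """(uri, method, matchedData) for every record whose terminating match was an XSS
    condition on the body, i.e. exactly what CrossSiteScripting_BODY fired on."""
    hits = []
    for rec in records:
        for detail in rec.get("terminatingRuleMatchDetails", []):
            if detail.get("conditionType") == "XSS" and detail.get("location") == "BODY":
                req = rec["httpRequest"]
                hits.append((req["uri"], req["httpMethod"], list(detail.get("matchedData", []))))
    return hits


def _byte_match(field: dict, needle: str, constraint: str) -> dict:
    # SearchString is bytes in the boto3 wafv2 API; the CLI JSON form base64-encodes it.
    return {"ByteMatchStatement": {
        "SearchString": needle.encode(),
        "FieldToMatch": field,
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        "PositionalConstraint": constraint}}


def upload_scope_down(upload_path: str, method: str = "POST") -> dict:
    """Scope-down statement: the rule group inspects every request EXCEPT <method>
    requests whose URI path starts with upload_path (GETs of the same path stay inspected)."""
    return {"NotStatement": {"Statement": {"AndStatement": {"Statements": [
        _byte_match({"UriPath": {}}, upload_path, "STARTS_WITH"),
        _byte_match({"Method": {}}, method, "EXACTLY"),
    ]}}}}


def common_rule_set_rule(scope_down: dict, priority: int = 1) -> dict:
    """Rule entry for update_web_acl(Rules=[...]) attaching the scope-down to the managed group."""
    return {
        "Name": "AWS-AWSManagedRulesCommonRuleSet",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesCommonRuleSet",
            "ScopeDownStatement": scope_down}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "AWS-AWSManagedRulesCommonRuleSet"},
    }


def evaluate(statement: dict, req: dict) -> bool:
    """Minimal local evaluator for the statement subset used above (Not/And/Or/ByteMatch on
    UriPath or Method, no text transformations). Lets you replay logged requests against
    a candidate scope-down before touching the web ACL."""
    (kind, body), = statement.items()
    if kind == "NotStatement":
        return not evaluate(body["Statement"], req)
    if kind == "AndStatement":
        return all(evaluate(s, req) for s in body["Statements"])
    if kind == "OrStatement":
        return any(evaluate(s, req) for s in body["Statements"])
    if kind == "ByteMatchStatement":
        field = next(iter(body["FieldToMatch"]))
        value = {"UriPath": req["uri"], "Method": req["httpMethod"]}[field].encode()
        needle = body["SearchString"]
        return {"EXACTLY": value == needle,
                "STARTS_WITH": value.startswith(needle),
                "ENDS_WITH": value.endswith(needle),
                "CONTAINS": needle in value}[body["PositionalConstraint"]]
    raise ValueError(f"unsupported statement type: {kind}")


def still_inspected(records: list[dict[str, Any]], scope_down: dict) -> list[str]:
    """URIs from the log that the candidate scope-down would still route through the rule group."""
    return [r["httpRequest"]["uri"] for r in records if evaluate(scope_down, r["httpRequest"])]


if __name__ == "__main__":
    recs = parse_waf_logs(SAMPLE_WAF_LOGS)
    print("XSS body hits:", xss_body_matches(recs))
    sd = upload_scope_down("/api/installers")
    print("still inspected:", still_inspected(recs, sd))
    print(json.dumps(common_rule_set_rule(sd), default=lambda b: b.decode(), indent=2))
```

The scope-down removes the whole Common Rule Set, not just CrossSiteScripting_BODY, from POST /api/installers, so the endpoint needs its own controls (authentication, and an IP-set rule as the comment above describes); a RuleActionOverrides entry setting CrossSiteScripting_BODY to Count would instead weaken body inspection for every endpoint. On the CORS question: a WAF block is a plain 403 that carries no Access-Control-Allow-Origin header, so a browser client surfaces it as a CORS failure; the block action can be given a custom response with headers if the front end needs to see the 403 itself.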
