1 Answer
Hi there
When you analyze the WAF logs, you have to identify the encoding schemes. Based on the patterns you observe in the logs, try to identify the encoding schemes used in the malicious requests. Common encoding schemes include:
- URL encoding (e.g., `%20` for space)
- Hexadecimal encoding (e.g., `0x20` for space)
- Base64 encoding
- JSON encoding
- HTML entity encoding (e.g., `&nbsp;` for space)
Here's a common order for applying text transformations:
- Decode HTML entity encoding (if present)
- Decode URL encoding
- Decode Base64 encoding (if present)
- Decode Hex encoding (if present)
- Normalize JSON bodies (if present)
For example, if you notice that the malicious requests use URL encoding and Hex encoding, you can apply the URLDecode and HexDecode transformations in that order.
Are you using the AWS Managed rules for WAF? These rules are maintained by AWS and can provide protection against common attack patterns, including DDoS attacks.
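The decoding order listed in the answer above, as an added example that is not part of the original answer and is not AWS code: a Python helper that runs a logged field value through the HTML entity, URL, Base64 and hex steps in that order and reports which ones changed it, so you can see which text transformations a rule needs. The regex heuristics, function names and sample values are assumptions constructed for illustration; the step labels are AWS WAF text transformation type names.

```python
import base64, html, re
from urllib.parse import unquote

HEX = re.compile(r"(?:0x)?(?:[0-9a-fA-F]{2}){4,}")
B64 = re.compile(r"(?:[A-Za-z0-9+/]{4}){2,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

def _text(raw):
    """Keep decoded bytes only if they are printable ASCII (cuts false positives)."""
    s = raw.decode("latin-1")
    return s if s.isascii() and s.isprintable() else None

def _b64(s):
    # Pure-hex strings also fit the Base64 alphabet; leave them to the hex step.
    if HEX.fullmatch(s) or not B64.fullmatch(s):
        return None
    return _text(base64.b64decode(s))

def _hex(s):
    if not HEX.fullmatch(s):
        return None
    return _text(bytes.fromhex(s[2:] if s.startswith("0x") else s))

# Labels are AWS WAF text transformation types; the order is the answer's.
STEPS = [("HTML_ENTITY_DECODE", html.unescape), ("URL_DECODE", unquote),
         ("BASE64_DECODE", _b64), ("HEX_DECODE", _hex)]

def plan(value, max_rounds=4):
    """Return (names of the steps that changed the value, fully decoded value)."""
    applied = []
    for _ in range(max_rounds):  # further rounds expose double encoding
        before = value
        for name, step in STEPS:
            out = step(value)
            if out is not None and out != value:
                applied.append(name)
                value = out
        if value == before:
            break
    return applied, value

# Constructed field values, not taken from real logs.
SAMPLES = ["&#37;3Cscript&#37;3E", "PHNjcmlwdD4%3D", "%253Cscript%253E",
           "3c7363726970743e", "/index.html?page=2"]

if __name__ == "__main__":
    for v in SAMPLES:
        print(v, "->", *plan(v))
```

A step name that appears twice for one value (as with the third sample) indicates double encoding, which a single transformation of that type would not fully unwrap.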