WAF: Exclude all cookies from managed rule group

0

Hi there,

I'd like to prevent cookies from triggering rules in the AWS-managed SQL Injection rule set. By default, the ruleset seems to scan query parameters, body, and cookies, but cookies regularly contain URL-encoded strings and semicolons that cause tons of false-positives. For example, this request is blocked:

curl -H 'cookie: id=%22test%22;' https://example.com

Is there a way to make the WAF ignore cookies?

I've tried setting the rule action for "SQLi_COOKIE" to "allow", but it didn't work, requests are still blocked.

Mac C
已提問 5 個月前檢視次數 278 次
2 個答案
0

I was able to workaround the issue by using the "custom response" logic described here: https://repost.aws/knowledge-center/waf-managed-rules

Instead of blocking requests tagged with any tag in the whole "namespace" of all SQL injection rules (awswaf:managed:aws:sql-database), I configured it to only match on the body (awswaf:managed:aws:sql-database:SQLi_Body).

But this is a hack since the cookies are still scanned for SQL injection. I'd like to avoid scanning cookies all together, like ModSecurity's UpdateTargetById

Mac C
已回答 5 個月前
0

To prevent cookies from triggering rules in the AWS-managed SQL Injection rule set:

Identify the SQLi_COOKIE rule that is blocking requests containing cookies.

Edit the rule and set the action to ALLOW for that specific rule.

Save the changes to the rule group.

Setting the action to ALLOW for just the SQLi_COOKIE rule should allow requests containing cookies to pass, while still blocking for other rules like SQLi_BODY or SQLi_HEADER.

profile picture
專家
已回答 1 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南