How do I upload files that are blocked by AWS WAF?

Short description

To understand why AWS WAF might block a POST request, note the following points:

• AWS WAF _BODY managed rules inspect only the request body up to the body size limit for the web access control list (ACL). The limit is 8 KB for Regional web ACLs and 16 KB for Amazon CloudFront web ACLs. For CloudFront web ACLs, you can increase the limit up to 64 KB in your web ACL configuration.
• The SQL injection and cross-site scripting (XSS) rules are sensitive to files with random characters in their metadata. These random characters might invoke web ACL rules because of their similarity to an actual XSS or SQL injection signature in AWS WAF.

First, review the common rules that might block file uploads. If a common rule doesn't block the upload, then consider additional options to allow blocked files.
The following rules commonly block file uploads:

• CrossSiteScripting_BODY
• SQLi_BODY
• WindowsShellCommands_BODY
• GenericLFI_BODY
• SizeRestrictions_BODY

Resolution

File uploads blocked by SQLi_BODY and CrossSiteScripting_BODY rules

Check the terminatingRuleMatchDetails field in the AWS WAF comprehensive logs for the rule information.

Note: The terminatingRuleMatchDetails field populates only for SQLi_BODY and CrossSiteScripting_BODY attacks.

The following is an example of matchedData for CrossSiteScripting_BODY:

"terminatingRuleMatchDetails": [{
        "conditionType": "XSS",
        "location": "BODY",
        "matchedData": [
            "<?",
            "`"
        ]

The following is an example of matchedData for SQLi_BODY:

"terminatingRuleMatchDetails": [{
        "conditionType": "SQL_INJECTION",
        "location": "BODY",
        "matchedData": [
            ")",
            "*",
            "(",
            "0"
        ]

To address blocked uploads by SQLi_BODY or CrossSiteScripting_BODY, choose one of the following options:

Add well-known IP addresses to a safe list
If you know the IP address range that accesses the application, then add well-known IP addresses to a safe list rule with IP match conditions. For instructions, see Working with IP match conditions.

Use a safe list with a match condition
Use a safe list with a string or regular expression (regex) match condition to allow the request. You can create a safe list based on a URI, HTTP headers, or a phrase that's associated with the BODY of the AWS WAF files.

To create your safe list, create a new custom rule. This rules blocks XSS or SQLi vectors with an exception condition that's based on the matched data of valid request attributes for upload. Be sure to override the action for the specific rules inside the managed rule groups that cause the false positive: SQLi_BODY and CrossSiteScripting_BODY.

To create this custom rule, complete the following steps:

1. Open the AWS WAF console.
2. In the navigation pane, under AWS WAF, choose Web ACLs.
3. For Region, select the AWS Region where you created your web ACL.
   Note: Select Global if your web ACL is set up for Amazon CloudFront.
4. Select your web ACL. Then, in the web ACL Rules tab, choose Rules.
5. Choose Add Rules, and then choose Add my own rules and rule groups.
6. For Name, enter a rule name, and then choose Regular Rule.
7. For If a request, choose matches all the statements (AND).
8. Complete Statement 1 with the following fields:
   For Inspect, select Has a label.
   For Match scope, select Label.
   For Match key, enter the label for the rule that creates the false positive. For example, if the CrossSiteScripting_BODY rule creates the false positive, then enter awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body.
9. Complete Statement 2 with the following fields:
   Select the check box for Negate statement results.
   For Inspect, select Body.
   For Match type, select Contains string.
   For String to match, enter the value that you want to match to the rule.
10. (Optional) For Text transformation, choose a Text transformation or None.
11. For Action, choose Block. Then, choose Add rule.
12. For Set rule priority, move the rule below the managed rule group that blocks the request. This sets the managed rule label first for the rule group's inspection, before AWS WAF uses the label within the next rule priority.
13. Choose Save.

Important: It's a best practice to test rules in a non-production environment with the Action set to Count. To evaluate the rule, use Amazon CloudWatch metrics combined with AWS WAF sampled requests or AWS WAF logs. When the rule does what you want, change the Action to Block.

File uploads blocked by WindowsShellCommands_BODY, GenericLFI_BODY, or SizeRestrictions_BODY rules

Take an HTTP Archive (HAR) file when the file uploads. Then, review it for WindowsShellCommands_BODY, GenericLFI_BODY, or SizeRestrictions_BODY rules. For instructions, see How do I create a HAR file from my browser for an AWS Support case?

To allow the false positives for WindowsShellCommands_BODY, GenericLFI_BODY, or SizeRestrictions_BODY, first set the corresponding rule to Count mode. For instructions, see Overriding a rule group's evaluation result to Count.

Then, create a custom rule for the specific managed rule that causes the false positive:

1. Open the AWS WAF console.
2. In the navigation pane, under AWS WAF, choose Web ACLs.
3. For Region, select the AWS Region where you created your web ACL.
   Note: Select Global if your web ACL is set up for Amazon CloudFront.
4. Select your web ACL. Then, in the web ACL Rules tab, choose Rules.
5. Choose Add Rules, and then choose Add my own rules and rule groups.
6. For Name, enter a rule name, and then choose Regular Rule.
7. For If a request, choose matches all the statements (AND).
8. Complete Statement 1 with the following fields:
   For Inspect, select Has a label.
   For Match scope, select Label.
   For Match key, enter the label for the rule that creates the false positive. For example, if the WindowsShellCommands_BODY rule creates the false positive, then enter awswaf:managed:aws:windows-os:WindowsShellCommands_Body.
9. Complete Statement 2 with the following fields:
   Select the check box for Negate statement results.
   For Inspect, select URI path.
   For Match type, select Exactly matches string.
   For String to match, enter the URI path where requests are being made.
10. (Optional) For Text transformation, choose a Text transformation or None.
11. For Action, choose Block.
12. Choose Add rule.
13. For Set rule priority, move the rule below the managed rule that blocked the request.
14. Choose Save.

Important: It's a best practice to test rules in a non-production environment with the Action set to Count. Evaluate the rule with CloudWatch metrics combined with AWS WAF sampled requests or AWS WAF logs. When the rule does what you want, change the Action to Block.

Additional options to allow blocked files

Note: Rules process in the same order as their list order in the web ACL. For the following recommendations, be sure to reorder your rule priorities as needed.
Choose the best method for your use case:

• Apply selective exclusion with a string match rule statement (AWS WAF) or a string match condition (AWS WAF Classic). Add specific phrases that are associated with the BODY of the files to your safe list. If false positives occur on a certain URI path, then add the path to your safe list.
• Use a separate domain for file uploads. Be sure to consider if this is a cost-effective option for your use case.
• Scan (scrub) files and images for embedded code and data. You can perform this action on the client side before you upload the files. Or, if you create an exclusion rule, then you can perform this action on the backend after uploading the files.
• Compress files before you upload them.
  Caution: Make sure that you don't compress malicious files.
• If the upload happens from a range of known IP addresses, then add those IP addresses to your safe list.
• Use base64 encoding to encode all image data so that AWS WAF doesn't invoke XSS or SQLi on images.
  Caution: Be sure to avoid encoding malicious images.
• Implement image optimization techniques, such as chunk removal or randomization of bits.