How do I upload files that are blocked by AWS WAF?

Last updated: 2022-07-27

I need to upload (POST) a file that uses an extension that's blocked by AWS WAF. How do I upload files that are blocked by AWS WAF?

Short description

Consider the following to understand why a POST request is blocked by AWS WAF:

  • AWS WAF BODY filters inspect only the first 8,192 bytes of the payload of a POST request for malicious scripts.
  • The SQL injection and cross-site scripting (XSS) rules are sensitive to files that contain random characters in their metadata. These characters can trigger web ACL rules because they resemble an actual XSS or SQL injection signature in AWS WAF.

Filtering for specific file types isn't supported by AWS WAF. You must use other methods to eliminate false positives caused by uploading files or images.

First, review for common rules that block file uploads. If a common rule isn't blocking the upload, consider additional options for allowing blocked files.

The following common rules block file uploads:

  • CrossSiteScripting_BODY
  • SQLi_BODY
  • WindowsShellCommands_BODY
  • GenericLFI_BODY
  • SizeRestrictions_BODY

Resolution

File uploads blocked by SQLi_BODY and CrossSiteScripting_BODY rules

Check the terminatingRuleMatchDetails field in the AWS WAF comprehensive logs for the rule information. To turn on AWS WAF logging, see How do I turn on AWS WAF logging and send logs to CloudWatch, Amazon S3, or Kinesis Data Firehose?
Note: The terminatingRuleMatchDetails field populates only for SQLi_BODY and CrossSiteScripting_BODY attacks.

The following is an example of matchedData for CrossSiteScripting_BODY:

{
    "conditionType": "XSS",
    "location": "BODY",
    "matchedData": [
        "<?",
        "`"
    ]
}

The following is an example of matchedData for SQLi_BODY:

"terminatingRuleMatchDetails": [
    {
        "conditionType": "SQL_INJECTION",
        "location": "BODY",
        "matchedData": [
            ")",
            "*",
            "(",
            "0"
        ]
    }
]

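Before writing an allow rule, it helps to see which rule and which body fragments are actually stopping the uploads. The following triage script is an added example, not part of the original article: it reads AWS WAF log records (one JSON object per line, constructed samples embedded below using the log format's field names) and groups blocked POSTs to the upload path by terminating rule and condition type, tallying the matchedData fragments. The upload path and rule names are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample AWS WAF log records (one JSON object per line), trimmed to
# the fields this triage needs; field names follow the AWS WAF log format.
SAMPLE_LOG_LINES = [
    json.dumps({"action": "BLOCK",
                "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
                "httpRequest": {"uri": "/upload", "httpMethod": "POST"},
                "terminatingRuleMatchDetails": [
                    {"conditionType": "XSS", "location": "BODY",
                     "matchedData": ["<?", "`"]}]}),
    json.dumps({"action": "BLOCK",
                "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet",
                "httpRequest": {"uri": "/upload", "httpMethod": "POST"},
                "terminatingRuleMatchDetails": [
                    {"conditionType": "SQL_INJECTION", "location": "BODY",
                     "matchedData": [")", "*", "(", "0"]}]}),
    json.dumps({"action": "BLOCK",
                "terminatingRuleId": "AWS-AWSManagedRulesWindowsRuleSet",
                "httpRequest": {"uri": "/upload", "httpMethod": "POST"},
                "terminatingRuleMatchDetails": []}),  # empty for other rules
    json.dumps({"action": "ALLOW", "terminatingRuleId": "Default_Action",
                "httpRequest": {"uri": "/", "httpMethod": "GET"},
                "terminatingRuleMatchDetails": []}),
]


def summarize_blocked_uploads(log_lines, upload_path="/upload"):
    """Group blocked POSTs under upload_path by (uri, rule id, condition type).

    Each group holds a hit count and a Counter of the matchedData fragments, so
    you can see which characters in the file body set off the rule before
    writing an allow rule or scope-down statement."""
    summary = defaultdict(lambda: {"count": 0, "matched": Counter()})
    for line in log_lines:
        rec = json.loads(line)
        req = rec.get("httpRequest", {})
        if rec.get("action") != "BLOCK" or req.get("httpMethod") != "POST":
            continue
        if not req.get("uri", "").startswith(upload_path):
            continue
        rule_id = rec.get("terminatingRuleId", "?")
        # terminatingRuleMatchDetails is populated only for SQLi_BODY and
        # CrossSiteScripting_BODY; other rules leave it empty.
        details = rec.get("terminatingRuleMatchDetails") or [{"conditionType": "NONE"}]
        for d in details:
            group = summary[(req["uri"], rule_id, d["conditionType"])]
            group["count"] += 1
            group["matched"].update(d.get("matchedData", []))
    return dict(summary)
```

A group with condition type NONE means the block came from a rule that does not report match details, which is the case to investigate with a HAR capture rather than the log.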
To address blocked uploads by SQLi_BODY or CrossSiteScripting_BODY, choose one of the following options:

Option 1

Add well-known IP addresses to a safe list rule with IP Match conditions if the IP address range accessing the application is known. For instructions, see Working with IP match conditions.

Option 2

Use a safe list with a string or regex match condition to allow the request. You can create a safe list based on URI, HTTP headers, or a specific phrase associated with the Body of the files on AWS WAF.

To create a safe list based on matched data, do the following:

Add a scope-down statement to the specific AWS Managed Rule blocking your requests.

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. In the web ACL Rules tab, choose Rules.
  6. Choose Add Rules, and then choose Add my own rules and rule groups.
  7. For Name, enter a rule name, and then choose Regular Rule.
  8. For If a request, choose matches the statements.
  9. On Statement 1:
    For Inspect, choose Body.
    For Content type, choose Plain text or JSON.
    For Match type, choose Contains string.
    For String to match, enter the value you want to match to the rule.
  10. (Optional) For Text transformation, choose a Text transformation or None.
  11. For Action, choose Allow.
  12. Choose Add rule.
  13. For Set rule priority, move the rule below the AWS Managed Rule that was blocking the request.
  14. Choose Save.

Important: It’s a best practice to test rules in a non-production environment with the Action set to Count. Evaluate the rule using Amazon CloudWatch metrics combined with AWS WAF sampled requests or AWS WAF logs. When you're satisfied that the rule does what you want, change the Action to Allow.

File uploads blocked by WindowsShellCommands_BODY, GenericLFI_BODY, or SizeRestrictions_BODY rules

Capture an HTTP Archive (HAR) file while the file is being uploaded and review it for the WindowsShellCommands_BODY, GenericLFI_BODY, or SizeRestrictions_BODY rules. For instructions, see How do I create a HAR file from my browser for an AWS Support case? and follow the instructions in Create a HAR file in your browser.

To allow the false positives for WindowsShellCommands_BODY, GenericLFI_BODY, or SizeRestrictions_BODY, first set the corresponding rule to Count mode. For instructions, see Setting rule actions to count in a rule group.

Then, add a scope-down statement to the specific AWS Managed Rule blocking your requests.

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. In the web ACL Rules tab, choose Rules.
  6. Choose Add Rules, and then choose Add my own rules and rule groups.
  7. For Name, enter a rule name, and then choose Regular Rule.
  8. For If a request, choose matches all the statements (AND).
  9. On Statement 1:
    For Inspect, choose Has a label.
    For Match scope, choose Label.
    For Match key, enter the label for the rule creating the false positives. For example, enter awswaf:managed:aws:windows-os:WindowsShellCommands_Body if the WindowsShellCommands_BODY rule is creating the false positive.
  10. On Statement 2:
    Choose Negate statement results.
    For Inspect, choose URI path.
    For Match type, choose Exactly matches string.
    For String to match, enter the URI path where requests are being made.
  11. (Optional) For Text transformation, choose a Text transformation or None.
  12. For Action, choose Block.
  13. Choose Add rule.
  14. For Set rule priority, move the rule below the AWS Managed Rule that was blocking the request.
  15. Choose Save.
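The rule built in steps 1 to 15 above, expressed in WAFv2 API field names so it can be reviewed or reused outside the console. This is an added example, not code from the article or from AWS: build_label_exclusion_rule and rule_blocks are hypothetical helper names, and the upload path is an assumption; the label is the one named in step 9. rule_blocks simulates only the AND / NOT / label / URI-path logic of this rule, to show that a labelled request to the upload path passes while the same label on any other path is still blocked.

```python
# Hypothetical values for this example; use your own label and upload path.
LABEL = "awswaf:managed:aws:windows-os:WindowsShellCommands_Body"
UPLOAD_PATH = "/api/upload"


def build_label_exclusion_rule(label, uri_path, name="BlockLabelExceptUploads",
                               priority=10):
    """Block when the request carries `label` AND its URI path is NOT exactly
    `uri_path`. The managed rule that adds the label must already be in Count
    mode, otherwise it blocks before this rule is ever evaluated."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"AndStatement": {"Statements": [
            {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}},
            {"NotStatement": {"Statement": {"ByteMatchStatement": {
                "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "EXACTLY",
                "SearchString": uri_path,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }}}},
        ]}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


def rule_blocks(rule, uri_path, labels):
    """Simulate the rule against one request (its URI path and the set of
    labels that earlier rules attached). Handles only the statement types
    used by build_label_exclusion_rule; it is a sanity check, not the engine."""
    def match(stmt):
        if "AndStatement" in stmt:
            return all(match(s) for s in stmt["AndStatement"]["Statements"])
        if "NotStatement" in stmt:
            return not match(stmt["NotStatement"]["Statement"])
        if "LabelMatchStatement" in stmt:
            return stmt["LabelMatchStatement"]["Key"] in labels
        if "ByteMatchStatement" in stmt:
            bm = stmt["ByteMatchStatement"]
            assert bm["PositionalConstraint"] == "EXACTLY"
            return uri_path == bm["SearchString"]
        raise ValueError("unsupported statement: %s" % list(stmt))
    return "Block" in rule["Action"] and match(rule["Statement"])
```

Because Exactly matches string is used, a request to "/api/upload/" (trailing slash) or "/API/upload" does not match the exclusion and is still blocked, so test the real path your client sends in Count mode first.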

Important: It’s a best practice to test rules in a non-production environment with the Action set to Count. Evaluate the rule using Amazon CloudWatch metrics combined with AWS WAF sampled requests or AWS WAF logs. When you're satisfied that the rule does what you want, change the Action to Block.

Additional options for allowing blocked files

Note: Rules are processed in the order that they're listed in the web ACL. For the following recommendations, be sure to reorder your rule priorities as needed.

Choose the best method for your use case:

  • Apply selective exclusion with a string match rule statement (AWS WAF) or a string match condition (AWS WAF Classic). Add specific phrases associated with the BODY of the files to your safe list. If a URI has a certain path, add the path to your safe list.
  • Use a separate domain for file uploads. Be sure to consider whether this is a cost-effective option for your use case.
  • Scan (scrub) files and images of embedded code and data. You can perform this action on the client side before uploading the files. Or, if you need to create an exclusion rule, you can perform this action on the backend after uploading the files.
  • Compress files before uploading them.
    Caution: Confirm that you don't compress malicious files.
  • If the upload happens from a range of known IP addresses, add those IP addresses to your safe list.
  • Use base64 encoding. The image data is then fully encoded, so the AWS WAF XSS rule isn't triggered by the image bytes.
    Caution: Be sure to avoid encoding malicious images.
  • Implement image optimization techniques, such as chunk removal or randomization of bits.
