How do I upload files that are blocked by AWS WAF?
Last updated: 2021-02-22
I need to upload (POST) a file that uses an extension that's blocked by AWS WAF. How do I upload files that are blocked by AWS WAF?
Consider the following to understand why a POST request is blocked by AWS WAF:
- AWS WAF BODY filters inspect only the first 8,192 bytes of the payload of a POST request for malicious scripts.
- The SQL injection and cross-site scripting (XSS) rules are sensitive to files whose metadata contains seemingly random byte sequences. Those byte sequences can trigger web access control list (web ACL) rules because they resemble an actual XSS or SQL injection payload.
Filtering for specific file types isn't supported by AWS WAF. You must use other methods to eliminate false positives caused by uploading files or images.
Note: Rules are processed in the order that they're listed in the web ACL. For the following recommendations, be sure to reorder your rule priorities as needed.
Choose the best method for your use case:
- Apply selective exclusion with a string match rule statement (AWS WAF) or a string match condition (AWS WAF Classic). Add specific strings that appear in the BODY of legitimate uploads to your safe list. If the uploads go to a specific URI path, add that path to your safe list.
- Use a separate domain for file uploads. Be sure to consider whether this is a cost-effective option for your use case.
- Scan files and images and scrub them of embedded code and data. You can do this on the client side before uploading the files. Or, if you need to create an exclusion rule, you can do this on the backend after uploading the files.
- Compress files before uploading them.
Caution: Confirm that you don't compress malicious files.
- If the upload happens from a range of known IP addresses, add those IP addresses to your safe list.
- Use base64 encoding. Because the image data is encoded, the request body no longer contains the byte patterns that the XSS rules match on, so AWS WAF can't trigger XSS on images.
Caution: Be sure to avoid encoding malicious images.
- Implement image optimization techniques, such as chunk removal or randomization of bits.
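The selective exclusion option and the note about rule priorities, as an added example that is not part of the original article or of any AWS code. It builds a narrow allow rule in the wafv2 Rule shape that boto3's update_web_acl accepts (a POST to a known upload path prefix) and then checks that the rule is ordered ahead of the rules that produce the false positives. The path prefix "/upload" and the rule names SQLiRule and XSSRule are constructed placeholders; the block does not call AWS and runs offline.

```python
"""
Narrow AWS WAF (wafv2) allow rule for a known upload path, plus a priority-order
check. Added example; rule names and the path prefix below are placeholders.
"""
from __future__ import annotations


def build_upload_allow_rule(path_prefix: str, priority: int,
                            name: str = "AllowKnownUploadPath") -> dict:
    """Return a wafv2 Rule dict that allows POST requests whose URI path starts
    with `path_prefix`.

    An Allow action ends evaluation for matching requests, so no later rule
    inspects them. Keep the match as narrow as possible: a specific path prefix
    and the POST method, never "/" on its own.
    """
    if not path_prefix.startswith("/") or path_prefix == "/":
        raise ValueError("path_prefix must be a specific path such as /upload")

    path_match = {
        "ByteMatchStatement": {
            "SearchString": path_prefix.encode(),
            "FieldToMatch": {"UriPath": {}},
            # Normalize "./" and "../" segments so encoded variants of the path
            # are compared in their canonical form.
            "TextTransformations": [{"Priority": 0, "Type": "NORMALIZE_PATH"}],
            "PositionalConstraint": "STARTS_WITH",
        }
    }
    method_match = {
        "ByteMatchStatement": {
            "SearchString": b"POST",
            "FieldToMatch": {"Method": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "EXACTLY",
        }
    }
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"AndStatement": {"Statements": [path_match, method_match]}},
        "Action": {"Allow": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def check_rule_order(rules: list[dict], allow_rule_name: str,
                     inspecting_rule_names: set[str]) -> list[str]:
    """Return the names of inspecting rules that AWS WAF would evaluate before
    the allow rule (wafv2 evaluates rules in ascending Priority).

    An empty list means the allow rule runs first and the exclusion takes
    effect; any name returned needs its priority reordered.
    """
    by_name = {r["Name"]: r["Priority"] for r in rules}
    allow_priority = by_name[allow_rule_name]
    return sorted(n for n in inspecting_rule_names
                  if n in by_name and by_name[n] < allow_priority)


# Constructed sample: the two rules in an existing web ACL that block uploads.
SAMPLE_RULES = [
    {"Name": "SQLiRule", "Priority": 10},
    {"Name": "XSSRule", "Priority": 20},
]

if __name__ == "__main__":
    allow = build_upload_allow_rule("/upload", priority=5)
    print("evaluated before allow rule:",
          check_rule_order(SAMPLE_RULES + [allow], allow["Name"], {"SQLiRule", "XSSRule"}))
    late = build_upload_allow_rule("/upload", priority=30)
    print("evaluated before allow rule:",
          check_rule_order(SAMPLE_RULES + [late], late["Name"], {"SQLiRule", "XSSRule"}))
```

The generated dict is what you would pass in the Rules list of an update_web_acl call; because the allow rule skips every later rule for matching requests, the cautions in the list above (scrubbing or scanning on the backend) apply to everything that arrives on that path.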
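The base64 option and its caution, as an added example that is not part of the original article. The client side wraps the raw image bytes as base64 inside a JSON body, so the body on the wire consists only of the base64 alphabet and no longer carries the raw byte patterns the XSS and SQL injection rules match on (unless a rule applies a base64-decode text transformation). The server side decodes the field and checks the result against the image signatures it accepts before storing anything, which is the check the caution asks for. The size limit, the accepted types and the sample inputs are constructed for this example.

```python
"""
Base64-wrapped image upload with server-side validation. Added example; the
size limit and accepted types are placeholders for your own policy.
"""
from __future__ import annotations

import base64
import json
import re

MAX_DECODED_BYTES = 5 * 1024 * 1024          # placeholder policy limit
FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Leading bytes (magic numbers) of the image types this endpoint accepts.
IMAGE_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}


def build_upload_body(filename: str, data: bytes) -> str:
    """Client side: encode the raw bytes so the POST body contains only JSON
    punctuation and base64 characters."""
    return json.dumps({
        "filename": filename,
        "content_b64": base64.b64encode(data).decode("ascii"),
    })


def sniff_image_type(data: bytes) -> str | None:
    """Return the MIME type whose signature the bytes start with, else None."""
    for mime, signature in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


def receive_upload(body: str) -> tuple[str, bytes]:
    """Server side: decode and validate the upload.

    Raises ValueError for anything that is not a well-formed, size-bounded,
    recognised image, so that encoding never becomes a way to smuggle other
    content past the backend.
    """
    doc = json.loads(body)
    filename = doc.get("filename", "")
    if not FILENAME_RE.match(filename):
        raise ValueError("unacceptable filename")

    encoded = doc.get("content_b64", "")
    # Bound the decoded size before decoding so a huge field cannot exhaust memory.
    if len(encoded) * 3 // 4 > MAX_DECODED_BYTES:
        raise ValueError("payload too large")
    try:
        data = base64.b64decode(encoded, validate=True)   # rejects non-alphabet chars
    except ValueError as exc:                             # binascii.Error subclasses ValueError
        raise ValueError("invalid base64") from exc

    mime = sniff_image_type(data)
    if mime is None:
        raise ValueError("not an accepted image type")
    return mime, data


if __name__ == "__main__":
    # Constructed sample: a PNG signature followed by filler bytes.
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    body = build_upload_body("photo.png", sample_png)
    print("body contains '<' or \"'\":", "<" in body or "'" in body)
    print(receive_upload(body)[0])
```

Extensions of the same idea: reject files whose decoded size differs from a declared length, or pass the decoded bytes to an image library that re-encodes them, which is the "chunk removal" optimization the last bullet describes.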