了解为什么 amazon waf 阻止请求
我的网络应用程序有一个接受 html 的表单。
浏览器发送带有 json 正文和以下格式的 HTTP/PUT ajax 调用:
{
"de": "",
"en": "<p>Evil Corp will process the Data that is strictly necessary\\nand reserves the right to delete or anonymize immediately any Data that\\nis not necessary.</p>\\n<p>from</p>",
"es": "",
"fr": "",
"it": ""
},
"notes": {
"de": "",
"en": "",
"es": "",
"fr": "",
"it": ""
}
}
当内容包含以下字符串时,我的 AWS WAF 出现问题:
<p>Evil Corp will process the Data that is strictly necessary
and reserves the right to delete or anonymize immediately any Data that
is not necessary.</p>
<p>from</p>
WAF 返回 403 错误并且请求被拒绝。
如果内容包含其他字符串,我没有问题,例如:
<p>Evil Corp will process the Data that is strictly necessary
and reserves the right to delete or anonymize immediately any Data that
is not necessary.</p>
<p>hello world</p>
两者都被认为是我的应用程序的有效内容。
WAF 配置如下:AWS Classic WAF 的“AWS WAF 的网络安全云托管规则 -HighSecurity OWASP Set-”。
我想了解:
- 阻止请求的规则是什么?
- 为什么此内容被认为是危险的?
- 我可以将我的请求转换为 AWS WAF 可接受的方式吗?
- 我可以配置 AWS WAF 以使其接受此类内容吗?
My web application has a form which accepts html.
The browser sends an HTTP/PUT ajax call with a json body and this format:
{
"de": "",
"en": "<p>Evil Corp will process the Data that is strictly necessary\\nand reserves the right to delete or anonymize immediately any Data that\\nis not necessary.</p>\\n<p>from</p>",
"es": "",
"fr": "",
"it": ""
},
"notes": {
"de": "",
"en": "",
"es": "",
"fr": "",
"it": ""
}
}
I have a problem with the AWS WAF, when the content contains the following string:
<p>Evil Corp will process the Data that is strictly necessary
and reserves the right to delete or anonymize immediately any Data that
is not necessary.</p>
<p>from</p>
The WAF returns 403 error and the request is rejected.
I have no problem if the content contains other strings, such as:
<p>Evil Corp will process the Data that is strictly necessary
and reserves the right to delete or anonymize immediately any Data that
is not necessary.</p>
<p>hello world</p>
Both are considered valid contents for my application.
The WAF is configured as follows: AWS Classic WAF's "Cyber Security Cloud Managed Rules for AWS WAF -HighSecurity OWASP Set-".
I'd like to understand:
- which is the rule which blocks the request?
- why is this content considered dangerous?
- can I transform my request in a way that make it acceptable for AWS WAF?
- can I configure the AWS WAF to make it accept this kind of content?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您是否在 AWS WAF WebACL 上启用了访问日志记录?
启用后,您可以在日志中获取哪个规则阻止了您的内容的信息。然后,您可以回答以下问题。
这是您的参考:
https://docs.aws.amazon.com/waf/ latest/developerguide/logging-management.html
https://docs.aws.amazon.com/waf/最新/developerguide/classic-logging.html
Have you enabled the access logging on your AWS WAF WebACL?
Once you enable it, you can get the information inside the log that which rule has blocked your content. Then, you can answer your following questions.
Here is your reference:
https://docs.aws.amazon.com/waf/latest/developerguide/logging-management.html
https://docs.aws.amazon.com/waf/latest/developerguide/classic-logging.html