Forum Discussion

tbriot
Sep 18, 2019

AWS F5 Managed WAF rules not blocking simple SQL injection

We have subscribed to the "F5 Rules for AWS WAF - API Security Rules". Product page: https://aws.amazon.com/marketplace/pp/B07M948X2H.

A Web ACL has been created in our AWS account using this group of rules. It has been then associated to an API published on the Amazon API Gateway.

For some reason, even basic SQL injections are not blocked. For instance, a request with a url-encoded string like ' OR '1'='1 (see https://en.wikipedia.org/wiki/SQL_injection) in the query string is not blocked.

Switching to a group of rules managed by a competitor (Fortinet) resolved our problem. We are surprised the F5 rules are so permissive. Maybe we are missing something. Any thoughts? Thank you.


Related question: https://devcentral.f5.com/s/feed/0D51T00006i7iONSAY

  • I spoke with our (F5) technical support team, and the consensus is that there are established channels for AWS Support to contact and work with F5 Support to resolve issues such as yours. The recommendation is for you to contact AWS Support again and ask to have your issue escalated. The escalation process should drive the necessary communication between AWS and F5. Please let me know how this goes for you.

  • Is it possible your F5 RuleGroups were not configured to block but rather to just count violations? Per K21015971:


    Configuring RuleGroups

    You configure a RuleGroup with one of two Action values: Block or Count. When a RuleGroup Action is set to Block, it blocks traffic, and when it is set to Count, the following behaviors occur:

    • Traffic is allowed to pass through AWS WAF, even when the traffic matches the conditions of a rule.
    • Traffic that matches the conditions of a RuleGroup generates CloudWatch metrics, which you can use for troubleshooting.
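The Count-versus-Block check above is the first thing to verify before concluding that a managed rule group is permissive. As an added example (not code from this thread, from F5 or from AWS), here is a small Python script that reads the JSON that `aws waf-regional get-web-acl --web-acl-id <id>` returns and lists every entry whose matches are only counted, so traffic is allowed and the only trace is a CloudWatch metric. The sample document is constructed; the field names follow the WAF Classic API as I understand it (a `GROUP` entry carries an `OverrideAction` of `COUNT` or `NONE`, other entries carry their own `Action`), and every id and name is a placeholder. The `probe_query_string` helper only URL-encodes the `' OR '1'='1` string from the question, so that each rule set being compared is sent exactly the same bytes.

```python
"""Flag count-only entries in an AWS WAF Classic WebACL description."""
import json
import sys
import urllib.parse

# Constructed sample in the shape of `aws waf-regional get-web-acl` output.
# Assumption: WAF Classic field names; all ids/names below are made up.
SAMPLE_WEB_ACL = {
    "WebACL": {
        "WebACLId": "00000000-placeholder-web-acl",
        "Name": "api-gateway-acl",
        "DefaultAction": {"Type": "ALLOW"},
        "Rules": [
            {"Priority": 1, "RuleId": "11111111-placeholder-managed-group",
             "Type": "GROUP", "OverrideAction": {"Type": "COUNT"}},
            {"Priority": 2, "RuleId": "22222222-placeholder-managed-group",
             "Type": "GROUP", "OverrideAction": {"Type": "NONE"}},
            {"Priority": 3, "RuleId": "33333333-placeholder-rate-rule",
             "Type": "RATE_BASED", "Action": {"Type": "BLOCK"}},
        ],
    }
}


def entry_action(rule):
    """Return the action that applies to a WebACL entry.

    A GROUP entry (a managed rule group) has no Action of its own: its
    OverrideAction is COUNT (every rule in the group is count-only) or NONE
    (each rule in the group applies its own action). Other entries carry
    an Action of BLOCK, ALLOW or COUNT.
    """
    if rule.get("Type") == "GROUP":
        return rule["OverrideAction"]["Type"]
    return rule["Action"]["Type"]


def count_only_rules(web_acl_doc):
    """RuleIds whose matches are only counted, in priority order."""
    rules = sorted(web_acl_doc["WebACL"]["Rules"], key=lambda r: r["Priority"])
    return [r["RuleId"] for r in rules if entry_action(r) == "COUNT"]


def default_action(web_acl_doc):
    """What happens to a request that matches no enforced rule."""
    return web_acl_doc["WebACL"]["DefaultAction"]["Type"]


def probe_query_string(param, payload):
    """URL-encode a test value as a query-string parameter, the way a client
    would send it, so every rule set under comparison sees identical bytes."""
    return urllib.parse.urlencode({param: payload})


def report(web_acl_doc):
    """Human-readable summary of the enforcement state of the WebACL."""
    acl = web_acl_doc["WebACL"]
    lines = [f"WebACL {acl['Name']}: default action {default_action(web_acl_doc)}"]
    counted = count_only_rules(web_acl_doc)
    if counted:
        lines.append("COUNT-only entries (traffic passes; CloudWatch metrics only):")
        lines.extend(f"  - {rule_id}" for rule_id in counted)
    else:
        lines.append("No COUNT-only entries; every match is enforced.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the path of a saved `get-web-acl` JSON file, or run without
    # arguments to see the report for the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            document = json.load(fh)
    else:
        document = SAMPLE_WEB_ACL
    print(report(document))
    print("test query string:", probe_query_string("id", "' OR '1'='1"))
```

Run it against the saved output of your own WebACL; if the managed group shows up under the COUNT-only list, matches are being recorded in CloudWatch but never blocked, which would explain exactly the symptom described in the question without any defect in the rules themselves.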


  • K21015971 indicates you must contact AWS support on AWS WAF issues such as this. I recommend that as your best starting point, and trust they will be able to help you.

    • tbriot

      Thank you. We will contact the AWS support.

      • tbriot

        AWS support advised us to contact the F5 Support. According to them the issue is coming from F5's rules. To be honest, it makes a lot of sense.

        Can we have any support please?


        -------------------------------------------------

        Here is the response from AWS:


        "I am really surprised that both these F5 Rules are not blocking a basic SQLi attack. However, I am glad that you have conducted this vulnerability assessment before deploying the managed rules in production. If the managed rules have not passed the vulnerability assessment, I would recommend not using them in production.


        Just as an additional check of the SQLi query string, I conducted a simulation of the SQLi attack using the AWS WAF Security Automations template [1][2]. This is a solution that automatically deploys a WAF solution with preconfigured rules for the most common attacks.


        Using the same query string that you provided me, the SQLi attack was also blocked by the automatically generated AWS WAF rules. This corroborates your observation that the Fortinet Managed Rules for AWS WAF - API Gateway is also able to block the SQLi attack.


        Given that the other two solutions are able to block the same attack while the F5 Rules are not able to block the attack, I can only conclude that there is something wrong with the F5 Rules, and I would recommend contacting F5 support with this information and request that they investigate both of these rules. If I had some visibility into the F5 rules, I would have done some further investigation, however, the rules are protected and only F5 can see what each rule in the rulegroup is doing.


        I hope that this information has been helpful and I wish I could investigate the F5 rules further, however, these are 3rd party managed rules that I do not have access to investigate.


        If you have any queries or require further information, please do not hesitate to contact me and I will be very happy to assist you.


        Have a pleasant day.


        References:


        [1] AWS WAF Security Automations - https://aws.amazon.com/solutions/aws-waf-security-automations/

        [2] Automated Deployment - https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/deployment.html "

  • I am checking to see how best to connect you with the appropriate support mechanisms. I should have an answer shortly.

  • We have reopened the case on the AWS side, mentioning the escalation process you are referring to. Wait and see...

    • crodriguez (Ret. Employee)

      Were you able to get your issue resolved? A couple of us here at F5 are curious.

  • Any luck? I am exploring the AWS WAF F5 managed rules and am curious to see how the 'shared support model' is working out for customers.

    • crodriguez (Ret. Employee)

      Good question, Jeff. Were you able to get your issue resolved, tbriot?

      • tbriot

        My issue is still not resolved. A lot of back-and-forth between F5 and AWS support teams. Now the ball is in AWS Support's court.

        It's been a month now since we first contacted both support teams. Since we had to move fast, we switched to a competitor... whose rules for AWS WAF are working fine for us.