For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

tbriot's avatar
tbriot
Icon for Altocumulus rankAltocumulus
Sep 18, 2019

AWS F5 Managed WAF rules not blocking simple SQL injection

We have subscribed to the "F5 Rules for AWS WAF - API Security Rules". Product page: https://aws.amazon.com/marketplace/pp/B07M948X2H. A Web ACL has been created in our AWS account using this group ...
aws
F5 Rules for AWS WAF
security
tbriot's avatar
tbriot
Icon for Altocumulus rankAltocumulus
Sep 23, 2019

Thank you. We will contact the AWS support.

tbriot's avatar
tbriot
Icon for Altocumulus rankAltocumulus
Sep 30, 2019

AWS support advised us to contact the F5 Support. According to them the issue is coming fromt F5's rules. To be honest, it makes a lot of sense.

Can we have any support please ?

 

-------------------------------------------------

Here is the response from AWS:

 

"I am really surprised that both these F5 Rules are not blocking a basic SQLi attack. However, I am glad that you have conducted this vulnerability assessment before deploying the managed rules in production. If the managed rules have not passed the vulnerability assessment, I would recommend not using them in production.

 

Just as an additional check of the SQLi query string, I conducted a simulation of the SQLi attack using the AWS WAF Security Automations template [1][2]. This is a solution that automatically deploys a WAF solution with preconfigured rules for the most common attacks.

 

Using the same query string that you provided me, the SQLi attack was also blocked by the automatically generated AWS WAF rules. This collaborates your observation that the Fortinet Managed Rules for AWS WAF - API Gateway is also able to block the SQLi attack.

 

Given that the other two solution are able to block the same attack while the F5 Rules are not able to block the attack, I can only conclude that there is a something wrong with the F5 Rules, and I would recommend contacting F5 support with this information and request that they investigate both of these rules. If I had some visibility into the F5 rules, I would have done some further investigation, however, the rules are protected and only F5 can see what each rule in the rulegroup is doing.

 

I hope that this information has been helpful and I wish I could investigate the F5 rules further, however, these are 3rd party managed rules that I do not have access to investigate.

 

If you have any queries or require further information, please do not hesitate to contact me and I will be very happy to assist you.

 

Have a pleasant day.

 

References:

 

[1] AWS WAF Security Automations - https://aws.amazon.com/solutions/aws-waf-security-automations/

[2] Automated Deployment - https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/deployment.html "