Forum Discussion

a-vg-ops's avatar
a-vg-ops
Icon for Nimbostratus rankNimbostratus
Aug 25, 2022

AWS WAF ruleset OWASP_Managed rule SSRF_attempt_AllQueryArguments_Body

In our Amazon project, WAF blocks legitimate requests according to the rule_SSRF_attempt_AllQueryArguments_Body rule. How can I find out the reasons and allow traffic to pass without affecting secur...
cloud
Heath_Parrott's avatar
Heath_Parrott
Icon for Employee rankEmployee

If you export the AWS WAF logs to a log_group you can get detailed information about what happend.  Look for the terminating rule ID, you can then disable the rule within the rule group.   On the question of not impacting security, the rules are created off know good (reliable signatures) so by disabling a rule to allow traffic that matches a known good signature you will also allow bad actors that are attempting to use that signature.  You will need to ensure that your applicaition and supporting infrastructure are appropriatley hardened to mitigate the risk of allow the traffic. 

{ "ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet", "terminatingRule": { "ruleId": "JavaDeserializationRCE_HEADER", "action": "BLOCK", "ruleMatchDetails": null }, "nonTerminatingMatchingRules": [ { "ruleId": "JavaDeserializationRCE_HEADER_RC_COUNT", "action": "COUNT", "ruleMatchDetails": []
a-vg-ops's avatar
a-vg-ops
Icon for Nimbostratus rankNimbostratus
Aug 26, 2022

Thank you very much for the answer. Log Output : 

{ "ruleGroupId": AWS#AWSManagedRulesBotControlRuleSet",  "terminatingRule": null,  "nonTerminatingMatchingRules": [],        "excludedRules": null, "ruleActionOverrides": null }, {"ruleGroupId": AWS#AWSManagedRulesKnownBadInputsRuleSet", "terminatingRule": null,            "nonTerminatingMatchingRules": [], "excludedRules": null,  "ruleActionOverrides": null },   { "ruleGroupId": "F5#OWASP_Managed",  "terminatingRule": { "ruleId": "rule_SSRF_attempt_AllQueryArguments_Body",             "action": "BLOCK", "ruleMatchDetails": null  },  "nonTerminatingMatchingRules": [],  "excludedRules": null,             "ruleActionOverrides": null }

We cannot disable the rule, as this will affect the security of the system. What do we need to do to set up traffic flow?
We can provide the details of the http request.