Chisato_Horimiz
Nov 24, 2021

Detail of AWS WAF - Web Exploits Rules by F5's Rule

When we upload the Excel file, it is blocked by Web Exploits Rules by F5's Rule.

 

Please see the WAF log below.

-----------------------------------------------------------------------

{"timestamp":1637571625959,
"formatVersion":1,
"webaclId":"9e22227d-1fba-4844-a34b-43d35b20b2ae",
"terminatingRuleId":"8b270c08-5d30-4940-a5bb-02e74c11b38f",
"terminatingRuleType":"GROUP",
"action":"BLOCK",
"terminatingRuleMatchDetails":[],
"httpSourceName":"ALB",
"httpSourceId":"XXXXXXXXX-app/XXXXXXXXServer/XXXXXXXXXXXXXXXXXXX",
"ruleGroupList":[{"ruleGroupId":"8b270c08-5d30-4940-a5bb-02e74c11b38f",
"terminatingRule":{"ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36",
"action":"BLOCK",
"ruleMatchDetails":null},
"nonTerminatingMatchingRules":[],
"excludedRules":null}],
"rateBasedRuleList":[],
"nonTerminatingMatchingRules":[],
"requestHeadersInserted":null,
"responseCodeSent":null,
"httpRequest":{"clientIp":"XX.XXX.XX.XXX",
"country":"JP",
"headers":[{"name":"host",
"value":"xxxxxxxxxxxxxxxxxxxx.com"},
{"name":"content-length",
"value":"512302"},
{"name":"sec-ch-ua",
"value":"\"Google Chrome\";v=\"95\", \"Chromium\";v=\"95\", \";Not A Brand\";v=\"99\""},
{"name":"accept",
"value":"application/json, text/javascript, */*; q=0.01"},
{"name":"content-type",
"value":"multipart/form-data; boundary=----WebKitFormBoundaryN8QBl8AUNfmYGqws"},
{"name":"x-requested-with",
"value":"XMLHttpRequest"},
{"name":"sec-ch-ua-mobile",
"value":"?0"},
{"name":"user-agent",
"value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"},
{"name":"sec-ch-ua-platform",
"value":"\"Windows\""},
{"name":"origin",
"value":"https://xxxxxxxxxxxxxxxxxxxxxxxxx.com "},
{"name":"sec-fetch-site",
"value":"same-origin"},
{"name":"sec-fetch-mode",
"value":"cors"},
{"name":"sec-fetch-dest",
"value":"empty"},
{"name":"referer",
"value":"https://xxxxxxxxxxxxxxxxxxxxx.com/xxxxx/xxxxxxx/xxxxxxxxx/xxxx"},
{"name":"accept-encoding ",
"value":"gzip, deflate, br"},
{"name":"accept-language",
"value":"ja,en-US;q=0.9,en;q=0.8"},
{"name":"cookie",
"value":"JSESSIONID=04DE9DEA76FDF48733FE23D7F5029B43; MP_PORTAL_SID=xxxxxxxxxxxxxxx; AWSALBTG=xxxxxx/xxxxxxxx; AWSALBTGCORS=xxxxxxxxx"}],
"uri":"/xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxxx/xxxxxxxx",
"args":"",
"httpVersion":"HTTP/2.0",
"httpMethod":"POST",
"requestId":"1-619b5c29-13a199306dd99bbd6753a9c9"}}

-----------------------------------------------------------------------

 

 

Then, when we add "ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36" to the WAF as a whitelist entry, the Excel file is not blocked and is uploaded successfully.

So we assume that it blocks the Excel file.

 

What is the "ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36"?

Could you let us know the details of this ruleId?

Can we know what is wrong with the Excel file?

 

Thanks.

  • You can download a file here that lists the ID and the type of attack:

    https://devcentral.f5.com/s/articles/f5-rules-for-aws-waf-rule-id-to-attack-type-reference-33105

    For c0ae2d87-48f1-4813-9e91-3e723f8d7b36, that is Server Side Code Injection.

    So there is probably something inside the Excel file that looks like a server-side code injection, which I can imagine for files, as they can contain all kinds of text that trigger something like that.

    Perhaps someone from the AWS WAF team can provide more details.

    • jason_dang

      Hi Boneyard,

      I tried to download the CSV file, but it failed to open because of an interruption.
      Can you please help me to identify the content of ruleGroupID: 863ec017-6edf-44c1-9995-9db6eaf817f1 and ruleID: 8516ab57-0a98-425c-8710-3fef0d7352ca?

      My app is blocked by that rule. I'd like to know its content so that I can fix it.

      Regards,
      Jason
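
The lookup discussed in this thread, as an added example that is not part of any post above: it reads AWS WAF log lines shaped like the one in the question, pulls the inner rule ID out of `ruleGroupList[].terminatingRule` when a managed rule group blocked the request, and labels it with an attack type. The function names and the trimmed sample lines are constructed for illustration; the only ID-to-type mapping included is the one stated in the reply, and other IDs report as "unknown" until the table is filled from the F5 reference file.

```python
import json
from collections import Counter
# The only ID-to-attack-type mapping stated in this thread; extend it from the F5 reference file.
RULE_ATTACK_TYPES = {"c0ae2d87-48f1-4813-9e91-3e723f8d7b36": "Server Side Code Injection"}

def _rec(action, rtype, group_id, rule_id, ctype):
    """Build a constructed, trimmed log line with the same fields as the record in the question."""
    groups = [{"ruleGroupId": group_id, "terminatingRule":
               {"ruleId": rule_id, "action": "BLOCK", "ruleMatchDetails": None}}]
    return json.dumps({"action": action, "terminatingRuleType": rtype,
                       "terminatingRuleId": group_id if rule_id else "Default_Action",
                       "ruleGroupList": groups if rule_id else [],
                       "httpRequest": {"headers": [{"name": "content-type", "value": ctype}]}})

SAMPLE_LOG = [  # constructed sample input, not real traffic
    _rec("BLOCK", "GROUP", "8b270c08-5d30-4940-a5bb-02e74c11b38f", "c0ae2d87-48f1-4813-9e91-3e723f8d7b36", "multipart/form-data; boundary=----x"),
    _rec("ALLOW", "REGULAR", None, None, "text/html"),
    _rec("BLOCK", "GROUP", "863ec017-6edf-44c1-9995-9db6eaf817f1", "8516ab57-0a98-425c-8710-3fef0d7352ca", "application/json"),
]

def header(record, name):
    """Case-insensitive lookup in the name/value header list; tolerates stray spaces in names."""
    for h in record.get("httpRequest", {}).get("headers") or []:
        if h.get("name", "").strip().lower() == name:
            return h.get("value")
    return None

def blocking_rule(record):
    """Return (rule_group_id, rule_id) for a BLOCKed request, or None if it was not blocked."""
    if record.get("action") != "BLOCK":
        return None
    if record.get("terminatingRuleType") != "GROUP":
        # Rule defined directly in the web ACL: there is no inner rule ID to resolve.
        return (None, record.get("terminatingRuleId"))
    for group in record.get("ruleGroupList") or []:
        term = group.get("terminatingRule")
        if term and term.get("action") == "BLOCK":
            return (group.get("ruleGroupId"), term.get("ruleId"))
    return (record.get("terminatingRuleId"), None)

def triage(lines, attack_types=RULE_ATTACK_TYPES):
    """Count blocks per (group ID, rule ID, attack type, body kind) to spot upload false positives."""
    summary = Counter()
    for rec in (json.loads(l) for l in lines if l.strip()):
        hit = blocking_rule(rec)
        if hit:
            ctype = (header(rec, "content-type") or "").lower()
            kind = "multipart" if ctype.startswith("multipart/form-data") else "other"
            summary[(*hit, attack_types.get(hit[1], "unknown"), kind)] += 1
    return summary
```

A rule that only ever appears with the "multipart" kind on known upload endpoints is a candidate for a narrowly scoped exclusion rather than disabling it for the whole web ACL.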