False Positive on AWS WAF F5 Managed Rule F5#OWASP_Managed#rule_div_tag__behavior__Parameter__AllQueryArguments_Body

Hi there!

Unlike traditional, full blown WAF security solutions, the content of F5 rules is not visible and cannot be viewed.

We have the rule. The next step is to Get better details of the http request that was blocked. Can you paste the HTTP request that was blocked? We need more details than the info above. We will confirm whether the rule blocked a true malicious request or not. If needed, we may then suggest on policy adjustments.

in addition to the HTTP request, can you supply the signature ID, example 200002747 so we can look at the rule on the backend?

From the description 'a div tag with a base64 encoded image.' This is a false positive based on the Attack signature regular expression matching on a random string in the bas64 string. You can disable that specific attack signature, but since you cannot control what string occurs when an image is converted to base 64, it would be difficult to prevent. We could give you more info with an example of the request.

The AWS WAF as a whole is not made well to deal with false positives and it can't replace F5 for critical sites. In the AWS WAF GUI overview logs for AWS waf you just see the request without any highlights about what part causes the issue and the only workaround is you to set the action to 'count'' for the subrule group t hat makes a security hole or create a custom allow rule with higher priority but as you don't know from the logs exactly what part of the request causes the false positive and you can't directly view the F5 AWS WAF rules or the Native AWS WAF rules you are making the custom allow rule hoping you are not making a security hole.