Forum Discussion

kepler's avatar
kepler
Icon for Nimbostratus rankNimbostratus
Aug 30, 2023

Help with investigating the cause for blocked request

Hi,
We are subscribed to F5 Rules for AWS WAF - Web exploits OWASP Rules via AWS Marketplace and use it for our WAF config.

We see some requests are getting blocked and see which rule triggers it. However it is not clear from the log what is exactly the reason for this. I suspect it is because of the size of the body of the request.

Please help understanding the exact reason and what can we do to fix it.

Log entry:
{
"timestamp": 1693206543488,
"formatVersion": 1,
"webaclId": "",
"terminatingRuleId": "F5-OWASP",
"terminatingRuleType": "MANAGED_RULE_GROUP",
"action": "BLOCK",
"terminatingRuleMatchDetails": [
{
"conditionType": "REGEX",
"location": "BODY",
"matchedData": null
}
],
"httpSourceName": "ALB",
"httpSourceId": "",
"ruleGroupList": [
{
"ruleGroupId": "F5#OWASP_Managed",
"terminatingRule": {
"ruleId": "rule_XSS_script_tag__Parameter__AllQueryArguments_Body",
"action": "BLOCK",
"ruleMatchDetails": null
},
"nonTerminatingMatchingRules": [],
"excludedRules": null,
"customerConfig": null
}
],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": { redacted },
"oversizeFields": [
"REQUEST_BODY"
],
"requestBodySize": 49642,
"requestBodySizeInspectedByWAF": 8192
}

  • The ruleid _XSS_script_tag__Parameter__AllQueryArguments_Body suggests a XSS script tag detected (> or < signs), could you check your request payload and confirm that?

    • kepler's avatar
      kepler
      Icon for Nimbostratus rankNimbostratus

      Hi Amine_Kadimi ,

      Thanks for reply.

      Yes the body of the request has "<>" because it's an xml.

      What's the best way to exclude it and do you have any documentation on what exactly is checked by your rules?

      Thanks!