Forum Discussion
Giridharan_2650
Nimbostratus
Apr 19, 2018
AWS F5 Managed WAF rules not blocking the vulnerabilities
We have subscribed to the AWS Managed WAF rules in our AWS instance and attached it to a WEB ACL and ALB for testing. The default condition for the Rule Set is configured to block and we tried inj...
Adrien_Legros_1
Altostratus
Feb 17, 2011
Thanks Aaron for your answer, but I do not understand how I could not use the variables, as I need to keep the first URL used by the client to modify the URI after the redirection. For example:
Request 1 is: https://app1.be/secureapp1
Our server redirects the user to https://app1.be/loginproxy (but I need to keep the first URL in the headers, as the backend will use it to write the next redirection).
Request 2: The client goes to https://app1.be/authentication, a cookie is done and the server performs another redirection to the URL written in the header (target = $$road)
Request 3: The user goes to the first URL with the authentication information.
The problem is, with my iRule, when the client goes to /loginproxy and I insert the content of the variable in the header, the variable seems not to exist. I cannot use HTTP::uri directly, as it is no more the first URL requested.
Thanks.
- Giridharan_2650
Nimbostratus
May 20, 2018
Nir Zigler, thanks for your response. Test cases in the following OWASP link were tried against the managed WAF rules and they were not getting blocked (https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)). Do we have any reference to the attack patterns that the rule set covers?