AWS WAF ruleset OWASP_Managed rule SSRF_attempt_AllQueryArguments_Body

a-vg-ops
Nimbostratus

In our Amazon project, WAF blocks legitimate requests according to the rule_SSRF_attempt_AllQueryArguments_Body rule.
How can I find out the reasons and allow traffic to pass without affecting security?

3 REPLIES

Heath_Parrott
F5 Employee

If you export the AWS WAF logs to a log_group you can get detailed information about what happened. Look for the terminating rule ID; you can then disable the rule within the rule group. On the question of not impacting security, the rules are created off known good (reliable signatures), so by disabling a rule to allow traffic that matches a known good signature you will also allow bad actors that are attempting to use that signature. You will need to ensure that your application and supporting infrastructure are appropriately hardened to mitigate the risk of allowing the traffic.

{
  "ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet",
  "terminatingRule": {
    "ruleId": "JavaDeserializationRCE_HEADER",
    "action": "BLOCK",
    "ruleMatchDetails": null
  },
  "nonTerminatingMatchingRules": [
    {
      "ruleId": "JavaDeserializationRCE_HEADER_RC_COUNT",
      "action": "COUNT",
      "ruleMatchDetails": []
    }
  ]
}
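The lookup described above, as an added example that is not part of this thread: it walks the ruleGroupList of each exported AWS WAF log record, reports which rule group and rule terminated the request, and tallies the BLOCK decisions together with the URI and query string so the blocked requests can be reviewed before deciding on a rule override. The sample records are constructed for the example and only mirror the field shape (ruleGroupList, terminatingRule, httpRequest) seen in the log output pasted in this thread.

```python
import json
from collections import Counter

# Constructed sample AWS WAF log records (not real traffic); the ruleGroupList
# entries mirror the shape of the log output pasted in this thread.
SAMPLE_LOG_LINES = [
    json.dumps({
        "action": "BLOCK",
        "httpRequest": {"uri": "/api/fetch", "args": "url=https%3A%2F%2Fexample.com%2Ffeed"},
        "ruleGroupList": [
            {"ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet",
             "terminatingRule": None, "nonTerminatingMatchingRules": []},
            {"ruleGroupId": "F5#OWASP_Managed",
             "terminatingRule": {"ruleId": "rule_SSRF_attempt_AllQueryArguments_Body",
                                 "action": "BLOCK", "ruleMatchDetails": None},
             "nonTerminatingMatchingRules": []},
        ],
    }),
    json.dumps({
        "action": "ALLOW",
        "httpRequest": {"uri": "/", "args": ""},
        "ruleGroupList": [{"ruleGroupId": "F5#OWASP_Managed",
                           "terminatingRule": None, "nonTerminatingMatchingRules": []}],
    }),
]


def terminating_rule(record):
    """Return (ruleGroupId, ruleId, action) for the rule group whose rule ended
    evaluation, or None when no rule group terminated the request."""
    for group in record.get("ruleGroupList", []):
        rule = group.get("terminatingRule")
        if rule:
            return group["ruleGroupId"], rule["ruleId"], rule["action"]
    return None


def summarize_blocks(log_lines):
    """Count BLOCK decisions per (ruleGroupId, ruleId) and keep the URI and
    query string of each blocked request so it can be reviewed by hand."""
    counts, blocked = Counter(), []
    for line in log_lines:
        record = json.loads(line)
        hit = terminating_rule(record)
        if hit and hit[2] == "BLOCK":
            counts[hit[:2]] += 1
            req = record.get("httpRequest", {})
            blocked.append((hit[1], req.get("uri"), req.get("args")))
    return counts, blocked
```

Feed it the lines of an exported log group (one JSON record per line) and the most common key in the counter is the rule to investigate; the blocked list tells you which requests it actually caught.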

Thank you very much for the answer. Log output:

{
  "ruleGroupId": "AWS#AWSManagedRulesBotControlRuleSet",
  "terminatingRule": null,
  "nonTerminatingMatchingRules": [],
  "excludedRules": null,
  "ruleActionOverrides": null
},
{
  "ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet",
  "terminatingRule": null,
  "nonTerminatingMatchingRules": [],
  "excludedRules": null,
  "ruleActionOverrides": null
},
{
  "ruleGroupId": "F5#OWASP_Managed",
  "terminatingRule": {
    "ruleId": "rule_SSRF_attempt_AllQueryArguments_Body",
    "action": "BLOCK",
    "ruleMatchDetails": null
  },
  "nonTerminatingMatchingRules": [],
  "excludedRules": null,
  "ruleActionOverrides": null
}

We cannot disable the rule, as this will affect the security of the system. What do we need to do to set up traffic flow?
We can provide the details of the HTTP request.


Heath_Parrott
F5 Employee

A signature-based WAF is just that. To bypass a signature, the signature must be disabled. AWS WAF and all the managed rules on top of it fight this category. If you need a WAF that is highly tuned to your application stack then you will need to look for a more robust WAF such as Adv. WAF.