Detail of AWS WAF - Web Exploits Rules by F5's Rule

Chisato_Horimiz
Nimbostratus

When we upload the Excel file, it is blocked by Web Exploits Rules by F5's Rule.

 

Please see the WAF log below.

-----------------------------------------------------------------------

{"timestamp":1637571625959,

"formatVersion":1,

"webaclId":"9e22227d-1fba-4844-a34b-43d35b20b2ae",

"terminatingRuleId":"8b270c08-5d30-4940-a5bb-02e74c11b38f",

"terminatingRuleType":"GROUP",

"action":"BLOCK",

"terminatingRuleMatchDetails":[],

"httpSourceName":"ALB",

"httpSourceId":"XXXXXXXXX-app/XXXXXXXXServer/XXXXXXXXXXXXXXXXXXX",

"ruleGroupList":[{"ruleGroupId":"8b270c08-5d30-4940-a5bb-02e74c11b38f",

"terminatingRule":{"ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36",

"action":"BLOCK",

"ruleMatchDetails":null},

"nonTerminatingMatchingRules":[],

"excludedRules":null}],

"rateBasedRuleList":[],

"nonTerminatingMatchingRules":[],

"requestHeadersInserted":null,

"responseCodeSent":null,

"httpRequest":{"clientIp":"XX.XXX.XX.XXX",

"country":"JP",

"headers":[{"name":"host",

"value":"xxxxxxxxxxxxxxxxxxxx.com"},

{"name":"content-length",

"value":"512302"},

{"name":"sec-ch-ua",

"value":"\"Google Chrome\";v=\"95\", \"Chromium\";v=\"95\", \";Not A Brand\";v=\"99\""},

{"name":"accept",

"value":"application/json, text/javascript, */*; q=0.01"},

{"name":"content-type",

"value":"multipart/form-data; boundary=----WebKitFormBoundaryN8QBl8AUNfmYGqws"},

{"name":"x-requested-with",

"value":"XMLHttpRequest"},

{"name":"sec-ch-ua-mobile",

"value":"?0"},

{"name":"user-agent",

"value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"},

{"name":"sec-ch-ua-platform",

"value":"\"Windows\""},

{"name":"origin",

"value":"https://xxxxxxxxxxxxxxxxxxxxxxxxx.com "},

{"name":"sec-fetch-site",

"value":"same-origin"},

{"name":"sec-fetch-mode",

"value":"cors"},

{"name":"sec-fetch-dest",

"value":"empty"},

{"name":"referer",

"value":"https://xxxxxxxxxxxxxxxxxxxxx.com/xxxxx/xxxxxxx/xxxxxxxxx/xxxx"},

{"name":"accept-encoding ",

"value":"gzip, deflate, br"},

{"name":"accept-language",

"value":"ja,en-US;q=0.9,en;q=0.8"},

{"name":"cookie",

"value":"JSESSIONID=04DE9DEA76FDF48733FE23D7F5029B43; MP_PORTAL_SID=xxxxxxxxxxxxxxx; AWSALBTG=xxxxxx/xxxxxxxx; AWSALBTGCORS=xxxxxxxxx"}],

"uri":"/xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxxx/xxxxxxxx",

"args":"",

"httpVersion":"HTTP/2.0",

"httpMethod":"POST",

"requestId":"1-619b5c29-13a199306dd99bbd6753a9c9"}}

-----------------------------------------------------------------------

 

 

Then, when we add "ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36" to the WAF as a whitelist entry,

the Excel file is not blocked and is uploaded successfully.

So, we assume that it blocks the Excel file.

 

What is the "ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36"?

Could you let us know the details of this ruleId?

Can we know what is wrong with the Excel file?

 

Thanks.

3 REPLIES

boneyard
MVP

you can download a file here that lists the ID and the type of attack

 

https://devcentral.f5.com/s/articles/f5-rules-for-aws-waf-rule-id-to-attack-type-reference-33105

 

for c0ae2d87-48f1-4813-9e91-3e723f8d7b36 that is Server Side Code Injection

 

so there probably is something inside the Excel file that looks like a server side code injection, which I can imagine for files, as they can contain all kinds of text that trigger something like that.

 

perhaps someone from the AWS WAF team can provide more details.
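
As an added example (not part of the thread, and not F5 or AWS code), the following Python reads one WAF log record like the one posted above, finds the rule inside the rule group that actually terminated the request, and looks its ID up in a rule-to-attack-type table. The function name `triage` is hypothetical, the table holds only the one pair stated in this thread, and the sample record is the posted log trimmed to the fields used.

```python
import json

# Only the ID -> attack type pair stated in this thread; extend it from
# F5's rule-ID reference file (assumption: you load that file yourself).
RULE_TYPES = {"c0ae2d87-48f1-4813-9e91-3e723f8d7b36": "Server Side Code Injection"}

# Constructed sample: the thread's log record trimmed to the fields used here.
SAMPLE_LOG = '''{"timestamp":1637571625959,"action":"BLOCK",
"terminatingRuleId":"8b270c08-5d30-4940-a5bb-02e74c11b38f","terminatingRuleType":"GROUP",
"ruleGroupList":[{"ruleGroupId":"8b270c08-5d30-4940-a5bb-02e74c11b38f",
 "terminatingRule":{"ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36","action":"BLOCK","ruleMatchDetails":null},
 "nonTerminatingMatchingRules":[],"excludedRules":null}],
"httpRequest":{"headers":[{"name":"content-length","value":"512302"},
 {"name":"content-type","value":"multipart/form-data; boundary=----WebKitFormBoundaryN8QBl8AUNfmYGqws"}],
 "uri":"/xxxxxxxxxx","httpMethod":"POST","requestId":"1-619b5c29-13a199306dd99bbd6753a9c9"}}'''

def triage(line, rule_types=RULE_TYPES):
    """Summarise one WAF log record: which rule blocked it, on what kind of request."""
    rec = json.loads(line)
    # Header names may carry stray whitespace or mixed case; normalise before lookup.
    headers = {h["name"].strip().lower(): h["value"]
               for h in rec["httpRequest"].get("headers") or []}
    length = headers.get("content-length", "")
    # With terminatingRuleType GROUP the top-level ID is the group; the rule is nested.
    group_id, rule_id = None, rec.get("terminatingRuleId")
    for group in rec.get("ruleGroupList") or []:
        term = group.get("terminatingRule")
        if term:
            group_id, rule_id = group.get("ruleGroupId"), term.get("ruleId")
            break
    return {
        "request_id": rec["httpRequest"].get("requestId"),
        "action": rec.get("action"),
        "rule_group": group_id,
        "rule_id": rule_id,
        "attack_type": rule_types.get(rule_id, "unknown (not in mapping)"),
        "method": rec["httpRequest"].get("httpMethod"),
        "content_type": headers.get("content-type", "").split(";")[0].strip().lower(),
        "content_length": int(length) if length.isdigit() else None,
        # True for the thread's case: the body is a multipart upload, not form text.
        "file_upload": headers.get("content-type", "").lower().startswith("multipart/form-data"),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Running it over every BLOCK record groups false positives by rule ID and request type, which shows whether an exclusion can be scoped to the upload endpoint rather than applied to the whole web ACL.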

Thank you for your answer.

Hi Boneyard,

I tried to download the CSV file, but it failed to open because of an interruption.
Can you please help me to identify the content of ruleGroupID: 863ec017-6edf-44c1-9995-9db6eaf817f1 and ruleID: 8516ab57-0a98-425c-8710-3fef0d7352ca?

My app is blocked by that rule. I'd like to know what its content is so that I can fix it.

Regards,
Jason