Detail of AWS WAF - Web Exploits Rules by F5's Rule

Chisato_Horimiz · ‎24-Nov-2021

When we upload the Excel file, it is blocked by Web Exploits Rules by F5's Rule.

please see below WAFlog.

-----------------------------------------------------------------------

{"timestamp":1637571625959,

"formatVersion":1,

"webaclId":"9e22227d-1fba-4844-a34b-43d35b20b2ae",

"terminatingRuleId":"8b270c08-5d30-4940-a5bb-02e74c11b38f",

"terminatingRuleType":"GROUP",

"action":"BLOCK",

"terminatingRuleMatchDetails":[],

"httpSourceName":"ALB",

"httpSourceId":"XXXXXXXXX-app/XXXXXXXXServer/XXXXXXXXXXXXXXXXXXX",

"ruleGroupList":[{"ruleGroupId":"8b270c08-5d30-4940-a5bb-02e74c11b38f",

"terminatingRule":{"ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36",

"action":"BLOCK",

"ruleMatchDetails":null},

"nonTerminatingMatchingRules":[],

"excludedRules":null}],

"rateBasedRuleList":[],

"nonTerminatingMatchingRules":[],

"requestHeadersInserted":null,

"responseCodeSent":null,

"httpRequest":{"clientIp":"XX.XXX.XX.XXX",

"country":"JP",

"headers":[{"name":"host",

"value":"xxxxxxxxxxxxxxxxxxxx.com"},

{"name":"content-length",

"value":"512302"},

{"name":"sec-ch-ua",

"value":"\"Google Chrome\";v=\"95\", \"Chromium\";v=\"95\", \";Not A Brand\";v=\"99\""},

{"name":"accept",

"value":"application/json, text/javascript, */*; q=0.01"},

{"name":"content-type",

"value":"multipart/form-data; boundary=----WebKitFormBoundaryN8QBl8AUNfmYGqws"},

{"name":"x-requested-with",

"value":"XMLHttpRequest"},

{"name":"sec-ch-ua-mobile",

"value":"?0"},

{"name":"user-agent",

"value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"},

{"name":"sec-ch-ua-platform",

"value":"\"Windows\""},

{"name":"origin",

"value":"https://xxxxxxxxxxxxxxxxxxxxxxxxx.com "},

{"name":"sec-fetch-site",

"value":"same-origin"},

{"name":"sec-fetch-mode",

"value":"cors"},

{"name":"sec-fetch-dest",

"value":"empty"},

{"name":"referer",

"value":"https://xxxxxxxxxxxxxxxxxxxxx.com/xxxxx/xxxxxxx/xxxxxxxxx/xxxx"},

{"name":"accept-encoding ",

"value":"gzip, deflate, br"},

{"name":"accept-language",

"value":"ja,en-US;q=0.9,en;q=0.8"},

{"name":"cookie",

"value":"JSESSIONID=04DE9DEA76FDF48733FE23D7F5029B43; MP_PORTAL_SID=xxxxxxxxxxxxxxx; AWSALBTG=xxxxxx/xxxxxxxx; AWSALBTGCORS=xxxxxxxxx"}],

"uri":"/xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxxx/xxxxxxxx",

"args":"",

"httpVersion":"HTTP/2.0",

"httpMethod":"POST",

"requestId":"1-619b5c29-13a199306dd99bbd6753a9c9"}}

-----------------------------------------------------------------------

then, When we add "ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36" to WAF as White list,

Excel file is not blocked & uploaded successfully.

so, We assume that it blocks Excel file.

what is the "ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36" ?

Cloud you let us know the detail of this ruleId?

Can we know what is wrong of Excle file?

thanks.

boneyard · ‎27-Nov-2021

you can download a file here that lists the ID and the type of attack

https://devcentral.f5.com/s/articles/f5-rules-for-aws-waf-rule-id-to-attack-type-reference-33105

for c0ae2d87-48f1-4813-9e91-3e723f8d7b36 that is Server Side Code Injection

so there probably is something inside the excel file that looks like a server side code injection. which i can imagine for files as they can contain all kind of texts that triggers something like that.

perhaps someone from the AWS WAF team can provide more details.

Chisato_Horimiz · ‎01-Dec-2021

Thank you for your Answer.

jason_dang · ‎04-May-2022

Hi Boneyard,

I tried to download the csv file but it's failed to open because of interruption.
Can you please help me to identify the content of ruleGroupID: 863ec017-6edf-44c1-9995-9db6eaf817f1 and ruleID: 8516ab57-0a98-425c-8710-3fef0d7352ca ?

My app is blocked by that rule. I'd like to know what content of it so that I can fix it.

Regards,
Jason

DevCentral

Detail of AWS WAF - Web Exploits Rules by F5's Rule

Khoros Kudos Award 2022