Forum Discussion

Andy101's avatar
Andy101
Icon for Nimbostratus rankNimbostratus
Jul 23, 2021

False Positive on AWS WAF F5 Managed Rule F5#OWASP_Managed#rule_div_tag__behavior__Parameter__AllQueryArguments_Body

Hello

 

I'm not sure if this is a question for AWS support or F5 but I'll start with F5support.

 

We recently enabled 2 sets of rules on a AWS WAFv2 from F5 (F5-CVE_Managed and F5-OWASP_Managed).

 

Once we did we started seeing a false positive for an API call with the following rule...

 

F5#OWASP_Managed#rule_div_tag__behavior__Parameter__AllQueryArguments_Body

 

After some further investigation we discovered the rule is tripped when we make a request which contains embeded HTML in the body and this HTML contains a div tag with a base64 encoded image.

 

Can you give us more background information on exactly what this rule is doing and how we should go about avoiding this false positive?

 

Andy

4 Replies

  • Hi there!

     

    Unlike traditional, full blown WAF security solutions, the content of F5 rules is not visible and cannot be viewed.

    We have the rule. The next step is to Get better details of the http request that was blocked. Can you paste the HTTP request that was blocked? We need more details than the info above. We will confirm whether the rule blocked a true malicious request or not. If needed, we may then suggest on policy adjustments.

  • in addition to the HTTP request, can you supply the signature ID, example 200002747 so we can look at the rule on the backend?

  • From the description 'a div tag with a base64 encoded image.' This is a false positive based on the Attack signature regular expression matching on a random string in the bas64 string. You can disable that specific attack signature, but since you cannot control what string occurs when an image is converted to base 64, it would be difficult to prevent. We could give you more info with an example of the request.

     

  • The AWS WAF as a whole is not made well to deal with false positives and it can't replace F5 for critical sites. In the AWS WAF GUI overview logs for AWS waf you just see the request without any highlights about what part causes the issue and the only workaround is you to set the action to 'count'' for the subrule group t hat makes a security hole or create a custom allow rule with higher priority but as you don't know from the logs exactly what part of the request causes the false positive and you can't directly view the F5 AWS WAF rules or the Native AWS WAF rules you are making the custom allow rule hoping you are not making a security hole.