Possible False Positive for OWASP rule in AWS - div_tag_parameter_AllQueryArguments_Body
We have a WordPress website and we just recently enabled the F5-OWASP_Managed Rule set in AWS. I noticed we had had over 50 requests blocked from users within our network. It looks like they were attempting to save the page among other valid type requests. The rule that is blocking the request is "rule_div_tag__behavior__Parameter__AllQueryArguments_Body" I've currently set the blocking rule to "Override to Allow" but I would prefer to not have this rule set to this, but I do not wish to have our site editors blocked from making valid site updates. I have a downloaded CSV from Cloudwatch of all the blocked requests with the parameters, etc.
F5 Rules for AWS WAF - API Security Rules (Requesting a Trial)
Hi, We have deployed the AWS WAF in our AWS account and we would like to enable and evaluate the API Security Ruleset available in the AWS Marketplace on a SOAP API environment. We would like to know whether it is possible to evaluate the rules before purchasing by requesting a trial for a short time period so that we can evaluate the efficacy of the rules against targeted attacks towards SOAP APIs. This will be greatly helpful to us in making purchasing decisions.AWS WAF Rule F5-OWASP_Managed custom response
Hi! We are using AWS WAF managed rule 'F5-OWASP_Managed'. I would like to create a WAF custom response when requests are blocked by this rule. To do so I need to change the rule from block to count, and capture labels assigned by this rule in a WAF custom rule. When looking into the AWS WAF console I cannot see any labels assigned to this WAF rule? Can somebody please tell me if this rule assigns labels, and, which one? Thanks
Help with investigating the cause for blocked request
Hi, We are subscribed to F5 Rules for AWS WAF - Web exploits OWASP Rules via AWS Marketplace and use it for our WAF config. We see some requests are getting blocked and see which rule triggers it. However it is not clear from the log what is exactly the reason for this. I suspect it is because of the size of the body of the request. Please help understanding the exact reason and what can we do to fix it. Log entry: { "timestamp": 1693206543488, "formatVersion": 1, "webaclId": "", "terminatingRuleId": "F5-OWASP", "terminatingRuleType": "MANAGED_RULE_GROUP", "action": "BLOCK", "terminatingRuleMatchDetails": [ { "conditionType": "REGEX", "location": "BODY", "matchedData": null } ], "httpSourceName": "ALB", "httpSourceId": "", "ruleGroupList": [ { "ruleGroupId": "F5#OWASP_Managed", "terminatingRule": { "ruleId": "rule_XSS_script_tag__Parameter__AllQueryArguments_Body", "action": "BLOCK", "ruleMatchDetails": null }, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null } ], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [], "requestHeadersInserted": null, "responseCodeSent": null, "httpRequest": { redacted }, "oversizeFields": [ "REQUEST_BODY" ], "requestBodySize": 49642, "requestBodySizeInspectedByWAF": 8192 }
Body Size Limit F5 AWS WAF managed rule
I am subscribing theF5-OWASP_Managed then attach it to my AWS WAF. I am seeking a solution to block OWASP attack that happen on body. my question is: does the F5 managed rule group follows the AWS body size inspection limit (16 KB), or it has different limit? thank you
url rewrite to avoid third level domain still make sense?
Hello everyone. I've been using f5 in a simple way for some years - I'm not an expert - but i have always implemented the visibility of sites with third-level domains for example: https://company.com/test -> redirect to https://test.company.com for my application or site. Now the business request has changed, they no longer want to see the third level url (https://test.company.com/) but always https://company.com/test/ecc.ecc.ecc i suppose i should implement heavy url rewrite rules. The question is, the url rewrite to avoid third level domain still make sense, is it still valid, or does it turn out to be deprecated for some reason? or for simplicity the third level domain remains the best solution? Thanks to everyone Alberto
