Forum Discussion

a-vg-ops's avatar
Icon for Nimbostratus rankNimbostratus
Aug 25, 2022

AWS WAF ruleset OWASP_Managed rule SSRF_attempt_AllQueryArguments_Body

In our Amazon project, WAF blocks legitimate requests according to the rule_SSRF_attempt_AllQueryArguments_Body rule.
How can I find out the reasons and allow traffic to pass without affecting security?

3 Replies

  • A signature based WAF is just that.  To bypass a signature, the signature must be disabled.  AWS WAF and all the managed rules on top of it fight this category.   If you need a WAF this is highly tuned to your application stack then you will need to look for a more robust WAF such as Adv. WAF. 

  • If you export the AWS WAF logs to a log_group you can get detailed information about what happend.  Look for the terminating rule ID, you can then disable the rule within the rule group.   On the question of not impacting security, the rules are created off know good (reliable signatures) so by disabling a rule to allow traffic that matches a known good signature you will also allow bad actors that are attempting to use that signature.  You will need to ensure that your applicaition and supporting infrastructure are appropriatley hardened to mitigate the risk of allow the traffic. 

    { "ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet", "terminatingRule": { "ruleId": "JavaDeserializationRCE_HEADER", "action": "BLOCK", "ruleMatchDetails": null }, "nonTerminatingMatchingRules": [ { "ruleId": "JavaDeserializationRCE_HEADER_RC_COUNT", "action": "COUNT", "ruleMatchDetails": []
    • a-vg-ops's avatar
      Icon for Nimbostratus rankNimbostratus

      Thank you very much for the answer. Log Output : 

      { "ruleGroupId": AWS#AWSManagedRulesBotControlRuleSet",  "terminatingRule": null,  "nonTerminatingMatchingRules": [],        "excludedRules": null, "ruleActionOverrides": null }, {"ruleGroupId": AWS#AWSManagedRulesKnownBadInputsRuleSet", "terminatingRule": null,            "nonTerminatingMatchingRules": [], "excludedRules": null,  "ruleActionOverrides": null },   { "ruleGroupId": "F5#OWASP_Managed",  "terminatingRule": { "ruleId": "rule_SSRF_attempt_AllQueryArguments_Body",             "action": "BLOCK", "ruleMatchDetails": null  },  "nonTerminatingMatchingRules": [],  "excludedRules": null,             "ruleActionOverrides": null }

      We cannot disable the rule, as this will affect the security of the system. What do we need to do to set up traffic flow?
      We can provide the details of the http request.