0

We have our application set up on Amazon Web Services behind an ALB (Application Load Balancer) with a AWS WAF (Web Application Firewall). The WAF includes a rule to block SQL injection attempts using a set of conditions provided by Amazon.

The problem is that certain form fields in the system are designed to be used for generic notes, and the WAF is overly aggressive at filtering this input. An example note:

You shouldn't have more than one "and" in this sentence

The form that submits this request gets blocked (403 Forbidden) because of the "and" (including the quotes).

Is there a way to modify our application or the WAF configuration to prevent it from blocking these types of requests?

We have had multiple instances of broad SQL injection probe attacks in our past, so while we have made a concentrated effort to patch any security holes at the application level, we'd really like to be able to keep the WAF as an additional layer of protection over the whole application.

thelr
  • 140
  • 8

1 Answers1

0

So the solution I found was to add a whitelist rule. Basically, I create a string-matching condition for the URI of this particular request, created a new "Whitelist" rule with it, and added it as the first rule in my ACL with "Allow" as the action. My understanding is that this means that requests to this URI are automatically passed though, and are not tested against the SQL-Injection rules lower on the list. This does work - I can submit strings that are SQL injection to the page in question, but other pages are still protected.

Obviously I need to be extra cautious that the page in question is not vulnerable to this type of attack, but I retain my protection layer on the rest of the application.

I'm still open to accepting another answer if someone can describe a better solution.

thelr
  • 140
  • 8