Currently my WAF is blocking requests that contain a reference to a resource on my own domain. For example the body of a request can look like:

```json
{
  "myPicture": "https://example.com/user1/profilePicture",
  "username": "user1"
}
```
I could ignore violations of GenericRFI_BODY, but this would expose me to links hosted anywhere.
Can I not add an extra rule which allows requests that contain a link to my domain?
First, the AWS common rule set, which includes GenericRFI_BODY:

```yaml
Priority: 0
Statement:
  ManagedRuleGroupStatement:
    VendorName: AWS
    Name: AWSManagedRulesCommonRuleSet
OverrideAction:
  None: {}
VisibilityConfig:
  SampledRequestsEnabled: true
  CloudWatchMetricsEnabled: true
  MetricName: AWS-AWSManagedRulesCommonRuleSet
```
And then something like this to allow links to my own domain:

```yaml
- Name: AllowOwnDomain
  Priority: 1
  Statement:
    AndStatement:
      Statements:
        - LabelMatchStatement:
            Scope: LABEL
            Key: awswaf:managed:aws:common-rule-set:signal:genericRFI_BODY
        - NotStatement:
            Statement:
              ByteMatchStatement:
                FieldToMatch:
                  JsonBody:
                    MatchPattern: "https://example.com"
                    MatchScope: VALUE
                PositionalConstraint: CONTAINS
                TextTransformations:
                  - Priority: 0
                    Type: NONE
  Action:
    Block: {}
  VisibilityConfig:
    SampledRequestsEnabled: true
    CloudWatchMetricsEnabled: true
    MetricName: AllowOwnDomain
```
The above is not working. How can something like this be done? (Keep the GenericRFI_BODY statement in place but create an exception for your own domain.)
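An added example (not taken from the question or from AWS's own documentation) of how the two rules can be wired together in a CloudFormation `AWS::WAFv2::WebACL` `Rules` list: the managed group keeps running, but GenericRFI_BODY is overridden to Count so it only labels the request, and a second rule blocks labelled requests unless the `/myPicture` value starts with the own-domain prefix. The `/myPicture` path and the `https://example.com/` prefix come from the question; the label key is the one AWS documents for the Core rule set and should be confirmed against the rule group's current documentation before deploying.

```yaml
Rules:
  # 1. Managed group: keep every rule active, but demote GenericRFI_BODY to Count.
  #    A counted rule still attaches its label, so a later rule can act on it.
  - Name: AWS-AWSManagedRulesCommonRuleSet
    Priority: 0
    OverrideAction:
      None: {}
    Statement:
      ManagedRuleGroupStatement:
        VendorName: AWS
        Name: AWSManagedRulesCommonRuleSet
        RuleActionOverrides:
          - Name: GenericRFI_BODY
            ActionToUse:
              Count: {}
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: AWS-AWSManagedRulesCommonRuleSet

  # 2. Block RFI-labelled requests unless the only URL field we accept points at us.
  #    Label key assumed from AWS docs for the Core rule set (verify before use).
  - Name: BlockRFIUnlessOwnDomain
    Priority: 1
    Action:
      Block: {}
    Statement:
      AndStatement:
        Statements:
          - LabelMatchStatement:
              Scope: LABEL
              Key: awswaf:managed:aws:core-rule-set:GenericRFI_Body
          - NotStatement:
              Statement:
                ByteMatchStatement:
                  FieldToMatch:
                    JsonBody:
                      MatchPattern:
                        IncludedPaths:
                          - /myPicture        # only this JSON value is inspected
                      MatchScope: VALUE
                  SearchString: https://example.com/   # trailing slash: rejects example.com.evil.net
                  PositionalConstraint: STARTS_WITH    # not CONTAINS: rejects https://evil.net/?x=https://example.com/
                  TextTransformations:
                    - Priority: 0
                      Type: NONE
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: BlockRFIUnlessOwnDomain
```

Because the second rule can only assert that one named value has the expected prefix, a body with a valid `myPicture` and a foreign URL in some other field still passes; treat this as a WAF-level exception and keep validating URLs in the application itself.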