We have enabled AWS WAF solution before my ALB and have SQL injection and XSS detection enabled. We have tried to setup a custom rule to check if the content-type is multipart\/form\-data* using regex.
We have set that custom rule with higher priority. When using the custom rule the images are uploaded but the script tags are not forbidden. Without having the custom rule if we try uploading the images one particular image alone is not getting uploaded and throws 403 forbidden.
Any hints on adding XSS and custom rule to allow image uploads?
I faced 403 issue in AWS firewall when I try to add image as multipart/form-data.
Some of the WAF rules which blocks the image upload are, AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY, AWS#AWSManagedRulesCommonRuleSet#GenericRFI_BODY, and AWS#AWSManagedRulesCommonRuleSet#CrossSiteScripting_BODY.
I solved this issue by uploading the image as base64 string instead of uploading as multipart/form-data.