amazon-waf

is it possible to add safe URLs in AWS WAF?


I know that AWS WAF is pretty dumb and non-configurable, but lately it has become stricter.

We can't even send a request to the backend like:

POST https://our.url/page_id

{
    "data": "<a></a>"
}

In this case awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body_RC_COUNT rule will be triggered.

I tried to find any way the core rule set may be customized, but it looks like it is impossible. But I want to believe that this is my lack of searching and that it may be customized in some way. If not, the current WAF is simply unusable. I can't imagine a case where it may be used with these strict, non-editable standard rules.

So the question is: Is it possible to set some safe domains (like https://our.url) that will be passed through without blocking? Or maybe some way to allow the <a> tag, for example?


Solution

  • You can customize the action on the AWS managed rule in this way:

    • Edit the AWS managed core set and change the rule action to: "Override to Count". Take note of the aws label for this rule (something like "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body")
    • Create a new rule that you add at the end of all existing rules. This new rule should trigger on conditions (1) Statement "has a label", where you specify the above label, and (2) the URL matches the URL you want to let through. Specify the action as "Allow".
    • Create a new rule that you add after the previous rule. This rule should trigger on the same condition (1) only. Specify the action as "Block".
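The three steps above written out as the Rules array of a WAFv2 web ACL (an added example, not part of the answer). The rule and metric names and the /page_id path are placeholders; the label key is the one quoted in the answer, and CrossSiteScripting_BODY is the name of the corresponding rule inside AWSManagedRulesCommonRuleSet.

```json
[
  {
    "Name": "AWS-CommonRuleSet",
    "Priority": 0,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "RuleActionOverrides": [
          { "Name": "CrossSiteScripting_BODY", "ActionToUse": { "Count": {} } }
        ]
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AWS-CommonRuleSet" }
  },
  {
    "Name": "AllowXssBodyOnPageId",
    "Priority": 1,
    "Statement": {
      "AndStatement": {
        "Statements": [
          { "LabelMatchStatement": { "Scope": "LABEL", "Key": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body" } },
          {
            "ByteMatchStatement": {
              "FieldToMatch": { "UriPath": {} },
              "SearchString": "/page_id",
              "PositionalConstraint": "EXACTLY",
              "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ]
            }
          }
        ]
      }
    },
    "Action": { "Allow": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AllowXssBodyOnPageId" }
  },
  {
    "Name": "BlockXssBodyElsewhere",
    "Priority": 2,
    "Statement": {
      "LabelMatchStatement": { "Scope": "LABEL", "Key": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body" }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "BlockXssBodyElsewhere" }
  }
]
```

Priority order is what makes this work: the managed group runs first and only labels the request, the Allow rule terminates evaluation for the one exempted path, and the Block rule restores the original behaviour for every other request that carries the label. Keep the exemption as narrow as the ByteMatchStatement allows (an exact path rather than a prefix) so the bypass does not widen beyond the endpoint that legitimately accepts markup.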