We have enabled the AWS WAF solution in front of my ALB and have SQL injection and XSS detection enabled. We have tried to set up a custom rule to check whether the Content-Type is multipart/form-data* using a regex.
We have set that custom rule with a higher priority. When using the custom rule, the images are uploaded but the script tags are not forbidden. Without the custom rule, if we try uploading the images, one particular image alone is not uploaded and throws 403 Forbidden.
Any hints on adding XSS detection and a custom rule to allow image uploads?
Check your image metadata. I recently encountered this issue and was getting the "GenericRFI_BODY" error in the ACL logs. It turns out the test image I was uploading had an illegal path in its EXIF data. There was a URL that pointed to the site the image came from in some metadata field, and the "://" pattern in that URL was triggering the rule. Stripping the metadata from the image allowed it to upload.
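To check whether an upload trips on this before it reaches the WAF, the following added example (not code from the thread or from AWS) walks the JPEG segment structure, reports any "://" string found in the APPn (EXIF, XMP) and COM segments, and rebuilds the file without those segments. The sample JPEG is constructed inline with dummy scan data; the helper names are my own.

```python
"""Find URL-looking strings in JPEG metadata segments and strip them.

Added example, not from the original thread. The managed rule named in the
answer above matches "://" anywhere in the request body, so a source URL
sitting in EXIF or in a JPEG comment is enough to draw a 403 on upload.
"""
import re
import struct

SOI, EOI, SOS, COM, DQT = 0xD8, 0xD9, 0xDA, 0xFE, 0xDB
APP0, APP1 = 0xE0, 0xE1
URL_RE = re.compile(rb"[A-Za-z][A-Za-z0-9+.\-]*://[^\x00\s]*")


def marker_name(marker):
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return {COM: "COM", SOS: "SOS", DQT: "DQT", SOI: "SOI"}.get(marker, f"0x{marker:02X}")


def iter_segments(data):
    """Yield (marker, payload, raw_bytes) for every header segment up to SOS.

    Entropy-coded scan data after SOS (through EOI) is yielded last as
    (None, tail, tail); metadata cannot legitimately live there.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, b"", data[:2]
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts itself
        end = pos + 2 + length
        if end > len(data):
            raise ValueError(f"truncated {marker_name(marker)} segment at offset {pos}")
        yield marker, data[pos + 4:end], data[pos:end]
        pos = end
        if marker == SOS:
            yield None, data[pos:], data[pos:]
            return
    raise ValueError("no SOS segment found")


def find_metadata_urls(data):
    """Return [(segment name, url)] for each '://' string in APPn or COM segments."""
    hits = []
    for marker, payload, _ in iter_segments(data):
        if marker is None or not (0xE0 <= marker <= 0xEF or marker == COM):
            continue
        for m in URL_RE.finditer(payload):
            hits.append((marker_name(marker), m.group(0).decode("latin-1")))
    return hits


def strip_metadata(data, keep_app0=True):
    """Rebuild the JPEG without APP1..APP15 and COM segments.

    APP0 (JFIF) is kept by default: some decoders expect it and it has no
    free-text fields that could carry a URL.
    """
    out = bytearray()
    for marker, _, raw in iter_segments(data):
        if marker is not None and (APP1 <= marker <= 0xEF or marker == COM):
            continue
        if marker == APP0 and not keep_app0:
            continue
        out += raw
    return bytes(out)


def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: valid segment framing, dummy quantisation and scan data.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00" + b"http://example.com/source.jpg\x00")
    + _seg(COM, b"downloaded from https://example.org/gallery")
    + _seg(DQT, b"\x00" + bytes(64))
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", find_metadata_urls(SAMPLE_JPEG))
    print("after: ", find_metadata_urls(strip_metadata(SAMPLE_JPEG)))
```

Run `find_metadata_urls` over the bytes you are about to POST; if it returns anything, the request body contains the pattern the rule is looking for regardless of what the pixels are. The stripper is deliberately conservative: it only drops APP1..APP15 and COM, so quantisation and Huffman tables and the scan itself are passed through untouched.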
I strongly discourage base64 encoding to circumvent firewall rules. This will bloat the size of your files, and multipart/form-data exists specifically to stream large binaries back and forth between client and server, not to post massive serialized text blocks.
Here's the RFC: https://www.ietf.org/rfc/rfc2388.txt
Go to your Web ACL, click Edit on AWS-AWSManagedRulesCommonRuleSet, and set Override rules action to True for the rule SizeRestrictions_BODY.
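The console step above corresponds to a per-rule action override inside the managed rule group statement of the web ACL. The following added example (my own code, not from the thread or from AWS) builds that change in the shape the WAFv2 API uses, checks what the ACL will do for a given managed rule, and leaves the group-level OverrideAction alone, since setting that to Count would count every rule in the group instead of just one. The rule list is constructed, the boto3 call is shown only in a comment, and `override_managed_rule` and `effective_action` are my names. The second sample rule illustrates the question's setup: an Allow rule on the Content-Type evaluated first terminates evaluation, so the managed XSS rules never see those requests.

```python
"""Override one rule of an AWS managed rule group to Count, WAFv2 API style.

Added example, not from the original thread. SizeRestrictions_BODY in
AWSManagedRulesCommonRuleSet fires on request bodies over 8 KB, which is
almost every image upload, so counting instead of blocking it is the usual
fix; the rest of the group (including GenericRFI_BODY) keeps blocking.
"""
import copy

COMMON_RULE_SET = ("AWS", "AWSManagedRulesCommonRuleSet")


def _managed_stmt(rule, vendor, group):
    stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
    if stmt and (stmt.get("VendorName"), stmt.get("Name")) == (vendor, group):
        return stmt
    return None


def override_managed_rule(rules, vendor, group, rule_name, action="Count"):
    """Return a copy of `rules` with `rule_name` in the given managed group set to `action`.

    Raises if the group is not attached, so a typo cannot silently leave the
    block in place. Re-running replaces an existing override instead of
    appending a duplicate (the API rejects duplicate names).
    """
    rules = copy.deepcopy(rules)
    for rule in rules:
        stmt = _managed_stmt(rule, vendor, group)
        if stmt is None:
            continue
        overrides = stmt.setdefault("RuleActionOverrides", [])
        overrides[:] = [o for o in overrides if o["Name"] != rule_name]
        overrides.append({"Name": rule_name, "ActionToUse": {action: {}}})
        return rules
    raise ValueError(f"managed rule group {vendor}/{group} not attached to this web ACL")


def effective_action(rules, vendor, group, rule_name):
    """'Override:<Action>', 'GroupDefault' or 'NotAttached' for one managed rule."""
    for rule in rules:
        stmt = _managed_stmt(rule, vendor, group)
        if stmt is None:
            continue
        if rule.get("OverrideAction", {}).get("Count") is not None:
            return "GroupCount"  # whole group is counting; per-rule overrides are moot
        for o in stmt.get("RuleActionOverrides", []):
            if o["Name"] == rule_name:
                return "Override:" + next(iter(o["ActionToUse"]))
        return "GroupDefault"
    return "NotAttached"


# Constructed web ACL rule list in the shape get_web_acl returns.
SAMPLE_RULES = [
    {
        # Evaluated first (lowest priority number). Allow terminates evaluation,
        # so multipart requests never reach the managed XSS/SQLi rules below.
        "Name": "allow-multipart",
        "Priority": 0,
        "Action": {"Allow": {}},
        "Statement": {
            "RegexMatchStatement": {
                "RegexString": "^multipart/form-data",
                "FieldToMatch": {"SingleHeader": {"Name": "content-type"}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            }
        },
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "allowMultipart"},
    },
    {
        "Name": "AWS-AWSManagedRulesCommonRuleSet",
        "Priority": 1,
        "OverrideAction": {"None": {}},  # keep None: Count here would count the whole group
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "common"},
    },
]

if __name__ == "__main__":
    updated = override_managed_rule(SAMPLE_RULES, *COMMON_RULE_SET, "SizeRestrictions_BODY")
    print(effective_action(updated, *COMMON_RULE_SET, "SizeRestrictions_BODY"))
    # Apply with boto3 (assumed: credentials, ACL name/id and scope are known):
    # wafv2 = boto3.client("wafv2")
    # acl = wafv2.get_web_acl(Name=NAME, Scope="REGIONAL", Id=ACL_ID)
    # wafv2.update_web_acl(Name=NAME, Scope="REGIONAL", Id=ACL_ID, LockToken=acl["LockToken"],
    #                      DefaultAction=acl["WebACL"]["DefaultAction"], Rules=updated,
    #                      VisibilityConfig=acl["WebACL"]["VisibilityConfig"])
```

Two checks worth doing after the change: confirm with `effective_action` that only SizeRestrictions_BODY reports an override and the rest of the group still reports GroupDefault, and confirm the group's own OverrideAction is still None. If you need the custom multipart rule at all, give it no terminating action (Count) or scope it down rather than Allow, otherwise the managed XSS rules are skipped for exactly the requests you wanted inspected.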