简体繁体 English

AWS WAF 在尝试上传图像时出现 403 禁止错误

[英]AWS WAF Getting 403 forbidden error while trying to upload an image

原文 2020-11-16 05:35:04 0 3 amazon-web-services/ xss/ amazon-waf

We have enabled AWS WAF solution before my ALB and have SQL injection and XSS detection enabled.我们在我的 ALB 之前启用了 AWS WAF 解决方案，并启用了 SQL 注入和 XSS 检测。 We have tried to setup a custom rule to check if the content-type is multipart/form-data* using regex.我们尝试设置自定义规则，以使用正则表达式检查内容类型是否为 multipart/form-data*。

We have set that custom rule with higher priority.我们已经设置了具有更高优先级的自定义规则。 When using the custom rule the images are uploaded but the script tags are not forbidden.使用自定义规则时，上传图像但不禁止脚本标签。 Without having the custom rule if we try uploading the images one particular image alone is not getting uploaded and throws 403 forbidden.如果我们尝试上传图像，而没有自定义规则，则单独一张特定的图像不会被上传并抛出 403 禁止。

Any hints on adding XSS and custom rule to allow image uploads?关于添加 XSS 和自定义规则以允许图像上传的任何提示？

3 个解决方案

转到您的Web访问控制列表，点击编辑AWS-AWSManagedRulesCommonRuleSet，使覆盖规则的行动为True规则SizeRestrictions_BODY

Check your image metadata.检查您的图像元数据。 I recently encountered this issue, and was getting the "GenericRFI_BODY" error in the ACL logs.我最近遇到了这个问题，并且在 ACL 日志中收到了“GenericRFI_BODY”错误。 It turns out the test image I was uploading had an illegal path in its exif data.事实证明，我上传的测试图像在其 exif 数据中有一个非法路径。 There was a URL that pointed to the site where the image came from in some metadata field, and the "://" pattern in that URL was triggering the rule.有一个 URL 指向某个元数据字段中图像来自的站点，并且该 URL 中的“：//”模式触发了规则。 Stripping the metadata from the image allowed it to upload.从图像中剥离元数据允许它上传。

I strongly discourage base64 encoding to circumvent firewall rules.我强烈反对使用 base64 编码来规避防火墙规则。 This will bloat the size of your files, and multipart/form-data exists specifically to stream large binaries back and forth from client to server - not to post massive serialized text blocks.这会增加文件的大小，并且 multipart/form-data 专门用于在客户端和服务器之间来回传输大型二进制文件 - 而不是发布大量序列化的文本块。

Here's the RFC: https://www.ietf.org/rfc/rfc2388.txt这是 RFC： https : //www.ietf.org/rfc/rfc2388.txt

I faced 403 issue in AWS firewall when I try to add image as multipart/form-data.当我尝试将图像添加为 multipart/form-data 时，我在 AWS 防火墙中遇到了 403 问题。

Some of the WAF rules which blocks the image upload are, AWS#AWSManagedRulesSQLiRuleSet#GenericRFI_BODY, AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY and AWS#AWSManagedRulesCommonRuleSet#CrossSiteScripting_BODY.一些阻止图像上传的 WAF 规则是 AWS#AWSManagedRulesSQLiRuleSet#GenericRFI_BODY、AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY 和 AWS#AWSManagedRulesCommonRuleSet#CrossSiteScripting_BODY。

I solved this issue by uploading the image as base64 string instead of uploading as multipart/form-data.我通过将图像上传为 base64 字符串而不是上传为 multipart/form-data 解决了这个问题。