
Is it possible to add safe URLs in AWS WAF?

I know that AWS WAF is pretty dumb and non-configurable, but lately it has become stricter.

We can't even send a request to the backend like:

POST https://our.url/page_id

{
    "data": "<a></a>"
}

In this case the awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body_RC_COUNT rule will be triggered.

I tried to find any way the core-rule-set could be customized, but it looks like it is impossible. But I want to believe that this is due to my lack of searching and that it can be customized in some way. If not, the current WAF is simply unusable. I can't imagine a case where it could be used with these strict, non-editable standard rules.

So the question is: is it possible to set some safe domains (like https://our.url) that will be passed through without blocking? Or maybe there is some way to allow the <a> tag, for example?

You can customize the action on the AWS managed rule in this way:

  • Edit the AWS managed core set and change the rule action to "Override to Count". Take note of the AWS label for this rule (something like "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body").
  • Create a new rule that you add at the end of all existing rules. This new rule should trigger on conditions (1) Statement "has a label", where you specify the above label, and (2) URL matches the URL you want to let through. Specify the action as "Allow".
  • Create a new rule that you add after the previous rule. This rule should trigger on the same condition (1). Specify the action as "Block".
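Both this answer and the one below rest on the same mechanism: the managed rule is overridden to Count so that it only emits its label, and a later rule consumes that label to make the real allow/block decision. If the consuming Block rule is missing, or sits before the rule group, the override silently turns the XSS protection off. The following audit is an added example (not code from either answer or from AWS): it loads a Web ACL in the JSON shape shown in the next answer (trimmed here, with the regex replaced by a placeholder because the audit does not read it), sorts rules by Priority, and reports every Count override that no later Block rule consumes through a LabelMatchStatement. The label comparison uses the last segment of the key, case-insensitively, because the page shows the override named CrossSiteScripting_BODY producing the label ...:CrossSiteScripting_Body.

```python
"""Audit a WAF Web ACL for managed rules overridden to Count whose label is never
consumed by a later Block rule. Added example, not code from the answers; the
embedded ACL is a trimmed copy of the Web ACL JSON shown on this page."""
import json

# Trimmed from the page's Web ACL (VisibilityConfig, ARN etc. omitted; the
# RegexString is a placeholder because this audit never evaluates it).
WEB_ACL_JSON = r'''
{
  "Name": "test-waf",
  "DefaultAction": {"Allow": {}},
  "Rules": [
    {
      "Name": "AWS-AWSManagedRulesCommonRuleSet",
      "Priority": 0,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet",
          "RuleActionOverrides": [
            {"Name": "CrossSiteScripting_BODY", "ActionToUse": {"Count": {}}}
          ]
        }
      },
      "OverrideAction": {"None": {}}
    },
    {
      "Name": "allow-safe-URLs",
      "Priority": 1,
      "Statement": {
        "AndStatement": {
          "Statements": [
            {"NotStatement": {"Statement": {"RegexMatchStatement": {"RegexString": "REGEX-NOT-NEEDED-FOR-THIS-AUDIT"}}}},
            {"LabelMatchStatement": {"Scope": "LABEL", "Key": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body"}}
          ]
        }
      },
      "Action": {"Block": {}}
    }
  ]
}
'''


def label_keys(statement):
    """Recursively collect LabelMatchStatement keys through And/Or/Not nesting."""
    keys = []
    if "LabelMatchStatement" in statement:
        keys.append(statement["LabelMatchStatement"]["Key"])
    if "NotStatement" in statement:
        keys += label_keys(statement["NotStatement"]["Statement"])
    for combinator in ("AndStatement", "OrStatement"):
        for inner in statement.get(combinator, {}).get("Statements", []):
            keys += label_keys(inner)
    return keys


def count_overrides(rule):
    """Names of rule-group members whose action was overridden to Count."""
    group = rule["Statement"].get("ManagedRuleGroupStatement", {})
    return [o["Name"] for o in group.get("RuleActionOverrides", [])
            if "Count" in o["ActionToUse"]]


def unconsumed_count_overrides(web_acl):
    """Return 'rule: override' strings for Count overrides that no later Block rule
    consumes via its label. An empty list means every override still ends in a
    block decision somewhere downstream."""
    findings = []
    rules = sorted(web_acl["Rules"], key=lambda r: r["Priority"])
    for rule in rules:
        for override in count_overrides(rule):
            consumed = False
            for later in rules:
                # Labels only exist for rules evaluated after the group that set them.
                if later["Priority"] <= rule["Priority"] or "Block" not in later.get("Action", {}):
                    continue
                # Compare the last label segment case-insensitively
                # (CrossSiteScripting_BODY override vs ...:CrossSiteScripting_Body label).
                if any(key.rsplit(":", 1)[-1].lower() == override.lower()
                       for key in label_keys(later["Statement"])):
                    consumed = True
            if not consumed:
                findings.append(f'{rule["Name"]}: {override}')
    return findings


def audit_page_acl():
    """The ACL as shown on the page: the override is consumed by allow-safe-URLs."""
    return unconsumed_count_overrides(json.loads(WEB_ACL_JSON))


def audit_without_block_rule():
    """Same ACL with the label-consuming rule removed: Count now means 'never block'."""
    acl = json.loads(WEB_ACL_JSON)
    acl["Rules"] = [r for r in acl["Rules"] if r["Name"] != "allow-safe-URLs"]
    return unconsumed_count_overrides(acl)


def audit_consumer_before_group():
    """Same ACL with priorities swapped so the consumer runs before the managed
    group: it can never see the label, so the override is again unconsumed."""
    acl = json.loads(WEB_ACL_JSON)
    for rule in acl["Rules"]:
        rule["Priority"] = 1 - rule["Priority"]
    return unconsumed_count_overrides(acl)


if __name__ == "__main__":
    print("page ACL:", audit_page_acl() or "all Count overrides consumed")
    print("without block rule:", audit_without_block_rule())
    print("consumer before group:", audit_consumer_before_group())
```

Run it against an exported Web ACL (aws wafv2 get-web-acl output) after any change to RuleActionOverrides; a non-empty result means a managed rule has been demoted to Count with nothing behind it.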

Based on @Chris's answer:

  1. Add AWSManagedRulesCommonRuleSet and override the Action to Count for the desired rule (CrossSiteScripting_BODY in my case). (If you have to allow safe URLs inside query parameters, CrossSiteScripting_QUERYARGUMENTS should be changed the same way, etc.)
  2. Add a custom rule allow-safe-URLs with the Block action that will block all requests carrying the CrossSiteScripting_BODY label and having a JSON body that doesn't match the <[ ]*a[\-_a-zA-Z0-9 ='"()]*href[ ]*=[ "']https:\/\/([a-zA-Z0-9\-]+\.)?example\.com[ "']*>*.<[ ]*\/[ ]*a[ ]*> RegEx. (Only <a href=https://example.com>xxx</a> or <a href=https://anysubdomain.example.com>xxx</a> will be detected as safe.)
  3. The last default action should be Allow.

The final JSON of the WEB ACL will look like:

{
  "Name": "test-waf",
  "Id": "some-uuid-of-web-acl",
  "ARN": "arn:aws:wafv2:us-east-1:1234567890:regional/webacl/test-waf/some-uuid-of-web-acl",
  "DefaultAction": {
    "Allow": {}
  },
  "Description": "Web ACL for URL whitelisting tests",
  "Rules": [
    {
      "Name": "AWS-AWSManagedRulesCommonRuleSet",
      "Priority": 0,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet",
          "Version": "Version_1.5",
          "RuleActionOverrides": [
            {
              "Name": "CrossSiteScripting_BODY",
              "ActionToUse": {
                "Count": {}
              }
            }
          ]
        }
      },
      "OverrideAction": {
        "None": {}
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AWS-AWSManagedRulesCommonRuleSet"
      }
    },
    {
      "Name": "allow-safe-URLs",
      "Priority": 1,
      "Statement": {
        "AndStatement": {
          "Statements": [
            {
              "NotStatement": {
                "Statement": {
                  "RegexMatchStatement": {
                    "RegexString": "<[ ]*a[\\-_a-zA-Z0-9 ='\"()]*href[ ]*=[ \"']https:\\/\\/([a-zA-Z0-9\\-]+\\.)?example\\.com[ \"']*>*.<[ ]*\\/[ ]*a[ ]*>",
                    "FieldToMatch": {
                      "JsonBody": {
                        "MatchPattern": {
                          "All": {}
                        },
                        "MatchScope": "VALUE",
                        "InvalidFallbackBehavior": "EVALUATE_AS_STRING",
                        "OversizeHandling": "MATCH"
                      }
                    },
                    "TextTransformations": [
                      {
                        "Priority": 0,
                        "Type": "NONE"
                      }
                    ]
                  }
                }
              }
            },
            {
              "LabelMatchStatement": {
                "Scope": "LABEL",
                "Key": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body"
              }
            }
          ]
        }
      },
      "Action": {
        "Block": {}
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "allow-safe-URLs"
      }
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "test-waf"
  },
  "Capacity": 707,
  "ManagedByFirewallManager": false,
  "LabelNamespace": "awswaf:1234567890:webacl:test-waf:"
}

WARNING: this JSON is just a simple reproducible example (proof of concept). This configuration is vulnerable to attacks with a body like: <a href=https://example.com></a><a href=https://www.evil-url.com></a>. The RegEx may also be vulnerable. You have to check that ONLY safe URLs are included in the body. The actual checking (URL-matching) logic should be more complicated. Don't use it as is (by copy/paste).
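To make the warning concrete, here is an added example (not code from the answer above or from AWS) that replays the allow-safe-URLs decision in Python. It copies the RegexString from the Web ACL, applies it to every string value of a JSON body the way FieldToMatch JsonBody with MatchPattern All and MatchScope VALUE does, and puts beside it a stricter check that parses every anchor and requires each href host to be example.com or one of its subdomains over https. The request bodies are constructed here in the shape of the question's POST; the anchors use quoted href values because that is the form the regex's =[ "'] accepts.

```python
"""Replay the allow-safe-URLs decision from the Web ACL above and compare it with a
stricter check. Added example, not code from the answers; example.com is the
allow-listed domain used on the page and the request bodies are constructed here."""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The RegexString from the Web ACL, with the JSON escaping removed.
SAFE_ANCHOR_RE = re.compile(
    r'''<[ ]*a[\-_a-zA-Z0-9 ='"()]*href[ ]*=[ "']https:\/\/([a-zA-Z0-9\-]+\.)?example\.com[ "']*>*.<[ ]*\/[ ]*a[ ]*>'''
)
ALLOWED_HOST = "example.com"


def json_string_values(body):
    """Every string value in the JSON document: what FieldToMatch JsonBody with
    MatchPattern All and MatchScope VALUE hands to the regex."""
    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                yield from walk(value)
        elif isinstance(node, list):
            for value in node:
                yield from walk(value)
        elif isinstance(node, str):
            yield node
    yield from walk(json.loads(body))


def regex_rule_allows(body):
    """Outcome for a request already carrying the CrossSiteScripting_Body label.
    The Block rule is NotStatement(regex) AND label, so it fires only when no
    value matches; one matching value sends the request on to the default Allow."""
    return any(SAFE_ANCHOR_RE.search(value) for value in json_string_values(body))


class AnchorAudit(HTMLParser):
    """Record every href and flag anything that is not a bare <a href=...> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.clean = True

    def handle_starttag(self, tag, attrs):
        if tag != "a" or [name for name, _ in attrs] != ["href"]:
            self.clean = False
            return
        self.hrefs.append(attrs[0][1] or "")

    def handle_endtag(self, tag):
        if tag != "a":
            self.clean = False


def host_allowed(url):
    """https only, and the host must be example.com itself or one of its subdomains."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (host == ALLOWED_HOST or host.endswith("." + ALLOWED_HOST))


def strict_allows(body):
    """Allow only when every value parses to nothing but <a> tags whose href hosts
    are all on the allow list; a single foreign anchor fails the whole request."""
    for value in json_string_values(body):
        audit = AnchorAudit()
        audit.feed(value)
        audit.close()
        if not audit.clean or not all(host_allowed(h) for h in audit.hrefs):
            return False
    return True


def body(html):
    """Constructed request body in the shape of the question's POST: {"data": "<a></a>"}."""
    return json.dumps({"data": html})


SAFE = body('<a href="https://example.com">x</a>')
SUBDOMAIN = body('<a href="https://cdn.example.com"></a>')
EVIL = body('<a href="https://www.evil-url.com"></a>')
# The body shape the warning above describes: one allow-listed anchor next to a foreign one.
MIXED = body('<a href="https://example.com"></a><a href="https://www.evil-url.com"></a>')
UNQUOTED = body('<a href=https://example.com>xxx</a>')

if __name__ == "__main__":
    for name, sample in [("SAFE", SAFE), ("SUBDOMAIN", SUBDOMAIN), ("EVIL", EVIL),
                         ("MIXED", MIXED), ("UNQUOTED", UNQUOTED)]:
        print(f"{name:9} regex rule allows={regex_rule_allows(sample)!s:5} "
              f"strict allows={strict_allows(sample)}")
```

The MIXED body is exactly the weakness the warning points at: a single allow-listed anchor satisfies the regex, the NotStatement never becomes true, and the default Allow applies, whereas the parser-based check fails closed on the second anchor. The UNQUOTED body shows the opposite edge: the regex requires a space or quote between = and the URL and at most one character between > and </a>, so that request is blocked even though the parser judges it safe. Presence of one good pattern is not the same as absence of every bad one, which is why the answer says the matching logic has to be more elaborate than a single regex.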
