
Understanding why amazon waf is blocking a request

My web application has a form which accepts html.

The browser sends an HTTP PUT Ajax call with a JSON body in this format:

{
    "de": "",
    "en": "<p>Evil Corp will process the Data that is strictly necessary\\nand reserves the right to delete or anonymize immediately any Data that\\nis not necessary.</p>\\n<p>from</p>",
    "es": "",
    "fr": "",
    "it": ""
  },
  "notes": {
    "de": "",
    "en": "",
    "es": "",
    "fr": "",
    "it": ""
  }
}

I have a problem with the AWS WAF, when the content contains the following string:

<p>Evil Corp will process the Data that is strictly necessary
and reserves the right to delete or anonymize immediately any Data that
is not necessary.</p>
<p>from</p>

The WAF returns 403 error and the request is rejected.

I have no problem if the content contains other strings, such as:

<p>Evil Corp will process the Data that is strictly necessary
and reserves the right to delete or anonymize immediately any Data that
is not necessary.</p>
<p>hello world</p>

Both are considered valid contents for my application.

The WAF is configured as follows: AWS Classic WAF's "Cyber Security Cloud Managed Rules for AWS WAF -HighSecurity OWASP Set-".

I'd like to understand:

  • which is the rule which blocks the request?
  • why is this content considered dangerous?
  • can I transform my request in a way that makes it acceptable for AWS WAF?
  • can I configure the AWS WAF to make it accept this kind of content?

Have you enabled the access logging on your AWS WAF WebACL?

Once you enable it, you can get the information in the log about which rule blocked your content. Then you can answer your remaining questions.

Here is your reference:
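As an added example (not part of the answer above, and not code from AWS), this is the kind of check a practitioner would run over the WAF access log once logging is enabled: it reads log records in the documented AWS WAF log layout (fields terminatingRuleId, terminatingRuleType, action, ruleGroupList, httpRequest) and reports which rule group and which rule inside it terminated each blocked request. The two log records are constructed, and the web ACL, rule group and rule IDs are placeholders.

```python
import json

# Two constructed AWS WAF log records in the documented log layout (not from the
# question): a PUT blocked by a rule inside a managed rule group, and one allowed.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": 1700000000000, "formatVersion": 1,
        "webaclId": "placeholder-webacl-id",
        "terminatingRuleId": "placeholder-managed-rule-group",
        "terminatingRuleType": "GROUP", "action": "BLOCK",
        "ruleGroupList": [{
            "ruleGroupId": "placeholder-managed-rule-group",
            "terminatingRule": {"ruleId": "placeholder-xss-rule", "action": "BLOCK"},
            "nonTerminatingMatchingRules": [], "excludedRules": None,
        }],
        "httpRequest": {"clientIp": "203.0.113.10", "httpMethod": "PUT",
                        "uri": "/api/texts/42"},
    }),
    json.dumps({
        "timestamp": 1700000001000, "formatVersion": 1,
        "webaclId": "placeholder-webacl-id",
        "terminatingRuleId": "Default_Action", "terminatingRuleType": "DEFAULT",
        "action": "ALLOW", "ruleGroupList": [],
        "httpRequest": {"clientIp": "203.0.113.10", "httpMethod": "PUT",
                        "uri": "/api/texts/42"},
    }),
]


def blocking_rules(log_lines):
    """Return (uri, method, rule_group, rule_id) for every BLOCKed record.

    For terminatingRuleType GROUP, terminatingRuleId names the rule group and the
    matching rule is the terminatingRule of that ruleGroupList entry.
    """
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("action") != "BLOCK":
            continue
        group, rule = None, rec.get("terminatingRuleId")
        if rec.get("terminatingRuleType") == "GROUP":
            for entry in rec.get("ruleGroupList", []):
                term = entry.get("terminatingRule")
                if entry.get("ruleGroupId") == rule and term:
                    group, rule = rule, term.get("ruleId")
                    break
        req = rec.get("httpRequest", {})
        hits.append((req.get("uri"), req.get("httpMethod"), group, rule))
    return hits
```

The reported rule ID is what to look up in the managed rule group's documentation, and what to exclude or override in the web ACL if the content is legitimate for the application.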
