【Overview】
In this blog, we will show how to create a rule that blocks requests containing a specific string in the URI, and then check that such requests are actually blocked. The string to be detected is “test.txt”.
【Creating a Condition】
1. Select "String and regex matching" from the AWS WAF console.
2. Click “Create condition”.
3. On the next screen, perform the following steps:
・Name*: Enter an arbitrary name. We will use “test_txt”.
・Part of the request to filter on: Select “URI”.
・Matching type: Select “Contains”.
・Transformation: Select “None”.
・Value to match*: Enter “test.txt”.
・Click “Add Filter” to add the filter to the condition.
4. Confirm that the filter appears under “Filters in this string match condition” and click “Create”.
5. The condition is created.
【Creating a Rule】
1. Select “Rules” from the AWS WAF console.
2. Click “Create rule”.
3. On the next screen, perform the following steps:
・Name*: Enter an arbitrary name. We will use “TEST_TXT_RULE”.
・Rule type*: Select “Regular rule”.
・Under “When a request”, select “does” / “match at least one of the filters in the string match condition”.
・Select the condition “test_txt” you created earlier.
・Make sure that the contents of the condition are reflected and click “Create”.
4. The rule is created.
【Adding to the ACL (Access Control List)】
1. Select “Web ACLs” from the AWS WAF console and click the target Web ACL.
2. Select the “Rules” tab.
3. Click “Edit web ACL”.
4. Select the rule “TEST_TXT_RULE” you created earlier and click “Add rule to web ACL”.
・Under “If a request matches all the conditions in a rule, take the corresponding action”, select “Block” as the action for this rule.
・Next, for “Default action”, select “Allow all requests that don’t match any rules” and click “Update”.
※ “Default action” is the action applied to requests that don’t match any rules, and it can be set to “Allow” or “Block”.
Please note that if this is set to “Block”, all requests except those explicitly allowed by the rules will be blocked.
5. The rule is added to the Web ACL.
6. Now, let’s actually test it and see if it works.
We applied the rule and accessed “http://example.com”.
We were able to access it without any problems.
7. Next, when we accessed a URI containing the target string,
“http://example.com/test.txt”, a “403 Forbidden” error was returned.
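To make the evaluation order concrete, here is a small Python model of the objects created above (an added example written for this post, not AWS code and not the AWS WAF API): the string match condition, the rule, and the web ACL with its default action. It assumes WAF Classic semantics for “Contains” with transformation “None” (a plain, case-sensitive substring test on the URI as received) and models only the URI field and the NONE, LOWERCASE and URL_DECODE transformations.

```python
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class StringMatchCondition:
    """One filter of a string match condition: URI field, "Contains" matching."""
    name: str
    value: str                    # "Value to match"
    transformation: str = "NONE"  # NONE | LOWERCASE | URL_DECODE (subset modelled)

    def matches(self, uri: str) -> bool:
        if self.transformation == "LOWERCASE":
            uri = uri.lower()
        elif self.transformation == "URL_DECODE":
            uri = unquote(uri)
        return self.value in uri  # "Contains": plain, case-sensitive substring test


@dataclass
class Rule:
    name: str
    conditions: list

    def matches(self, uri: str) -> bool:
        return all(c.matches(uri) for c in self.conditions)  # every condition must match


@dataclass
class WebACL:
    """Ordered (rule, action) pairs plus the default action for unmatched requests."""
    activated_rules: list         # [(Rule, "BLOCK" | "ALLOW"), ...] in priority order
    default_action: str = "ALLOW"

    def evaluate(self, uri: str) -> str:
        for rule, action in self.activated_rules:
            if rule.matches(uri):
                return action     # first matching rule decides
        return self.default_action


# Objects as configured in the walkthrough: condition -> rule -> web ACL.
test_txt = StringMatchCondition("test_txt", "test.txt")
test_txt_rule = Rule("TEST_TXT_RULE", [test_txt])
acl = WebACL([(test_txt_rule, "BLOCK")], default_action="ALLOW")

if __name__ == "__main__":
    # Constructed sample request paths, including two the NONE transformation misses.
    for path in ("/", "/test.txt", "/TEST.TXT", "/test%2Etxt"):
        print(f"{path:12} -> {acl.evaluate(path)}")
```

Running it shows “/” allowed and “/test.txt” blocked, while “/TEST.TXT” and “/test%2Etxt” pass with transformation “None”; choosing LOWERCASE or URL_DECODE as the transformation, or setting the default action to “Block”, changes those outcomes, which is why both settings deserve a deliberate choice.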
【Summary】
This time we introduced a method for setting up a rule in AWS WAF that blocks requests containing a specific string in the URI. Please try it yourself.