我的web应用程序有一个接受html的表单。
浏览器发送一个HTTP/PUT-ajax调用,该调用带有json主体,格式如下:
{
"de": "",
"en": "<p>Evil Corp will process the Data that is strictly necessary\nand reserves the right to delete or anonymize immediately any Data that\nis not necessary.</p>\n<p>from</p>",
"es": "",
"fr": "",
"it": ""
},
"notes": {
"de": "",
"en": "",
"es": "",
"fr": "",
"it": ""
}
}
当内容包含以下字符串时,我对AWS WAF有问题:
<p>Evil Corp will process the Data that is strictly necessary
and reserves the right to delete or anonymize immediately any Data that
is not necessary.</p>
<p>from</p>
WAF返回403错误,并且该请求被拒绝。
如果内容包含其他字符串,例如:,我没有问题
<p>Evil Corp will process the Data that is strictly necessary
and reserves the right to delete or anonymize immediately any Data that
is not necessary.</p>
<p>hello world</p>
两者都被认为是我申请的有效内容。
WAF配置如下:AWS Classic WAF的";AWS WAF的网络安全云管理规则-高安全OWASP集-";。
我想了解:
- 阻止请求的规则是什么
- 为什么这些内容被认为是危险的
- 我能以一种让AWS WAF可以接受的方式转换我的请求吗
- 我可以配置AWS WAF使其接受此类内容吗
您是否已在AWS WAF WebACL上启用访问日志记录?
启用后,您可以在日志中获取哪些规则阻止了您的内容的信息。然后,你可以回答以下问题。
这是您的参考资料:
- WAFv2:https://docs.aws.amazon.com/waf/latest/developerguide/logging-management.html
- WAF经典:https://docs.aws.amazon.com/waf/latest/developerguide/classic-logging.html