0
votes

I've been trying to put a WAF on a load-balancer at AWS.

There is a parameter inside my web application (but it is only used in one URL, not in all) which I left on purpose with a command injection vulnerability. To fix this, I decided to use an AWS ACL with a Regex rule telling it that when the "path" parameter doesn't match the regular expression it should block, and as the default action of the ACL I leave allow.

The result is that all the requests that I am making get a 403, with or without a path parameter. The truth is that I can't find any material about this rule and I don't know what I'm doing wrong; I attach pictures.

https://i.stack.imgur.com/K6rCm.png
https://i.stack.imgur.com/R69Lv.png
https://i.stack.imgur.com/gYVBL.png
https://i.stack.imgur.com/LfyHg.png
Sorry if I put the images in a code block, I'm a new user and I don't have the 10 reputation - OrlandoGK
Please include some sample text and the required result, as people who are good with Regex might not be familiar with AWS terminology. - farooq
@farooq The problem is not with the regex, I tested that a lot in regex101.com and with Java; the problem is the configuration of the rule that compares the Regex with the URL parameter - OrlandoGK
OK, there are different variations of Regex syntax; maybe your application is using a different variety of Regex. - farooq
The "path" parameter you defined is not the request path, it's a query string parameter named "path." I mention that because I was momentarily confused by this. Now... your rule denies any request where the value of this parameter doesn't match the regex or -- presumably -- any request where this parameter is absent. - Michael - sqlbot

1 Answer

0
votes

I think what you want is to set the rule on the URI, not the query arg. The query arg only looks at the value of the attribute, which is the stuff that comes after ? in the URI.

https://en.wikipedia.org/wiki/Uniform_Resource_Identifier

Also, WAF supports standard Perl Compatible Regular Expressions (PCRE) with some exceptions:

https://docs.aws.amazon.com/waf/latest/developerguide/waf-regex-pattern-set-creating.html

Lastly, why not use WAFv2? It seems like you are still using WAF Classic.
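For reference, here is the shape such a rule takes in WAFv2 rule JSON (the form the console's JSON rule editor accepts). This is an added example, not code from the question, the answer or AWS documentation; the endpoint prefix `/vulnerable-endpoint`, the allow-list regex and the metric name are assumptions. The AndStatement restricts the check to the one URI path that actually reads the parameter, so the rest of the site is no longer caught by the negated match, and the NotStatement wraps a RegexMatchStatement on the `path` query argument, as the question intended.

```json
{
  "Name": "block-bad-path-arg-on-one-endpoint",
  "Priority": 0,
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BlockBadPathArg"
  },
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "ByteMatchStatement": {
            "FieldToMatch": { "UriPath": {} },
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": "/vulnerable-endpoint",
            "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
          }
        },
        {
          "NotStatement": {
            "Statement": {
              "RegexMatchStatement": {
                "RegexString": "^[A-Za-z0-9_./-]+$",
                "FieldToMatch": { "SingleQueryArgument": { "Name": "path" } },
                "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ]
              }
            }
          }
        }
      ]
    }
  }
}
```

Keep in mind the point from the last comment: a request to that endpoint that omits `path` altogether cannot satisfy the inner regex match, so the negation still fires and it is blocked; if the parameter is optional on that endpoint, the rule needs a further condition for its presence.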