amazon-archives / aws-waf-sample

This repository contains example scripts and sets of rules for the AWS WAF service. Please be aware that the applicability of these examples to specific workloads may vary.
MIT No Attribution

AWS Waf does not work on JSON body for SQLi / XSS #37

Open coucou127 opened 4 years ago

coucou127 commented 4 years ago

Hi,

The following request is not blocked by the SQLi rule; even SQLMap was not intercepted:

Host: host.com
Connection: close
Content-Length: 71
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Sec-Fetch-Mode: cors
Content-Type: application/json
Sec-Fetch-Site: same-site
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: AWSALB=AWSLAB

{"email":"COUCOU' OR 1=1; --","captcha":null,"password":"coucou"}

We think that it might be due to the fact that the body is embedded in JSON.

Thank you in advance, Sincerely Yours, Cou Cou
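One mitigation for the gap this issue describes, added here as an example and not code from this repository: an AWS WAFv2 rule whose SqliMatchStatement inspects the parsed JSON body (the JsonBody field to match) instead of the raw body text, so the value of "email" in the request above is what the SQLi detector evaluates. It assumes a WAFv2 web ACL; the rule name, priority and metric name are placeholder choices.

```json
{
  "Name": "SqliInJsonBody",
  "Priority": 0,
  "Statement": {
    "SqliMatchStatement": {
      "FieldToMatch": {
        "JsonBody": {
          "MatchPattern": { "All": {} },
          "MatchScope": "VALUE",
          "InvalidFallbackBehavior": "EVALUATE_AS_STRING"
        }
      },
      "TextTransformations": [
        { "Priority": 0, "Type": "URL_DECODE" },
        { "Priority": 1, "Type": "HTML_ENTITY_DECODE" }
      ]
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "SqliInJsonBody"
  }
}
```

MatchScope VALUE evaluates only JSON values (ALL would also cover keys), and EVALUATE_AS_STRING makes a body that fails to parse as JSON fall back to raw-text inspection rather than passing unexamined. Add the rule to the web ACL's rule list with `aws wafv2 update-web-acl` and confirm the sampled requests show the block before relying on it.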