I'm trying to configure an Amazon ALB (Application Load Balancer, not "classic" ELB) to use Web Application Firewall (WAF) to reject HTTPS requests that contain potential XSS or SQL Injection payloads.
I configured in WAF an XSS rule
- Body contains a cross-site scripting threat.
- Query string contains a cross-site scripting threat after decoding as URL.
and a SQL Injection rule
- Body contains SQL injection threat.
- Query string contains SQL injection threat after decoding as URL.
When I browse to the login form of a web application behind the ALB and submit the username
`<script>danger</script>`
the ALB intercepts the request as expected and returns an HTTP 403 status.
However, when I submit the username
`Robert'); DROP TABLE students;--`
I get an error from the web application indicating an invalid username and password, rather than the expected HTTP 403.
Why might the XSS rule work effectively, while the similarly created SQL Injection rule doesn't stop input that is a classic example of SQL injection? Do I need to set that rule up differently somehow? Any known issues applying WAF to ALB (I know the integration is very new, so I suppose there may be some bugs).