12

We have enabled the AWS WAF solution in front of my ALB and have SQL injection and XSS detection enabled. We have tried to set up a custom rule that checks whether the content-type is multipart/form-data* using a regex.

We have set that custom rule with a higher priority. When using the custom rule the images are uploaded, but the script tags are not forbidden. Without the custom rule, if we try uploading the images, one particular image alone is not uploaded and throws 403 Forbidden.

Any hints on adding an XSS rule and a custom rule to allow image uploads?

Boopathi N

6 Answers

10

Check your image metadata. I recently encountered this issue, and was getting the "GenericRFI_BODY" error in the ACL logs. It turns out the test image I was uploading had an illegal path in its exif data. There was a URL that pointed to the site where the image came from in some metadata field, and the "://" pattern in that URL was triggering the rule. Stripping the metadata from the image allowed it to upload.

I strongly discourage base64 encoding to circumvent firewall rules. This will bloat the size of your files, and multipart/form-data exists specifically to stream large binaries back and forth from client to server - not to post massive serialized text blocks.

Here's the RFC: https://www.ietf.org/rfc/rfc2388.txt
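The check described in this answer, as an added example that is not the answerer's code: a stdlib-only Python scanner that reports which JPEG segment holds the `://` that GenericRFI_BODY matched on, and a stripper that removes the metadata segments (APP1..APP15 and COM, where EXIF, XMP and comments live) while leaving the pixel data untouched. The sample JPEG bytes are constructed for the demo and are not a decodable picture.

```python
import re
import struct

RFI_PATTERN = re.compile(rb"[\x20-\x7e]*://[\x20-\x7e]*")  # printable run around the '://' the rule keys on
# Metadata-only segments: APP1..APP15 (EXIF, XMP, ICC, ...) and COM. APP0 (JFIF) is kept for decoders.
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {0xFE}

def iter_segments(data):
    """Yield (marker, raw_segment); the SOS segment is yielded with all scan data up to EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:              # SOS: entropy-coded data follows, no more headers
            yield marker, data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length

def find_rfi_strings(data):
    """(marker, snippet) per segment containing '://': shows whether the trigger is strippable metadata."""
    hits = []
    for marker, seg in iter_segments(data):
        m = RFI_PATTERN.search(seg)
        if m:
            hits.append((marker, m.group().decode("ascii")))
    return hits

def strip_metadata(data):
    """Drop APP1..APP15 and COM segments; every other segment is copied byte-for-byte."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += seg
    return bytes(out)

def _segment(marker, payload):   # 0xFF, marker, big-endian length (includes itself), payload
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample, not a real picture: JFIF header, an EXIF-style APP1 holding a source URL,
# a COM segment, then a stub SOS + EOI.
SAMPLE_JPEG = (b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00http://photos.example.test/original.jpg\x00")
    + _segment(0xFE, b"taken at the office")
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")
```

Run `find_rfi_strings` on the blocked upload first: if the hit is in an APPn or COM segment, `strip_metadata` removes it; if it sits in the scan data itself, stripping will not help and the rule needs a scoped override instead.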

6

Go to your Web ACL, click on edit for AWS-AWSManagedRulesCommonRuleSet, and set Override rules action to True for the rule SizeRestrictions_BODY.

3

I faced a 403 issue in the AWS firewall when I tried to upload an image as multipart/form-data.

Some of the WAF rules which block the image upload are AWS#AWSManagedRulesSQLiRuleSet#GenericRFI_BODY, AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY and AWS#AWSManagedRulesCommonRuleSet#CrossSiteScripting_BODY.

I solved this issue by uploading the image as a base64 string instead of uploading it as multipart/form-data.

Boopathi N
  • I'm facing the same issue while uploading images to s3 via a PHP form submission. I'm using the default WAF rule script provided by AWS https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/template.html. Let me check with the developer regarding the image upload encryption. – bibincatchme Dec 05 '20 at 17:25
  • It's a pretty good approach. But you'll have problems with SizeBody of the same set of rules on WAF. – rios0rios0 Feb 17 '21 at 19:27
  • Uploading as base64 is, in general, not a great idea. It makes the request bigger and multipart/form-data is specifically for situations like this. – Marc LaBelle Apr 25 '23 at 18:16
0

In my case this was due to the following WAF rule:

ruleGroupList.0.ruleGroupId             AWS#AWSManagedRulesCommonRuleSet
ruleGroupList.0.terminatingRule.ruleId  SizeRestrictions_BODY

And I solved the problem by overriding the default rule action from BLOCK to CHALLENGE.

Valentino
0

I was getting a 403 Forbidden error when trying to upload files as multipart/form-data, and I solved it by following the instructions in this AWS article. Basically you need to add a new WAF rule with a higher priority than the one that is blocking you (in my case it was SizeRestrictions_BODY).

0

Solved my issue. Go to your Web ACL, click on edit for AWS-AWSManagedRulesCommonRuleSet, and set Override rules action to True for the rule SizeRestrictions_BODY.