
In my scenario the SQL cookie rule is being triggered by the WAF, but the cookies do not have anything malicious in them. Could anyone please let me know why this is?

I've replicated the issue with a false positive (blocked valid request) by the rule SQLi_COOKIE from AWSManagedRulesSQLiRuleSet in my environment.

WAF logs showed:
"location":"HEADER","matchedData":["ajs_user_id","=","null",";","ajs_group_id"]}]

While testing the request the following patterns were blocked:
ajs_user_id=null;
ajs_group_id=null;

curl --cookie "ajs_group_id=null;" http://example.com
<head><title>403 Forbidden</title></head>

Basically it blocks any key of the form "name=null;".

Could anyone please suggest whether there is a better way to allow these requests to be processed in the future? It seems like '=null;' is the flagging mechanism, but that is very loose and not specific to SQL.


We just spent about half a day chasing down this same issue. This particular cookie appears to be set by Segment's Analytics.js.

We're torn on whether this is something Segment should prevent their script from doing and/or something AWS's WAF rule should allow.

For the moment, we've simply removed that single sub-rule.

iDVB
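One way to do what the answer describes without losing visibility is to override only the SQLi_COOKIE sub-rule to Count, so matches such as `ajs_user_id=null;` still appear in the WAF logs but no longer block. This is an added CloudFormation (AWS::WAFv2::WebACL) fragment, not code from the question or answer; the logical names, priority and metric name are assumptions.

```yaml
# Added example: one rule entry inside the Rules list of an AWS::WAFv2::WebACL.
# Only the override for SQLi_COOKIE is page-specific; Priority and MetricName are assumed.
- Name: AWS-AWSManagedRulesSQLiRuleSet
  Priority: 10                      # assumed; adjust to your WebACL ordering
  OverrideAction:
    None: {}                        # let the managed group's own actions apply
  Statement:
    ManagedRuleGroupStatement:
      VendorName: AWS
      Name: AWSManagedRulesSQLiRuleSet
      RuleActionOverrides:
        # Keep detecting the "name=null;" cookie pattern, but do not block on it.
        # Matches are still logged with action COUNT for review.
        - Name: SQLi_COOKIE
          ActionToUse:
            Count: {}
  VisibilityConfig:
    SampledRequestsEnabled: true
    CloudWatchMetricsEnabled: true
    MetricName: SQLiRuleSetWithCookieOverride   # assumed metric name
```

Once deployed, review the COUNT entries for SQLi_COOKIE in the WAF logs for a while to confirm that only the Segment cookies trigger it before deciding whether to keep the override.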