Waf Charm

Blog

Follow us

AWS WAF, WafCharm

How to specify keys and values of JSON format request body to match on AWS WAF

This post was originally written in Japanese in the past.

Table of Contents

  1. 1. Introduction
  2. 2. How to use the feature
  3. 3. Configuration details with an example
  4. 4. Example usages
  5. 5. Caveat
  6. 6. Limitations on WafCharm
  7. 7. Conclusion

1. Introduction

On February 12th, 2021, a feature to specify keys and values of JSON content in a request body (referred to as JSON parser feature further on) was released in AWS WAF.
You could only inspect a whole request body until this release, but you can now specify and narrow down what to inspect, which could lessen unnecessary matches, further improving the accuracy.
In this post, we will take a look at configuration and usage examples.

*This feature is not available in AWS WAF Classic.

2. How to use the feature

Create a rule in the AWS management console.

Choose from “Plain text” or “JSON” for a content type by selecting “Body” under the “Inspect” field, so select the “JSON” option.

After selecting “JSON” for the content type, there will be more details shown to specify. Let’s take a look at them.

Item Description
JSON match scope Select keys, values, or both (All) in this item.
How AWS WAF should handle the request if the JSON in the request body is invalid Select the behavior when data did not match JSON format.

  • None: evaluate up to where AWS WAF can
  • Evaluate as plain text: transform to plain text and evaluate
  • Match: evaluate the request as matching the rule and take an action (Block, Count, or Allow)
  • No match: evaluate as not matching to the rule
Content to inspect
  • Full JSON content: all elements in the JSON content
  • Only included elements: elements that are only specified

There will be an input field if you select Only included elements. Specify content to inspect in the JSON Pointer syntax.

This is all for the configuration procedure. We will show an example for better understanding.

3. Configuration details with an example

We will look at an example JSON below for each configuration. 

````
{
    "user": {
        "name": "Person Doe",
        "data": {
            "job": [
                {
                    "role": "Engineers",
                    "position": "manager"
                }
            ]
        }
    }
}
````

When separated into keys and values, it would look like the below.

keys user, name, data, job, role, position
values Person Doe, Engineers, manager

If JSON match scope is set to All, both keys and values will be inspected. By selecting Keys or Values, inspected content can be narrowed down to either of them.

As another example, when the Content to inspect is limited, the values listed below will be inspected.

Content to inspect JSON match scope Inspected contents
/user/data ALL job, role, Engineers, position, manager
/user/data keys job, role, position
/user/data values Engineers, manager
/user/data/job/0 ALL role, Engineers, position, manager
/user/data/job/0 keys role, position
/user/data/job/0 values Engineers, manager

JSON Pointer is defined by RFC6901.
Specify keys for associative array {} and specify placement for array [].

Reference:
https://tools.ietf.org/html/rfc6901

4. Example usages

Change the setting to only inspect values By limiting the content to inspect to inputs from clients, you could reduce the possibilities of false positives.
Only target to inspect where JSON structures change based on user input By limiting the content to inspect, you could reduce the possibilities of false positives.
Exclude text input that accepts relatively free content from content to inspect You could reduce the possibilities of false positives that could occur in relatively free text input
*With increased scopes, higher WCU might be required.
*This has to be edited in JSON editor.
Narrowing down the conditions of existing rules You can narrow down the conditions of rules by combining JSON parser features’ conditions and existing rules using AND conditon

Narrowing down to reduce false positives is beneficial if the content that does not get inspected is controlled and only accepts expected values. Use these methods after you’ve ensured that appropriate validation is provided.

5. Caveat

  • AWS WAF request size limitations

    AWS WAF can only inspect the first 8 KB (8,192 bytes) of the request body. In some cases, you have to combine rules to inspect based on request sizes.

  • High cost

    By using the JSON parser feature, usage of WCU increases to double the amount. It might be more cost-effective to implement methods to counter false positives by excluding certain URI paths than to exclude certain information in a specific JSON.

6. Limitations on WafCharm

Customization using the JSON parser feature is available.
Please refer to the AWS WAF document's JSON body section before requesting a customization.

You can add the rule as your own rule as well.

7. Conclusion

This feature can only be used for JSON format data, but it is useful to avoid false positives because you can narrow down the content to inspect.
However, having content not to inspect does pose security risks; ensure that your application has implemented a way to avoid unexpected value from being entered in a place you are excluding.

Back to list

Popular Post