AWS WAF adds support for inspecting multiple request headers | Amazon Web Services

Aug 16, 2023

AWS WAF adds support for inspecting multiple request headers | Amazon Web Services

AWS WAF now supports evaluating multiple headers in the HTTP request, without the need to specify each header individually in AWS WAF rules. You can also use this new capability to easily inspect all cookies in the HTTP request, without the need to specify each cookie in WAF rules. This capability helps you protect your applications or API endpoints from attacks that try to exploit a custom header or cookie, or a common header for which you may not have created a WAF rule. You can also limit the scope of inspection to only included or excluded headers, and inspect only the keys or only the values for the headers or cookies you want to inspect.
For HTTP requests that may include more headers than WAF can inspect, you can provide oversize handling instructions when you define your rule statement. Oversize handling tells WAF what to do with a web request when the number or size of request headers is over the limits. With oversize handling, you can choose whether to continue inspection or skip inspection and mark the request as matching or not matching the WAF rule. For more information about handling oversize content, see oversize request component handling documentation.

WAF Developer Guide: https://go.aws/3KAzcSW
Announcement: https://go.aws/3AVN6L9
Oversize Request Handling: https://go.aws/3RlbSe4

Subscribe:
More AWS videos - http://bit.ly/2O3zS75
More AWS events videos - http://bit.ly/316g9t4

ABOUT AWS
Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. Millions of customers — including the fastest-growing startups, largest enterprises, and leading government agencies — are using AWS to lower costs, become more agile, and innovate faster.

#AWSWAF #AWS #AmazonWebServices #CloudComputing

Content

1.068 -> - [Instructor] AWS WAF now supports

2.94 -> evaluating multiple headers in the HTTP request

6.69 -> without the need to specify each header individually

9.57 -> in the AWS WAF rules.

12.51 -> You can also use this new feature to inspect all cookies

15.54 -> in the HTTP request

17.04 -> without the need to specify each cookie in the WAF rules.

21.15 -> This capability helps you protect your applications

23.76 -> or API endpoints from attacks that try

25.92 -> to exploit a custom header or cookie

28.89 -> or a common header for which you may not have created

31.17 -> a WAF rule.

33.15 -> You can also limit the scope

34.47 -> of inspection to only included or excluded headers

37.83 -> and inspect only the keys or only the values

40.83 -> for the headers or cookies you want to inspect.

44.7 -> For HTTP requests that may include more headers

47.46 -> than WAF can inspect,

49.38 -> you can provide oversize handling instructions

51.72 -> when you define your rule statement.

54.66 -> Oversize handling tells WAF what to do with a web request

57.93 -> when the number

58.77 -> or size of request headers is over the limits.

63.005 -> With oversized handling,

64.53 -> you can choose whether to continue inspection

67.02 -> or skip inspection and mark the request as matching

69.84 -> or not matching the WAF rule.

72.9 -> There is no additional cost

74.22 -> for matching against all headers or cookie details

77.37 -> but standard service charges for AWS WAF still apply.

81.9 -> These features are available in all AWS WAF regions

85.5 -> and for each supported service

87.18 -> including Amazon CloudFront, Application Load Balancer,

91.23 -> Amazon API Gateway, and AWS AppSync.

95.49 -> For a full list of request component options

98.22 -> that are supported, see the AWS WAF Developer Guide.

103.02 -> Attacks may look different than inspected

105.09 -> and they don't always succeed.

107.22 -> Often, threat actors are guessing how

109.17 -> to compromise a request.

111.39 -> Requests should be considered malicious

113.46 -> if there is malicious content in the header or cookies,

116.4 -> even if the attack fails.

119.34 -> When making custom rules in AWS WAF,

121.92 -> you can now inspect more than a single header

124.02 -> or cookie in a single rule.

126.45 -> This allows you to identify a threat

128.25 -> even if you don't know exactly what you're looking for.

132.51 -> Because there are limits on the size

134.16 -> or the numbers of headers or cookies,

136.47 -> AWS WAF provides rule choices on how to handle a request

140.28 -> if the content exceeds the limit thresholds.

143.22 -> Now we're going to look at this new feature in action.

146.52 -> In the demo, we will send requests to a live system.

150.06 -> You will see how to configure new rules in AWS WAF

153.45 -> to block the requests when they contain

155.46 -> objectionable header content.

157.74 -> First, let's have a look at the system architecture.

160.44 -> Here we have an Application Load Balancer

162.57 -> configured to route requests to a Lambda function.

165.81 -> For demonstration purposes,

167.22 -> the Lambda function will simply respond back

169.32 -> to the requesting application

171.12 -> with the header sent in the request.

173.16 -> This will allow us to show when a request

175.14 -> was successfully routed

176.64 -> and see the content of the header sent.

179.675 -> AWS WAF will inspect the request before routing.

182.91 -> Any request blocked will send an error response back

185.73 -> to the requesting application.

187.98 -> For the beginning of the demonstration,

190.17 -> we will send through a request

191.58 -> with several headers containing SQL.

194.31 -> SQL code in headers are indicators of a malicious request.

198.72 -> I'll also include an identifiable body

201.12 -> so that we can see that the data sent is the data returned.

207.99 -> Because there are no WAF rules in place,

210.36 -> you can see that the request went through

212.85 -> and the Lambda function sent back the contents,

215.1 -> including all the headers.

217.08 -> Note that several headers are guesses

218.97 -> at possible server side variables

220.77 -> where my SQL injection could be executed.

223.62 -> As you can see, I have many versions

225.75 -> of possible user ID fields, some passwords, and item IDs.

232.38 -> Now let's look at the WAF console.

234.48 -> For this demo, I have a web ACL attached to my ALB,

240.45 -> but there are no rules.

242.37 -> Let's go ahead and create a rule

243.93 -> that will block any SQL showing up in the request headers.

248.04 -> First we'll click on Add Rules,

250.14 -> then we'll select Add My Own Rules and Rule Groups.

257.49 -> This is the Add Rule form.

259.47 -> This makes it easy to create your own custom rule

262.14 -> to block the kinds of headers we just saw.

265.89 -> First, we'll add a name.

276.54 -> Then we'll tell AWS WAF what to inspect.

280.74 -> You can see we have many options

283.02 -> but we want to inspect all headers.

289.14 -> We have the option here to inspect all parts of the header

292.41 -> or we can specify to look at just the key

295.71 -> or just the value.

297.9 -> In the Content to Inspect section,

300.12 -> you can choose to allow WAF to inspect all headers

303.24 -> or just a subset.

304.65 -> For this demo, we'll go ahead and look at them all.

310.59 -> For match type, we want to match on any header

313.56 -> that contains a SQL injection.

319.83 -> Oversize Handling is where we would tell WAF what to do

322.77 -> with requests that exceed the size or count limits.

327.39 -> We can choose to inspect just what's within these limits

330.48 -> or we can declare the request a match or not a match.

334.29 -> For now, we're going to select Continue.

337.08 -> The rule will inspect what it can,

338.88 -> ignoring any content outside the size limits.

344.76 -> The Then section tells WAF what to do

347.43 -> in case of a rule match.

349.56 -> We will leave the action as block.

353.37 -> In the custom response,

354.96 -> I want to specify a 403 response code.

359.46 -> For this demo, I will also return a custom body.

364.47 -> This is not always necessary, but for the demo,

367.29 -> it will give us an easy indicator

369.12 -> that the rule is working as expected.

376.62 -> Now that we're done, we'll go ahead and click Add Rule.

383.64 -> On this page, we set the rule priority.

386.52 -> Since it is the only rule,

388.68 -> we can go ahead and just hit save.

393.54 -> Now that the rule is applied,

395.04 -> we can go back to our demo application and see the results.

400.83 -> Now, back to the application.

403.23 -> We will send the request again.

406.23 -> I'll change the request body so

407.82 -> that we can see that the data sent is the data returned.

413.04 -> The rule worked.

414.72 -> It correctly identified the SQL code in the headers

417.54 -> and returned our custom body.

420.24 -> But what about an oversize request?

422.7 -> I'll add 200 headers to push the malicious headers

425.85 -> to the bottom of the list.

427.68 -> With the current rule,

429.18 -> the malicious headers will be invisible.

431.25 -> So when we execute this request,

433.44 -> the SQL code escapes detection

440.91 -> As you can see, the rule failed to block this request

443.91 -> because the number of headers was too large

446.25 -> and the malicious headers weren't matched to the rule.

449.97 -> So let's go back to the AWS WAF console.

453.78 -> To change our rule,

455.55 -> we're going to select it

458.64 -> and then click Edit.

464.25 -> Now back in the rule editor,

466.08 -> we'll scroll down to the Oversize Handling section

470.13 -> and change the selection.

475.65 -> We're going to select Match,

477.39 -> because for this application, any request with more

480.33 -> than 200 headers would be trying to hide malicious content.

486.27 -> Now we'll save.

492.87 -> And save.

497.52 -> And now we'll go back to the application

499.92 -> and see how that works.

502.68 -> With our rule now changed to assume a match if the number

505.65 -> of headers exceeds the limit,

507.72 -> we'll execute the request again with the 200 extra headers.

513.12 -> And now the request has been blocked.

515.4 -> When making your own rules,

516.9 -> you will have to assess what kind of oversize handling

519.75 -> would be best for your application.

522.36 -> To learn more about multi-header

524.04 -> and multi-cookie handling in AWS WAF,

527.01 -> visit the Developer Guide

528.3 -> and the feature announcement.

530.34 -> Both of these links can be found in the description

532.62 -> of this video.

534.54 -> Thank you for taking the time to watch.

536.79 -> If this content was helpful, please click the like icon.

540.87 -> Have a great day.

Source: https://www.youtube.com/watch?v=ByJLl9zXArk