This is a known problem with the "CrossSiteScripting_BODY" WAFv2 rule provided by AWS as part of the AWSManagedRulesCommonRuleSet ruleset.

The rule will block any input that matches on*=*

I believe the rule is attempting to block XSS attacks containing scripts like onerror=eval(src), see

In a form with multiple inputs, any text that has " on" in it will likely trigger this rule with a false positive, e.g.

In Sept 2021, I complained to AWS Enterprise Support about this clearly broken rule and they replied "It's better to block the request when in doubt than to allow a malicious one", which I strongly disagree with.

The support engineer also suggested that I could attempt to whitelist inputs which have triggered this rule, which is totally impractical for any non-trivial web app.
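To see why a multi-field form trips the pattern, the following added example (not code from the post or from AWS) models the on*=* glob as a regex over the URL-decoded body and compares a whole-body match with a per-field match. The regex, the URL_DECODE step and the sample submissions are assumptions made here; AWS does not publish the exact managed-rule pattern, so this is only a pre-screening aid for your own legitimate form data while the rule runs in Count mode.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote_plus, urlencode

# Assumption: the post describes the managed rule as matching "on*=*"; that glob is
# modelled here as a regex over the URL-decoded request body. This approximates the
# rule for pre-screening only and is not AWS's actual pattern.
ON_GLOB_RE = re.compile(r"on.*=", re.IGNORECASE | re.DOTALL)


def decode_body(raw_body: str) -> str:
    """Model the URL_DECODE text transformation applied before matching (assumed)."""
    return unquote_plus(raw_body)


def raw_body_match(raw_body: str) -> Optional[str]:
    """Return the span that trips the pattern when the whole body is one string.

    Because the glob spans field boundaries, 'on' at the end of one value plus the
    '=' of the next field is enough to match: the false positive the post describes.
    """
    m = ON_GLOB_RE.search(decode_body(raw_body))
    return m.group(0) if m else None


def flagged_fields(raw_body: str) -> list:
    """Evaluate each field value on its own, the scope a form author would expect."""
    fields = parse_qsl(raw_body, keep_blank_values=True)
    return [name for name, value in fields if ON_GLOB_RE.search(value)]


# Constructed sample submissions (not captured traffic).
BENIGN_SINGLE = urlencode({"comment": "Thanks for the help"})
BENIGN_MULTI = urlencode({"comment": "Please turn it on", "submit": "yes"})
MALICIOUS = urlencode({"comment": "<img src=x onerror=eval(src)>"})


def screen(samples: dict) -> dict:
    """Report, per sample, the whole-body match span and the per-field matches."""
    return {label: (raw_body_match(b), flagged_fields(b)) for label, b in samples.items()}


if __name__ == "__main__":
    report = screen({"single": BENIGN_SINGLE, "multi": BENIGN_MULTI, "xss": MALICIOUS})
    for label, (body_hit, field_hits) in report.items():
        print(f"{label:7} whole-body match={body_hit!r:14} per-field={field_hits}")
```

Running it shows the benign two-field form matching on the span "on&submit=" while no individual field matches, whereas the onerror payload is caught either way; feeding your own logged form bodies through `screen` gives a rough false-positive estimate before switching the rule from Count to Block.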