AWS F5 Managed WAF rules not blocking the vulnerabilities

Question

We have subscribed to the AWS Managed WAF rules in our AWS instance and attached with to a WEB ACL and ALB for testing . The default condition for the Rule Set is configured to block and we tried injected few sample OWASP sample blocks for SQL and XSS but the WAF rule set is not blocking them and bypassing to the default action of the WEB ACL to allow .Following are the signature sets subscribed and tried (F5 Rules for AWSWAF—Web exploits OWASP Rules and Common Vulnerabilities and Exposures (CVE) ). Has any one tried this and succeeded . Any input is appreciated

avalanchee · Answer

Giridharan,
Thank you for your feedback and interest in the AWSWAF F5 Rules product.&nbsp;
We are routinely working to improve the F5 Rules product to fix coverage issues. Please feel free to provide any further details regarding the sample OWASP SQL/XSS you used.&nbsp;
Please note that the AWS Managed WAF solution only provides coverage against common and simple attack vectors, and is not meant to replace a state of the art WAF solution.&nbsp;

nir_zigler_7297 · Answer

Giridharan,
Thank you for your feedback and interest in the AWSWAF F5 Rules product.&nbsp;
We are routinely working to improve the F5 Rules product to fix coverage issues. Please feel free to provide any further details regarding the sample OWASP SQL/XSS you used.&nbsp;
Please note that the AWS Managed WAF solution only provides coverage against common and simple attack vectors, and is not meant to replace a state of the art WAF solution.&nbsp;

giridharan_2650 · Answer

Nir Zigler, Thanks for your response .
Test cases in the following OWASP link were tried against the managed WAF rules and it was not getting blocked (https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)) . Do we have any reference to the attack patterns that the rule set covers &nbsp;

giridharan_2650 · Answer

Nir Zigler, Thanks for your response .
Test cases in the following OWASP link were tried against the managed WAF rules and it was not getting blocked (https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)) . Do we have any reference to the attack patterns that the rule set covers &nbsp;

Forum Discussion

AWS F5 Managed WAF rules not blocking the vulnerabilities

4 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

Zero Trust building blocks - Machine Identity Management (MIM) and Workload Protection

Traffic Management User Interface Vulnerability: The Fix and Temporary Mitigation Options

Zero Trust building blocks - F5 BIG-IP Access Policy Manager (APM) and PingIdentity

Minimizing Security Complexity: Managing Distributed WAF Policies