F5 Web Application CVE Signatures For AWS WAF - FALSE POSITIVE
I am using AWS and implemented the “F5 Web Application CVE Signatures For AWS WAF” managed rule from the AWS Marketplace.
I am copying the sample requests that are false positives from the AWS WAF console.
201.218.201.171 /course/modedit.php F5 Web Application CVE Signatures For AWS WAF Block 14:49:50
Client information:
  Source IP: 201.218.201.171
  Country: PA
Rule within rule group: 659aaaee-c124-460c-a775-22927af70a2f
Request line:
  Method: POST
  URI: /course/modedit.php
Request headers:
  Host: cursos.campusvirtualsp.org
  Content-Length: 2678
  user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
  accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  accept-language: es,en-US;q=0.7,en;q=0.3
  accept-encoding: gzip, deflate, br
  referer: https://cursos.campusvirtualsp.org/course/modedit.php?update=34464&return=1
  content-type: application/x-www-form-urlencoded
  upgrade-insecure-requests: 1
  cookie: TinyMCE_toggle=id_config_text%3D0; _ga=GA1.2.1480395476.1554154100; _gid=GA1.2.2045071368.1554154100; SSESS03d1962463878d637285620850f8c2c7=7F0Y5UmL3_e2dNRJylnLULV1W1s0c7HQUBYJjTFZuG4; MoodleSession=3pghhd5stbsjo3sqh38grunal1; _gat=1

201.218.201.171 /course/modedit.php F5 Web Application CVE Signatures For AWS WAF Block 14:50:46
Client information:
  Source IP: 201.218.201.171
  Country: PA
Rule within rule group: 659aaaee-c124-460c-a775-22927af70a2f
Request line:
  Method: POST
  URI: /course/modedit.php
Request headers:
  Host: cursos.campusvirtualsp.org
  Content-Length: 2689
  user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
  accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  accept-language: es,en-US;q=0.7,en;q=0.3
  accept-encoding: gzip, deflate, br
  referer: https://cursos.campusvirtualsp.org/course/modedit.php?update=34480&return=1
  content-type: application/x-www-form-urlencoded
  upgrade-insecure-requests: 1
  cookie: TinyMCE_toggle=id_config_text%3D0; _ga=GA1.2.1480395476.1554154100; _gid=GA1.2.2045071368.1554154100; SSESS03d1962463878d637285620850f8c2c7=7F0Y5UmL3_e2dNRJylnLULV1W1s0c7HQUBYJjTFZuG4; MoodleSession=3pghhd5stbsjo3sqh38grunal1; _gat=1
The rule blocked me when I tried to update a course configuration in Moodle. Below, I am sharing a web form where the rule is blocking.