Useful curl commands to test AWS WAF

Over the last couple of weeks, I’ve had to tweak AWS WAF as per requirements. I’ve found the following curl commands very useful in quickly assessing whether the WAF rules are working as expected or not.

Testing Cross Site Scripting (XSS)

curl -X POST -i --data '<script>alert(/XSS/)</script>' https://example.com/uri

If the endpoint returns a 403 for the POST request above but something else (such as a 200) for the same request without the payload, the WAF is blocking the XSS pattern on that endpoint.

A cool trick to bypass the XSS filtering of AWSManagedRulesCommonRuleSet: base64 encode the payload.

Testing body size restrictions

The AWSManagedRulesCommonRuleSet blocks oversized requests (anything over 8,192 kB). You can test whether the rule is working as expected using:

curl -X POST -i -H "Content-Type: application/octet-stream" -d "$(head -c 10000 /dev/urandom | base64)" https://example.com/uri

This request should return a 403 if the firewall enforces size restrictions. If you find a URI that does not return a 403, that URI has most likely been exempted from the size restriction.

Testing response to user agent rules

No user agent

curl -H 'User-agent:' https://example.com/uri

Mac user agent

curl -H 'User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Safari/605.1.15' https://example.com/uri

Chrome on Windows user agent

curl -H 'User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36' https://example.com/uri

You can find a comprehensive listing of user agents on useragentstring.com.
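Tying the checks above together, here is an added shell script that is not part of the original post. It takes a target URL on the command line (an assumption), sends a plain baseline request plus the XSS, oversized-body and missing-User-Agent probes, and reports for each whether a 403 appeared only on the probe (rule fired), on neither (rule not enforced for that URI), or on the baseline too (nothing can be concluded, since the URI is blocked regardless).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes curl is on PATH and
# that the URL to probe is given as the first argument.

# Print only the HTTP status code for one request; extra args go to curl.
status_of() {
    url="$1"; shift
    curl -s -o /dev/null -w '%{http_code}' --max-time 15 "$@" "$url"
}

# Compare the baseline status with a probe status.
# 403 on the probe only  -> the WAF rule fired for this URI.
# no 403 on either       -> the rule is not enforced here (possible exemption).
# 403 on the baseline    -> the URI is blocked anyway, so the probe says nothing.
classify() {
    baseline="$1"; probe="$2"
    if [ "$baseline" = "403" ]; then
        echo "inconclusive"
    elif [ "$probe" = "403" ]; then
        echo "blocked"
    else
        echo "not-blocked"
    fi
}

# Body larger than the size-restriction limit, built the way the post does it
# (base64 of 10000 random bytes, newlines stripped so curl sends one blob).
oversized_body() {
    head -c 10000 /dev/urandom | base64 | tr -d '\n'
}

run_checks() {
    url="$1"
    base=$(status_of "$url")
    xss=$(status_of "$url" -X POST --data '<script>alert(/XSS/)</script>')
    big=$(status_of "$url" -X POST -H 'Content-Type: application/octet-stream' \
          --data "$(oversized_body)")
    noua=$(status_of "$url" -H 'User-Agent:')
    printf 'baseline            %s\n' "$base"
    printf 'xss-body            %s  %s\n' "$xss"  "$(classify "$base" "$xss")"
    printf 'oversized-body      %s  %s\n' "$big"  "$(classify "$base" "$big")"
    printf 'missing-user-agent  %s  %s\n' "$noua" "$(classify "$base" "$noua")"
}

# Only touch the network when a URL was actually supplied.
if [ "$#" -ge 1 ]; then
    run_checks "$1"
fi
```

Run it as `sh waf-check.sh https://example.com/uri`; a URI that reports `not-blocked` for the oversized body is the exemption case described above.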