AWS WAF XSS check blocking form with "ON" keyword in form field value

Posting a form with " on" or any word starting with "on" as the last word in a form field results in an XSS block from AWS WAF, blocked by this rule: "Body contains a cross-site scripting threat after decoding as URL". E.g. "twenty only" or " online" or "check on" all result in an XSS block.

These seem to be normal words; why are they getting blocked for XSS?

But with whitespace at the end it doesn't block, e.g. "twenty only " or " online " or "check on " all work.



Solution 1:[1]

Just flagging up that we got started with WAF last night, and overnight a few dozen legitimate requests were blocked.

Sure enough, each XSS rule had the string "on" in the request body, followed by other characters.

I wonder if it was trying to detect the hundred or so onerror, onload and other JavaScript events? Feels like it could have been a lot more specific than matching "on" followed by "some stuff"...

The only solution here seems to be to disable this rule for us; it's going to be a constant source of false positives for us otherwise, which makes it worthless.

Solution 2:[2]

This is a known problem with the "CrossSiteScripting_BODY" WAFv2 rule provided by AWS as part of the AWSManagedRulesCommonRuleSet ruleset. The rule will block any input that matches on*=*.

In a form with multiple inputs, any text that has " on" in it will likely trigger this rule with a false positive, e.g. a=three two one&b=something else.

In Sept 2021, I complained to AWS Enterprise Support about this clearly broken rule and they replied "It's better to block the request when in doubt than to allow a malicious one", which I strongly disagree with. The support engineer also suggested that I could attempt to whitelist inputs which have triggered this rule, which is totally impractical for any non-trivial web app.

I believe the rule is attempting to block XSS attacks containing scripts like onerror=eval(src), see https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html#waf-bypass-strings-for-xss

I would recommend excluding all the black box CrossSiteScripting rules from your WAF, as they are not fit for purpose.
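The mechanism both the question and Solution 2 describe, as an added illustration that is not part of the original page and not AWS's code: it assumes the rule inspects the whole URL-decoded body as a single string (rather than field by field) and applies an HTML-attribute heuristic in which any `name=` whose name begins with "on" counts as an event-handler attribute. Under that assumption "a=three two one&b=..." yields the attribute name "one&b" followed by "=", while a trailing space ("only &b=") ends the name before "&b", which matches the question's observation. The sample bodies are constructed here, not taken from anyone's logs, and the regex is an approximation of an attribute-name tokenizer, not the real rule.

```python
"""
Constructed model of why an "on*=" XSS heuristic trips on ordinary form text.

Assumption (not verified against AWS's implementation): the body is URL-decoded
as one string and scanned for HTML attributes `name=value` whose name starts
with "on" (onerror=, onload=, ...), the way an HTML attribute-name tokenizer would.
"""
import re
from urllib.parse import unquote_plus

# In an attribute-name state the name starts after whitespace and runs until
# whitespace, "=", "/" or ">". "&" and digits are legal inside a name, so the
# form body "a=three two one&b=..." produces the name "one&b" followed by "=".
ATTR_WITH_VALUE = re.compile(r'(?<!\S)([^\s=/>]+)=')


def attribute_names(decoded_body: str) -> list[str]:
    """Every name that is preceded by whitespace/start and immediately followed by '='."""
    return [m.group(1) for m in ATTR_WITH_VALUE.finditer(decoded_body)]


def looks_like_xss(raw_body: str) -> bool:
    """Approximation of the rule: URL-decode the whole body, then flag on*= names."""
    decoded = unquote_plus(raw_body)          # URL_DECODE text transformation
    return any(name.lower().startswith("on") for name in attribute_names(decoded))


# Constructed sample bodies mirroring the question's observations, plus a
# genuine payload for contrast. Value = verdict this model is expected to give.
SAMPLE_BODIES = {
    "a=three+two+one&b=something+else": True,   # "one&b=" looks like an on* attribute
    "a=twenty+only&b=1": True,                   # "only&b="
    "a=check+on&b=1": True,                      # "on&b="
    "a=twenty+only+&b=1": False,                 # trailing space ends the name: "&b="
    "a=twenty+only": False,                      # last field: nothing follows "only"
    "a=some+monday&b=1": False,                  # "monday&b" does not start with "on"
    "comment=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E": True,  # real XSS: onerror=
}


def run_samples() -> dict[str, bool]:
    """Run the model over the constructed bodies; returns body -> blocked?"""
    return {body: looks_like_xss(body) for body in SAMPLE_BODIES}


if __name__ == "__main__":
    for body, verdict in run_samples().items():
        print(f"{'BLOCK' if verdict else 'allow':5}  {body!r}")
```

Two practical consequences follow from this model (my note, not the answerers'): encoding or quoting the field on the client does not help, because the decode happens before the match, and the field boundary itself ("&b=") is what completes the pattern. The fix both answers point at is on the WAF side: in a WAFv2 web ACL the managed rule group statement accepts a per-rule override (a RuleActionOverrides entry for CrossSiteScripting_BODY with ActionToUse set to Count, or the older ExcludedRules entry), which keeps the rule's label and metric for monitoring while it stops blocking.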

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Phantomwhale
Solution 2