• caglararli@hotmail.com
  • 05386281520

How dangerous is disabling PHPHighRiskMethodsVariables_BODY from the AWS ACLs?

Çağlar Arlı      -    59 Views

How dangerous is disabling PHPHighRiskMethodsVariables_BODY from the AWS ACLs?

Problem

Users in my application are being blocked (by the AWS WAF) from uploading files with certain names. In the specific case I am trying to solve, the problematic string is .* System (.*).*.

Background

The block is coming from the PHPHighRiskMethodsVariables_BODY rule that is a default inside AWS-AWSManagedRulesPHPRuleSet. Based on information found in the AWS docs - here - the check looks for PHP injection, and automatically blocks anything it detects.

Current solution

I have tested a fix where I label these requests and block all labeled requests NOT from my whitelisted file uploader. That being said, I am reticent to deploy, as I have no understanding of the risk vector I am exposing the product to.

Help sought

With that information, I am hoping to get some insight as to how much work PHPHighRiskMethodsVariables_BODY is actually doing for me. If it is a big attack vector, it would be foolish to weaken the WAF, and maybe I should instead provide some generic error message of "please try renaming your file". I could also add an additional check to my current solution that only allows problematic requests that have the exact regex pattern I called out in the problem (with even more specificity). That being said, without an understanding of all the banned words, I'll be playing whack-a-mole with the whitelist.

Any help or additional reading would be appreciated!