AWS Web Application Firewall (WAF) Text Rule Transformations Explained

Posted by Ben Potter on Thursday, July 1, 2021


Amazon Web Services (AWS) Web Application Firewall (WAF) is a powerful and customizable service that, when configured correctly, can help protect your web applications from many different attacks. AWS WAF works with Amazon CloudFront, to protect web apps served through the content delivery network (CDN), and with Elastic Load Balancer. I’m going to explain what text rule transformations are, as AWS WAF recently announced 15 new text transformations.

What is a text transformation?

In AWS WAF a text transformation reformats the part of a request that a rule inspects before the rule’s pattern is checked, because attackers commonly try to evade rules by reformatting requests. For example, if a rule blocked a specific request only when a string appeared in lowercase and the attacker sent it in uppercase, the rule would not block it. The reformatting takes place on a request component, which specifies the part of the web request for AWS WAF to inspect. You specify this for standard rule statements that look for patterns inside the web request. These include regex pattern match, SQL injection attack, and size constraint statements. Before the new transformations were added, you would need to create many conditions to match all possible variants, and even then some cases could not be covered at all (e.g. matching against an MD5 hash of the input).
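As an added example (not code from the post or from AWS), the following Python shows a WAFv2 rule whose byte match statement chains URL_DECODE and LOWERCASE, plus a local model of that chain so the effect of the ordering can be checked offline; the rule name, metric name and search string are constructed values.

```python
from urllib.parse import unquote

# WAFv2 rule in the dict shape boto3 create_web_acl()/update_web_acl() accept.
# "AdminPathProbe" and "/admin/console" are constructed values for this example.
rule = {
    "Name": "AdminPathProbe",
    "Priority": 10,
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "AdminPathProbe",
    },
    "Statement": {
        "ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "CONTAINS",
            "SearchString": b"/admin/console",
            # Applied in ascending Priority order: decode first, then lowercase.
            "TextTransformations": [
                {"Priority": 0, "Type": "URL_DECODE"},
                {"Priority": 1, "Type": "LOWERCASE"},
            ],
        }
    },
}

# Local stand-ins for the transformation types used above (a model, not WAF's code).
TRANSFORMS = {
    "NONE": lambda s: s,
    "URL_DECODE": unquote,
    "LOWERCASE": str.lower,
}


def apply_transformations(value: str, transformations: list) -> str:
    """Run the chain in ascending Priority order, as AWS WAF does."""
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        value = TRANSFORMS[t["Type"]](value)
    return value


def rule_matches(rule: dict, uri_path: str) -> bool:
    """True when the transformed URI path contains the rule's search string."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    normalized = apply_transformations(uri_path, stmt["TextTransformations"])
    return stmt["SearchString"].decode() in normalized
```

Swapping the two priorities would lowercase before decoding, so a percent-encoded uppercase letter would survive the chain and the match would fail.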

Options for text transformations

The following options are now available for text transformations:

Base64 decode - AWS WAF decodes a Base64-encoded string.

Base64 decode ext - AWS WAF decodes a Base64-encoded string, but uses a forgiving implementation that ignores characters that aren’t valid.

Command line - This option mitigates situations where attackers might be injecting an operating system command line command and are using unusual formatting to disguise some or all of the command.

Use this option to perform the following transformations:

  • Delete the following characters: \ " ' ^
  • Delete spaces before the following characters: / (
  • Replace the following characters with a space: , ;
  • Replace multiple spaces with one space
  • Convert uppercase letters, A-Z, to lowercase, a-z
  • Compress white space

Compress white space - AWS WAF replaces multiple spaces with one space and replaces the following characters with a space character (decimal 32):

  • \f, formfeed, decimal 12
  • \t, tab, decimal 9
  • \n, newline, decimal 10
  • \r, carriage return, decimal 13
  • \v, vertical tab, decimal 11
  • non-breaking space, decimal 160
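The two entries above are specified step by step, so here is an added Python model of CMD_LINE and COMPRESS_WHITE_SPACE built directly from those steps (an illustration, not AWS's implementation); the input strings in the comments are constructed.

```python
import re

# Characters COMPRESS_WHITE_SPACE turns into a plain space (decimal 32).
_WS_CHARS = "\f\t\n\r\v\u00a0"   # formfeed, tab, newline, CR, vertical tab, NBSP
_DELETE = str.maketrans("", "", "\\\"'^")     # CMD_LINE step 1: \ " ' ^
_TO_SPACE = str.maketrans(",;", "  ")         # CMD_LINE step 3: , ;


def compress_white_space(s: str) -> str:
    """Map the listed whitespace characters to a space, then collapse runs."""
    for ch in _WS_CHARS:
        s = s.replace(ch, " ")
    return re.sub(" {2,}", " ", s)


def cmd_line(s: str) -> str:
    """Apply the CMD_LINE steps in the order the post lists them."""
    s = s.translate(_DELETE)                 # delete \ " ' ^
    s = re.sub(r" +(?=[/(])", "", s)         # delete spaces before / and (
    s = s.translate(_TO_SPACE)               # replace , and ; with a space
    s = re.sub(" {2,}", " ", s)              # multiple spaces -> one space
    s = s.lower()                            # A-Z -> a-z
    return compress_white_space(s)           # final whitespace compression


def matches_after_cmd_line(value: str, search_string: str) -> bool:
    """Rule-style CONTAINS check against the CMD_LINE-normalized value.

    Constructed input 'Ne^tSt"a"t  ,  -an' normalizes to 'netstat -an'.
    """
    return search_string in cmd_line(value)
```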

CSS decode - AWS WAF decodes characters that were encoded using CSS 2.x escape rules (see syndata.html#characters in the CSS 2.x specification). This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn’t typically be encoded. It’s also useful in countering evasion that combines a backslash with non-hexadecimal characters, for example ja\vascript for javascript.

Escape sequence decode - AWS WAF decodes the following ANSI C escape sequences: \a, \b, \f, \n, \r, \t, \v, \\, \?, \', \", \xHH (hexadecimal), \0OOO (octal). Encodings that aren’t valid remain in the output.

Hex decode - AWS WAF decodes a string of hexadecimal characters into binary.

HTML entity decode - AWS WAF replaces HTML-encoded characters with unencoded characters:

  • Replaces &quot; with "
  • Replaces &nbsp; with a non-breaking space, decimal 160
  • Replaces &lt; with <
  • Replaces &gt; with >
  • Replaces characters that are represented in hexadecimal format, &#xhhhh;, with the corresponding characters
  • Replaces characters that are represented in decimal format, &#nnnn;, with the corresponding characters

JS decode - AWS WAF decodes JavaScript escape sequences. If a \uHHHH code is in the full-width ASCII code range of FF01-FF5E, then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.

Lowercase - AWS WAF converts uppercase letters (A-Z) to lowercase (a-z).

MD5 - AWS WAF calculates an MD5 hash from the data in the input. The computed hash is in a raw binary form.

None - AWS WAF inspects the web request as received, without any text transformations.

Normalize path - AWS WAF removes multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.

Normalize path win - AWS WAF processes this like NORMALIZE_PATH, but first converts backslash characters to forward slashes.

Remove nulls - AWS WAF removes all NULL bytes from the input.

Replace comments - AWS WAF replaces each occurrence of a C-style comment (/* … */) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment (*/) is not acted upon.
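The three edge cases named above (no compression of consecutive comments, unterminated comments, a lone closing token) are easy to get wrong, so here is an added Python model of REPLACE_COMMENTS that follows them as stated; it is an illustration, not AWS's code, and the sample strings in the docstring are constructed.

```python
def replace_comments(s: str) -> str:
    """Replace each C-style comment with one space, per the REPLACE_COMMENTS rules.

    Constructed examples:
      'foo/*bar*/baz'   -> 'foo baz'
      'a/*1*//*2*/b'    -> 'a  b'   (two comments, two spaces, not compressed)
      'a/*open'         -> 'a '     (unterminated comment becomes one space)
      'a*/b'            -> 'a*/b'   (a standalone */ is left alone)
    """
    out = []
    i = 0
    while i < len(s):
        if s.startswith("/*", i):
            out.append(" ")                 # every comment becomes exactly one space
            end = s.find("*/", i + 2)
            if end == -1:                   # unterminated: the rest of the input is the comment
                break
            i = end + 2
        else:                               # ordinary text, including a lone "*/", is kept
            out.append(s[i])
            i += 1
    return "".join(out)
```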

Replace nulls - AWS WAF replaces NULL bytes in the input with space characters (ASCII 0x20).

SQL hex decode - AWS WAF decodes SQL hex data. For example, (0x414243) is decoded to (ABC).

URL decode - AWS WAF decodes a URL-encoded value.

URL decode uni - Like URL_DECODE, but with support for Microsoft-specific %u encoding. If the code is in the full-width ASCII code range of FF01-FF5E, the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.

UTF8 to Unicode - AWS WAF converts all UTF-8 character sequences to Unicode. This helps input normalization, and minimizes false-positives and false-negatives for non-English languages.

Further reading:

  • AWS WAF Documentation
  • AWS Well-Architected Security Pillar
  • Official Security Best Practices for Amazon S3