Custom Rules

Introduction

WAF allows you to create your own rules for handling requests. This is useful for adding logic relevant to your specific application. Alongside custom rules, this section will introduce request sampling and Web ACL Capacity Units.

Custom Rules

The simplest way to create a custom rule is to use the Editor in the WAF Console.

Add a custom rule

Rules allow you to inspect components of the HTTP request such as:

  • Source IP
  • Headers
  • Body
  • URI
  • Query Parameters

Based on the component inspected, you can block or allow a request.

Request Sampling

WAF allows you to view a sample of requests that it has processed. Do this from your Web ACL dashboard.

Example of Sampled Requests

This is useful for quick debugging to see what requests have been received and how they were handled.

It’s also possible to log all requests your Web ACL receives. This will be introduced later.

Web ACL Capacity Units

You may have noticed WCU, or Web ACL Capacity Unit, when implementing the two managed rules. WAF uses WCU to calculate the operating cost of a rule. Simple rules use fewer WCUs than more complex rules.

Your Web ACL has a maximum WCU of 1500. This can be increased by contacting AWS Support.

Challenge

Just as you thought you had solved your milkshake fiasco, more malicious requests are targeting your application. The attacks have become more specific. You realise you can block these attacks with a custom rule for your WAF Web ACL.
All of the attacks seem to contain a strange header, X-TomatoAttack. Blocking requests with that header will stop the attack.

Create a rule on your Web ACL that blocks requests with the header X-TomatoAttack with ANY value.

Use the test case below to check if your rule is working!

Test Case

This test case will send a request to your test application. If the WAF rule is working, your request should be blocked. You will receive a 403 response like the one below:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>ERROR: The request could not be satisfied</title>
  </head>
  <body>
    <h1>403 ERROR</h1>
    <!-- Omitted -->
  </body>
</html>

Run the command below in your terminal.

# Set the JUICESHOP_URL variable if not already done
# JUICESHOP_URL=<Your Juice Shop URL>

# This should be blocked
curl -H "X-TomatoAttack: Red" "${JUICESHOP_URL}"
# This should be blocked
curl -H "X-TomatoAttack: Green" "${JUICESHOP_URL}"

Check your Web ACL overview to see the sampled requests. You should see these requests marked as BLOCK.

Conclusion

Phew, it seems like your custom rule worked.

Custom rules allow you to implement your own logic for handling requests in WAF. Custom rules can inspect many components of a request, then act to block or allow a request if the rule statement is true.
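
One way to express the challenge's rule as AWS WAF (WAFv2) rule JSON, as an added example that is not part of the original workshop or its answer key. It assumes a size constraint of "greater than or equal to 0 bytes" on the header as the way to match any value, since WAF evaluates a request that lacks the inspected component as not matching; the rule name, metric name and priority are placeholders.

```json
{
  "Name": "block-x-tomatoattack",
  "Priority": 0,
  "Statement": {
    "SizeConstraintStatement": {
      "FieldToMatch": {
        "SingleHeader": { "Name": "x-tomatoattack" }
      },
      "ComparisonOperator": "GE",
      "Size": 0,
      "TextTransformations": [
        { "Priority": 0, "Type": "NONE" }
      ]
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "block-x-tomatoattack"
  }
}
```

After applying the rule, also send a request without the header and confirm it is not blocked, so you know the rule matches on the header's presence and not on every request.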

Every Web ACL has a maximum number of Web ACL Capacity Units (WCU). This is 1500, but can be increased if needed. Every rule and rule group in a Web ACL contributes towards this limit.