Preventing Web Application from Cross-Site-Scripting using AWS WAF

Introduction

AWS WAF is a web application firewall that helps you monitor web requests forwarded to Amazon CloudFront distributions or an Application Load Balancer. We can also use AWS WAF to allow or block requests based on conditions you specify, like IP addresses that requests originate from or values in the requests.

Prerequisites

• AWS Account

Step-by-Step Guide

Step 1 – Create a Web Application

1. Log in to your AWS Account
2. Deploy simple application on Amazon EC2 instance, which is susceptible to the XSS attack.

Step 2 – Create Application LoadBalancer

1. Go to the Load balancer console and click “Create Application Load balancer”.
2. Provide the relevant information below:

• Load Balancer Name: XSS-LoadBalancer
• Scheme: Internet Facing
• IP address type: IPv4
• VPC: Same as of XSS Application
• Mapping: Select at least two AZs
• Security groups: Create a new one with Port 80 and 443 enabled for anywhere and add additional ports based on your application stack requirement
• Listeners and routing: Create a target group, add your EC2 instance to that target group, and leave other options as it is.

3. Keep the rest of the option as default, and in the last click on “Create load balancer”

4. Now hit the load balancer DNS once it’s up and tested successfully. Proceed to the next section.

Step 3 – Create WAF Web ACL and Associate LoadBalancer

1. Now go to WAF service from the AWS console to protect your application from WAF and click on “Create web ACL”
2. Now the Describe Web ACL and associate it to AWS resources section appears and provide the Web ACL details as shown below:

• Name: XSS-WAF
• Description: XSS-WAF
• CloudWatch metric name: XSS-WAF
• Region: Same as of LoadBalancer
• Resource Type: Regional Resources

3. Under the Associated AWS resources section, click on “Add AWS resources”.

4. And add the newly created XSS-LoadBalancer created in the previous section and the last click on Next

5. Now under Add rules and rule groups, click on” Add managed rule groups” expand the “AWS managed rule groups” section, and enable the core rule set and in last click on Add Rule, and after that in the last click on Next

6. Under the “Set rule priority” section, click Next, as we have only one rule for now.

7. In Configure metrics section, keep all the options as default, and at the bottom, click on Next

8. In the last section, review all the settings, and after that in the last click on Create Web ACL

9. When you click on a newly created web ACL, it will show you which rule it matches. It collects a lot of metrics from CloudWatch

10. Now go to LoadBalancer DNS and add the script string to check the exploit. Now you will get 403 Forbidden error because web ACL found that there is some XSS attack

11. Now go to WAF overview, and under “Sampled requests” you will get the details that you are going to execute this URI, and it detected as XSS as shown below Screenshot

Conclusion

You can use AWS WAF for various processes, like matching actual strings, regex patterns, SQL, etc. If you can protect your application from XSS attack using the above steps, you have successfully created the AWS WAF rule with the required inputs. It lets you monitor the HTTP and HTTPS requests forwarded to your web application resources.

About CloudThat