AWS WAF Blocking XML Requests as XSS Attacks


I am encountering an issue with AWS WAF's AWSManagedRulesCommonRuleSet where it appears to be blocking requests with application/xml in the body, treating them as XSS attacks.

Specifically, when the request includes <?xml version="1.0" encoding="UTF-8"?>, the entire request gets flagged and a 403 Forbidden response is sent to the client. WAF logs:

"terminatingRuleMatchDetails": [
    {
        "conditionType": "XSS",
        "location": "BODY",
        "matchedData": [
            "<?",
            "xml"
        ],
        "matchedFieldName": ""
    }
],
"ruleGroupList": [
    {
        "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
        "terminatingRule": {
            "ruleId": "CrossSiteScripting_BODY",
            "action": "BLOCK",
            "ruleMatchDetails": null
        },
    }
]

I know that whitelisting XML requests in the WAF is an option, but I am looking for a solution that doesn't ignore the whole XML request's body. Is there a way to configure AWSManagedRulesCommonRuleSet to accurately detect and block XSS attacks without mistakenly flagging legitimate XML requests?

Also, any other recommendations for both paid and free WAFs or rulesets that offer comprehensive support for XML and are suitable for non-commercial users?


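The log excerpt above shows exactly what gets matched (the `<?` and `xml` tokens of the XML declaration), and the first step before changing any rule is to measure how many blocks are of that kind versus real XSS hits. The following Python triage script is an added example, not code from the question or from AWS: it walks WAF log records in the field layout quoted above (plus `httpRequest.headers`, which the real WAF log format carries), and classifies a `CrossSiteScripting_BODY` block as a likely XML-prolog false positive only when the request body is an XML content type and every matched token belongs to the XML declaration. The sample records are constructed.

```python
import json

XML_PROLOG_TOKENS = {"<?", "xml"}            # tokens of '<?xml ... ?>' that the rule matches
XML_CONTENT_TYPES = ("application/xml", "text/xml", "+xml")


def _record(matched, content_type, uri, action="BLOCK"):
    """Build one constructed WAF log record (JSON line) with the fields triage needs."""
    return json.dumps({
        "action": action,
        "terminatingRuleMatchDetails": [
            {"conditionType": "XSS", "location": "BODY", "matchedData": matched}],
        "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                           "terminatingRule": {"ruleId": "CrossSiteScripting_BODY",
                                               "action": action}}],
        "httpRequest": {"uri": uri,
                        "headers": [{"name": "Content-Type", "value": content_type}]},
    })


# Constructed sample log lines: one prolog-only XML block, one real XSS payload,
# and one XML request whose body also carries a script tag.
SAMPLE_LOGS = [
    _record(["<?", "xml"], "application/xml; charset=UTF-8", "/api/import"),
    _record(["<script"], "application/x-www-form-urlencoded", "/comment"),
    _record(["<?", "xml", "<script"], "text/xml", "/api/import"),
]


def _header(request, name):
    """Case-insensitive header lookup in the WAF httpRequest.headers list."""
    for h in request.get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return ""


def classify(record):
    """Return 'xml-prolog-fp', 'xss-block' or 'other' for one parsed WAF log record."""
    if record.get("action") != "BLOCK":
        return "other"
    details = [d for d in record.get("terminatingRuleMatchDetails", [])
               if d.get("conditionType") == "XSS" and d.get("location") == "BODY"]
    if not details:
        return "other"
    matched = {m.lower() for d in details for m in d.get("matchedData", [])}
    ctype = _header(record.get("httpRequest", {}), "Content-Type").lower()
    is_xml = any(t in ctype for t in XML_CONTENT_TYPES)
    # Only an XML body whose matched tokens are all from the declaration is a likely FP.
    if is_xml and matched and matched <= XML_PROLOG_TOKENS:
        return "xml-prolog-fp"
    return "xss-block"


def triage(lines):
    """Count records per class so the FP share of CrossSiteScripting_BODY is visible."""
    counts = {}
    for line in lines:
        label = classify(json.loads(line))
        counts[label] = counts.get(label, 0) + 1
    return counts
```

Feeding the script real WAF log lines (one JSON object per line) gives the count of prolog-only blocks, which is the evidence to decide whether a rule action override or a scoped custom rule is justified for that endpoint.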