
AWS WAF Has XSS Predicate

Severity
medium
Compliance
PCI 6.5.7
Tags
AWS, PCI, Initial Access:Exploit Public-Facing Application
Reference
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-xss-conditions.html
Source
github.com/panther-labs/panther-analysis

This policy validates that every WAF has at least one rule whose predicate matches XSS attacks and whose action blocks them.

MITRE ATT&CK coverage

Tactic: Initial Access
Technique: T1190 Exploit Public-Facing Application

Rule body (YAML)

AnalysisType: policy
Filename: aws_waf_has_xss_predicate.py
PolicyID: "AWS.WAF.HasXSSPredicate"
DisplayName: "AWS WAF Has XSS Predicate"
Enabled: false
ResourceTypes:
  - AWS.WAF.Regional.WebACL
  - AWS.WAF.WebACL
Tags:
  - AWS
  - PCI
  - Initial Access:Exploit Public-Facing Application
Reports:
  PCI:
    - 6.5.7
  MITRE ATT&CK:
    - TA0001:T1190
Severity: Medium
Description: >
  This policy validates that all WAF's have at least one rule with a predicate matching on and blocking XSS attacks.
Runbook: >
  Configure a web ACL rule with a XSS matching predicate and add it to the WAF.
Reference: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-xss-conditions.html
Tests:
  - Name: Web ACL Has XSS Predicate
    ExpectedResult: true
    Resource:
      {
        "AccountId": "123456789012",
        "Arn": "arn:aws:waf-regional:us-west-2:123456789012:webacl/1",
        "DefaultAction": { "Type": "ALLOW" },
        "Id": "1",
        "MetricName": "example-metric",
        "Name": "example-waf",
        "Region": "us-west-2",
        "ResourceId": "arn:aws:waf-regional:us-west-2:123456789012:webacl/1",
        "ResourceType": "AWS.WAF.Regional.WebACL",
        "Rules":
          [
            {
              "Action": { "Type": "BLOCK" },
              "ExcludedRules": null,
              "MetricName": "example-rule",
              "Name": "example-rule",
              "OverrideAction": null,
              "Predicates":
                [{ "DataId": "1", "Negated": false, "Type": "XssMatch" }],
              "Priority": 2,
              "RuleId": "1",
              "Type": "REGULAR",
            },
          ],
        "Tags": { "environment": "pci" },
        "TimeCreated": null,
      }
  - Name: Web ACL Does Not Have XSS Predicate
    ExpectedResult: false
    Resource:
      {
        "AccountId": "123456789012",
        "Arn": "arn:aws:waf-regional:us-west-2:123456789012:webacl/1",
        "DefaultAction": { "Type": "ALLOW" },
        "Id": "1",
        "MetricName": "example-metric",
        "Name": "example-waf",
        "Region": "us-west-2",
        "ResourceId": "arn:aws:waf-regional:us-west-2:123456789012:webacl/1",
        "ResourceType": "AWS.WAF.Regional.WebACL",
        "Rules":
          [
            {
              "Action": { "Type": "BLOCK" },
              "ExcludedRules": null,
              "MetricName": "example-rule",
              "Name": "example-rule",
              "OverrideAction": null,
              "Predicates":
                [{ "DataId": "1", "Negated": false, "Type": "NotXssMatch" }],
              "Priority": 2,
              "RuleId": "1",
              "Type": "REGULAR",
            },
          ],
        "Tags": { "environment": "pci" },
        "TimeCreated": null,
      }

Detection logic

Rule logic (Python)

from panther_base_helpers import deep_get


def policy(resource):
    # The web ACL passes as soon as one rule both BLOCKs and carries an XssMatch predicate.
    for rule in resource["Rules"] or []:
        # Rules that only ALLOW or COUNT do not stop XSS traffic; skip them.
        if deep_get(rule, "Action", "Type") != "BLOCK":
            continue
        # Predicates may be null on the resource, so guard like Rules above.
        for predicate in rule["Predicates"] or []:
            if predicate["Type"] == "XssMatch":
                return True
    # No blocking XSS rule was found: the web ACL fails the policy.
    return False

The parser cannot express this rule's logic as a field filter; the imperative Python above is the detection.
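As an added example (not code from panther-analysis or from this page), the policy's check carried one step further: it also rejects a predicate whose Negated flag is true, since a negated XssMatch matches requests that do not contain XSS. The deep_get here is a local stand-in written for this example and assumed to have the same shape as Panther's helper; the fixtures are constructed to mirror the test resources above.

```python
def deep_get(obj, *keys, default=None):
    """Minimal stand-in for panther_base_helpers.deep_get (assumed to share
    the (obj, *keys, default=None) shape); not the project's own helper."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj

def has_blocking_xss_predicate(resource):
    """Stricter variant of the page's policy: a rule counts only if it BLOCKs
    and carries a non-negated XssMatch predicate. A negated XssMatch matches
    requests that do NOT contain XSS, so a BLOCK on it protects nothing."""
    for rule in resource.get("Rules") or []:
        if deep_get(rule, "Action", "Type") != "BLOCK":
            continue
        for predicate in rule.get("Predicates") or []:
            if predicate.get("Type") == "XssMatch" and not predicate.get("Negated"):
                return True
    return False

def make_web_acl(action, pred_type, negated=False):
    """Constructed fixture shaped like the page's AWS.WAF.Regional.WebACL tests."""
    return {
        "Name": "example-waf",
        "DefaultAction": {"Type": "ALLOW"},
        "Rules": [{
            "Action": {"Type": action},
            "Name": "example-rule",
            "Predicates": [{"DataId": "1", "Negated": negated, "Type": pred_type}],
            "Priority": 2,
            "Type": "REGULAR",
        }],
    }

# The page's two fixtures, plus an XssMatch in COUNT mode (already excluded by
# the page's rule) and a negated XssMatch (which the page's rule would accept).
CASES = {
    "blocking XssMatch": (make_web_acl("BLOCK", "XssMatch"), True),
    "no XssMatch": (make_web_acl("BLOCK", "NotXssMatch"), False),
    "XssMatch in COUNT mode": (make_web_acl("COUNT", "XssMatch"), False),
    "negated XssMatch": (make_web_acl("BLOCK", "XssMatch", negated=True), False),
}

def evaluate_all():
    """Return {case name: verdict} so the verdicts can be checked as a whole."""
    return {name: has_blocking_xss_predicate(acl) for name, (acl, _) in CASES.items()}
```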