📤 File Upload Test

Upload a PDF document below. The request goes through CloudFront where AWS WAF inspects the body. The AWSManagedRulesSQLiRuleSet will flag the PDF's binary content as a SQL injection attempt.


What to expect: The upload will return a 403 Forbidden error. This is the WAF blocking the request because it thinks the PDF binary content is a SQL injection attack. Check the Problem tab to understand why.

Apply the Fix

Toggle the scope-down statement on the WAF. When enabled, the SQLi rule skips inspection on the upload endpoint.


🔎 Problem Summary

When a PDF is uploaded via a multipart form POST, AWS WAF's AWSManagedRulesSQLiRuleSet inspects the request body. Certain byte sequences in the PDF's internal streams and metadata coincidentally match SQL injection signatures, causing the WAF to flag the request as SQL_INJECTION in the BODY.

WAF Log Findings

Field              | Value
Terminating Rule   | AWSManagedRulesSQLiRuleSet
Rule Inside Group  | SQLi_BODY
Action             | BLOCK
Matched Condition  | SQL_INJECTION in BODY

Why Optimizing the PDF Sometimes Helps

Reducing or restructuring the PDF removes or reorganizes internal binary streams and metadata that happen to match SQL injection byte patterns. However, this is not a reliable fix — different PDFs contain different byte sequences and may still trigger the rule.

⚠ This is a known false positive — not an actual SQL injection attempt. The binary content of the PDF is being misinterpreted by the WAF's pattern matching engine.

🛠 Solution Overview

Add a scope-down statement to the AWSManagedRulesSQLiRuleSet rule group that excludes the file upload endpoint from SQLi body inspection.

Why Scope-Down Statement?

Approach                | Pros                                                              | Cons
Scope-Down Statement ✅ | Most targeted fix. SQLi rules still protect all other endpoints. | Slightly more complex to configure
Count Mode Override     | Easy to set up                                                    | Reduces protection — SQLi_BODY won't block anywhere
Allow Rule for URI      | Simple                                                            | Skips ALL WAF rules for that path, not just SQLi

What the Scope-Down Statement Does

It tells WAF: "Apply the SQLi rules to all requests EXCEPT those matching the upload endpoint URI."

{
  "ScopeDownStatement": {
    "NotStatement": {
      "Statement": {
        "ByteMatchStatement": {
          "SearchString": "/api/file-management",
          "FieldToMatch": { "UriPath": {} },
          "PositionalConstraint": "STARTS_WITH",
          "TextTransformations": [
            { "Priority": 0, "Type": "NONE" }
          ]
        }
      }
    }
  }
}

🔒 Security Tradeoff: The upload endpoint will no longer be inspected for SQL injection. Ensure your application has proper file type validation, size limits, and content scanning on that endpoint.
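The JSON above is the statement on its own; in the WAFv2 API it has to sit inside the managed rule group's ManagedRuleGroupStatement, and boto3 takes SearchString as bytes rather than text. The following is an added example, not code from this lab: a pure function that sets the scope-down statement on the named rule group in a Web ACL's Rules list (so it can be tested offline), with the boto3 update call it would feed left in comments. The sample Rules list, the ACL id placeholder and the metric name are constructed assumptions.

```python
import copy

def scope_down_statement(path_prefix: str) -> dict:
    """Scope-down: apply the rule group to every request EXCEPT URIs starting with path_prefix."""
    return {
        "NotStatement": {
            "Statement": {
                "ByteMatchStatement": {
                    # boto3 expects SearchString as bytes; the console shows it as text
                    "SearchString": path_prefix.encode(),
                    "FieldToMatch": {"UriPath": {}},
                    "PositionalConstraint": "STARTS_WITH",
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                }
            }
        }
    }

def add_scope_down(rules: list, rule_group_name: str, path_prefix: str) -> list:
    """Return a copy of a Web ACL's Rules list with the scope-down statement set on the
    named managed rule group. Fails loudly if the group is absent, so a typo in the
    name cannot silently leave the upload endpoint blocked."""
    new_rules = copy.deepcopy(rules)
    for rule in new_rules:
        mrg = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if mrg and mrg.get("Name") == rule_group_name:
            mrg["ScopeDownStatement"] = scope_down_statement(path_prefix)
            return new_rules
    raise ValueError(f"managed rule group {rule_group_name!r} not in web ACL")

# Constructed stand-in for the Rules list of the waf-sqli-demo Web ACL (not a real API response)
SAMPLE_RULES = [{
    "Name": "AWS-AWSManagedRulesSQLiRuleSet",
    "Priority": 0,
    "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS",
                                                "Name": "AWSManagedRulesSQLiRuleSet"}},
    "OverrideAction": {"None": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                         "MetricName": "SQLiRuleSet"},
}]

if __name__ == "__main__":
    updated = add_scope_down(SAMPLE_RULES, "AWSManagedRulesSQLiRuleSet", "/api/file-management")
    print(updated[0]["Statement"]["ManagedRuleGroupStatement"]["ScopeDownStatement"])
    # To push this to AWS (assumed boto3 usage, not run here), fetch the ACL first:
    #   acl = client.get_web_acl(Name="waf-sqli-demo", Scope="CLOUDFRONT", Id=ACL_ID_PLACEHOLDER)
    # then call client.update_web_acl(..., Rules=add_scope_down(acl["WebACL"]["Rules"],
    #   "AWSManagedRulesSQLiRuleSet", "/api/file-management"), LockToken=acl["LockToken"])
```

Because CloudFront-scoped Web ACLs live in us-east-1, the boto3 client in the commented call would be created with region_name="us-east-1" and Scope="CLOUDFRONT".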

📝 Step-by-Step: Adding the Scope-Down Statement

Prerequisites

Console Steps

1. Open the AWS WAF Console → Web ACLs → Select waf-sqli-demo
2. Click the Rules tab
3. Select AWSManagedRulesSQLiRuleSet → Click Edit
4. Scroll down to Scope-down statement → Toggle it ON
5. Configure the statement:
  • If a request: doesn't match the statement (NOT)
  • Inspect: URI path
  • Match type: Starts with string
  • String to match: /api/file-management
  • Text transformation: None
6. Click Save rule
7. Click Save on the Web ACL

After saving, go back to the Upload Test tab and try uploading the PDF again. It should succeed this time.

✅ Verification & Testing

Test 1: Upload a Previously Blocked PDF

Go to the Upload Test tab and upload the same PDF that was blocked. It should now return a 200 OK with a success message.

Test 2: Verify SQLi Protection on Other Endpoints

Try accessing the site with a SQL injection payload in the URL:
https://waf-lab.rohan.aws-info.net/?id=1' OR '1'='1
This should still be blocked by the WAF — confirming SQLi protection is active everywhere except the upload endpoint.

Test 3: Check WAF Logs

In the WAF Console → Web ACL → Sampled requests, verify:
  • Upload requests are now ALLOWED
  • SQLi test payloads on other paths are still BLOCKED

⏪ Rollback Procedure

If something goes wrong, here's how to revert:

1. Open AWS WAF Console → Web ACLs → waf-sqli-demo
2. Click Rules tab → Select AWSManagedRulesSQLiRuleSet → Edit
3. Toggle Scope-down statement to OFF
4. Save rule → Save Web ACL

This restores full SQLi inspection on all endpoints, including the upload path.

Tear Down the Entire Demo

aws s3 rm s3://waf-lab-uploads-rohan --recursive
aws cloudformation delete-stack --stack-name waf-sqli-demo --region us-east-1