AWS WAF rule AWSManagedRulesCommonRuleSet does not seem to work properly

I'm currently trying to setup a Cloudfront distribution with a web ACL (WAF). I enabled the AWS managed rule called AWSManagedRulesCommonRuleSet (documentation to this rule can be found here: ).

I'm testing a Remote File Inclusion, for which I would expect my query to be blocked by the WAF. Unfortunately, my request still goes through. My query is GET , so a simple GET query to with a query parameter test=

I enabled the log for the WAF, here you can see that my query is not block, despite the RFI present.

{ "timestamp": 1697798175056, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:249461922481:global/webacl/waf-demo/ce82b689-0a46-4018-a992-80f6d03a1ca3", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "action": "ALLOW", "terminatingRuleMatchDetails": [], "httpSourceName": "CF", "httpSourceId": "E2HC5UK2JK9WVG", "ruleGroupList": [ { "ruleGroupId": "AWS#AWSManagedRulesPHPRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null }, { "ruleGroupId": "AWS#AWSManagedRulesLinuxRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null }, { "ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null }, { "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null }, { "ruleGroupId": "AWS#AWSManagedRulesUnixRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null }, { "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "customerConfig": null } ], "rateBasedRuleList": [ { "rateBasedRuleId": "arn:aws:wafv2:us-east-1:249461922481_MANAGED:global/ipset/ce82b689-0a46-4018-a992-80f6d03a1ca3_d03fd8aa-b178-4da6-9da3-1b3a6511b176_IPV4/d03fd8aa-b178-4da6-9da3-1b3a6511b176", "rateBasedRuleName": "limit", "limitKey": "IP", "maxRateAllowed": 100, "limitValue": "{redacted}" } ], "nonTerminatingMatchingRules": [], "requestHeadersInserted": null, "responseCodeSent": null, "httpRequest": { "clientIp": "213.49.129.107", "country": "BE", "headers": [ { "name": "host", "value": "api.{mywebsite}.com" }, { "name": "user-agent", "value": "insomnia/8.3.0" }, { "name": "accept", "value": "*/*" }, { "name": "content-length", "value": "0" } ], "uri": "/", "args": "test=https%3A%2F%2Fraw.githubusercontent.com%2Fmarcocesarato%2FPHP-Malware-Collection%2Fmaster%2Fclassic%2Fsimattacker.php", "httpVersion": "HTTP/2.0", "httpMethod": "GET", "requestId": "45Jf2TK56hWIioDaQJgDVDFVgUVmULWq2OqRMbhmPQjXQW8lFYMNrA==" }, "ja3Fingerprint": "4ea056e63b7910cbf543f0c095064dfe" } 

Could you help me understand what happens ? Thanks

Related questions 1222 How does the SQL injection from the "Bobby Tables" XKCD comic work? 0 AWS WAF with cloudfront 0 Cloudfront distribution does not enforce TLS settings for Gateway API Related questions 1222 How does the SQL injection from the "Bobby Tables" XKCD comic work? 0 AWS WAF with cloudfront 0 Cloudfront distribution does not enforce TLS settings for Gateway API 355 How does Content Security Policy (CSP) work? 0 Turning on AWS WAF geolocation restriction 0 How do recent updates on AWS WAF Managed Core Rule Set work Load 3 more related questions Show fewer related questions

Reset to default

Know someone who can answer? Share a link to this question via email, Twitter, or Facebook.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge that you have read and understand our privacy policy and code of conduct.

You Might Also Like