variable "rule_owasp_xss_action" {
  description = "COUNT or BLOCK, any other value will disable this rule entirely."
  type        = string

  # Off by default: the rule resources below are only created when this value
  # appears in var.enable_actions (see the `locals` block), so anything that
  # is not a recognised action leaves the rule uncreated.
  default = "DISABLED"
}
variable "rule_owasp_xss_priority" {
  description = "The priority in which to execute this rule."
  type        = number

  # Not referenced in this file; presumably consumed where the rule is attached
  # to the web ACL (lower values are evaluated first there) — confirm in the
  # module's web ACL definition.
  default = 50
}
variable "rule_xss_request_fields" {
  description = "A list of fields in the request to look for XSS attacks."
  type        = list(string)

  # Each entry becomes a `field_to_match.type` on the XSS match set.
  # NOTE(review): WAF Classic only inspects the leading 8 KB of a request
  # body, so "BODY" coverage is partial for larger payloads — confirm against
  # current AWS documentation if body inspection is relied upon.
  default = [
    "BODY",
    "URI",
    "QUERY_STRING",
  ]
}
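variable "rule_xss_request_fields_transforms" {
  type = list(string)
  # Typo fixed: "tranformations" -> "transformations".
  description = "A list of text transformations to perform on fields before looking for XSS attacks."

  # Transforms are NOT chained: the match set pairs every transform with every
  # field (setproduct), so each resulting tuple applies exactly one transform.
  # A value encoded in more than one layer is only decoded one layer per tuple.
  default = [
    "HTML_ENTITY_DECODE",
    "URL_DECODE",
  ]
}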
variable "rule_xss_request_headers" {
  description = "A list of headers in the request to look for XSS attacks."
  type        = list(string)

  # Each entry becomes the `data` of a `field_to_match { type = "HEADER" }`
  # tuple on the XSS match set; only the headers listed here are inspected.
  default = ["cookie"]
}
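variable "rule_xss_request_headers_transforms" {
  type = list(string)
  # Typo fixed: "tranformations" -> "transformations".
  description = "A list of text transformations to perform on headers before looking for XSS attacks."

  # As with the field transforms, these are combined with the header list via
  # setproduct, so every header gets one tuple per transform rather than a
  # single tuple applying all transforms in sequence.
  default = [
    "HTML_ENTITY_DECODE",
    "URL_DECODE",
  ]
}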
locals {
  # 1 when the XSS rule should exist, 0 otherwise; used as `count` on the
  # resources below. var.enabled and var.enable_actions are declared elsewhere
  # in the module. Parentheses make the precedence explicit: the whole boolean
  # is evaluated before the conditional.
  is_owasp_xss_enabled = (var.enabled && contains(var.enable_actions, var.rule_owasp_xss_action)) ? 1 : 0
}
## OWASP Top 10 2017-A7, 2013-A3, 2010-A2, 2007-A1
## Cross-site scripting (XSS)
resource "aws_waf_rule" "owasp_xss" {
  # Created only when the rule is enabled (see locals). `aws_waf_rule` is the
  # WAF Classic global (CloudFront) resource; regional deployments would need
  # the aws_wafregional_* equivalents instead.
  count = local.is_owasp_xss_enabled

  name = "${var.waf_prefix}-xss"
  # Metric names must be alphanumeric, so strip everything else from the prefix.
  metric_name = replace("${var.waf_prefix}xss", "/[^0-9A-Za-z]/", "")
  tags        = local.tags

  # Single positive predicate: the rule matches whenever the XSS match set does.
  # No action is set here; COUNT/BLOCK is presumably applied where this rule is
  # attached to the web ACL (outside this file).
  predicates {
    type    = "XssMatch"
    negated = false
    data_id = aws_waf_xss_match_set.xss_match_set[0].id
  }
}
resource "aws_waf_xss_match_set" "xss_match_set" {
  # Same gate as the rule that references it, so the `[0]` index there is safe.
  count = local.is_owasp_xss_enabled

  name = "${var.waf_prefix}-detect-xss"

  # One tuple per (transform, field) pair. Transforms are not chained: each
  # tuple applies a single transform to the field, and per AWS WAF semantics the
  # set matches if any one tuple matches.
  dynamic "xss_match_tuples" {
    iterator = pair
    for_each = [
      for combo in setproduct(var.rule_xss_request_fields_transforms, var.rule_xss_request_fields) :
      { transform = combo[0], field = combo[1] }
    ]

    content {
      text_transformation = pair.value.transform

      field_to_match {
        type = pair.value.field
      }
    }
  }

  # One tuple per (transform, header-name) pair; the header name goes in `data`.
  dynamic "xss_match_tuples" {
    iterator = pair
    for_each = [
      for combo in setproduct(var.rule_xss_request_headers_transforms, var.rule_xss_request_headers) :
      { transform = combo[0], header = combo[1] }
    ]

    content {
      text_transformation = pair.value.transform

      field_to_match {
        type = "HEADER"
        data = pair.value.header
      }
    }
  }
}