Regarding 1-click tool which will be available by early December:All the new features are only supported in WAFv2. If there are any non-compliant WAFv2 WebACLs then customers should be able to see this in their WAF console :
In AWS WAF, only the first 8KB ( i.e. bytes 1 through 8,192 bytes ) of the body content is inspected. The remaining content beyond 8,192 bytes isn't inspected by default. This is a hard service limit and can't be changed.That means that any malicious payload that starts after the 8,192nd byte in a POST request will completely bypass AWS WAF unless you’ve explicitly added a rule to block any POST request greater than 8KB in size. Since inspection limit is within first 8KB, AWS relayed the decision to the customers for the way these oversized requests to be handled.
The 'Continue' as an option within the oversize handling states that: If any request is oversized against the WAF’s inspection size limit, then that oversized payload ( payload content after 8,192 bytes ) will be ignored and AWS WAF will inspect the request components that are within the size limitations ( payload content from byte 1 through 8,192 bytes ) and the rule action will take place.
For example,
if you want to allow the request if the body contains ‘hello’ and you don't want the oversized contents ( after 8,192 bytes ) to be inspected, you can use ‘Continue’ as the oversize handling behavior as below:
* Action : ALLOW * Statement : ByteMatch * FTM : Body * Contains : “hello” * OversizeHandling : CONTINUE
Here, WAF inspects bytes 1 through 8,192 bytes of the body content and the rule action ‘ALLOW’ takes place if the request contains the string 'hello', even if the request content crosses the WAF size limit ( > 8,192 bytes )
For example,2) If you want to block the request if the body contains ‘hello’ and you don't want the oversized contents ( > 8,192 bytes ) to be inspected, you can use ‘Continue’ as the oversize handling behavior as below:
* Action : BLOCK * Statement : ByteMatch * FTM : Body * Contains : “hello” * OversizeHandling : CONTINUEHere, WAF inspects bytes 1 through 8,192 bytes of the body content and the rule action ‘BLOCK’ takes place if the request contains the string 'hello', even if the request content crosses the WAF size limit ( 8,192 bytes )
Suppose you configure a custom rule with a request body that contains XSS injection attacks and your request body is 9,000 bytes. You can choose from the following oversize handling actions:
Continue: AWS WAF inspects bytes 1 through 8,192 bytes of the body content for XSS attack. The remaining 8,193 through 9000 byte content isn't inspected.
Match: AWS WAF marks this request as containing an XSS attack and takes the rule action (either ALLOW or BLOCK). It doesn’t matter whether the request body includes an XSS attack pattern or not.
Not match: AWS WAF marks this request as not containing an XSS attack regardless of the request body content.
