WAF Body Size Exceeded

Article ID: 223970


Products

ASG-S500, ASG-S400, ASG-S200, SG-S400, SG-S200, SG-S500, Web Application Firewall

Issue/Introduction

"http.request.body.inspection_size(65536)"

This is an action that sets the maximum number of bytes of an HTTP request body that the Web Application Firewall (WAF) content nature detection engines or policy can scan per transaction. Because it is an action rather than a condition, it will always appear to 'match'.

 

Cause

Reported behavior:
Rule:
http.request.body.inspection_size(65536) http.request.detection.other.threshold_exceeded(block)

This rule matches (and blocks) a request whose body is only 9589 bytes long.

Frequency of issue: Always

Expected behavior: The rule should not match unless the request body exceeds 65536 bytes.

Additional information:
SGOS 6.7.5.8 (257558)

The access log truncates the request body to 8192 bytes when reporting it, regardless of the actual body size, so the logged length does not show the real size of the body.

This is a timing issue: when the tenant's policy is evaluated, the HTTP worker has read only the default amount of body data (8192 bytes), not the 65536 bytes requested by the tenant's inspection_size(). Any tenant that uses 'http.request.body.inspection_size()' must use tenant.connection() from the 'landlord' policy.

Environment

The issue was seen on SGOS 6.7.5.8, but it can occur on essentially any recent SGOS version.

Resolution

As a workaround, add the highest inspection_size() value used by any tenant as an action in the 'default' tenant policy, for example:

{code:java}
inline policy tenant default end-807290248-inline
...
<proxy ReadRequiredBodySize>
   http.request.body.inspection_size(65536) http.request.detection.other.threshold_exceeded(block)
...
end-807290248-inline
{code}

  1. The action in the default tenant exists ONLY to tell the HTTP worker to read body data up to the highest inspection_size() required by any tenant. With this change in the default tenant, request_url() in the tenant policy will work with that inspection_size().
  2. If no higher inspection_size() is given in the default tenant, the HTTP worker reads only 8192 bytes of the body for request_url().

To emphasize: the inspection size given in the default tenant is there only to make the HTTP worker read enough body data. The default tenant does not itself have to trigger the inspection_size() action. request_url() in the tenant policy will trigger the proper action, because the HTTP worker has now read the correct amount of body data.

The caveat: the HTTP worker will read up to the amount of body data given in the default tenant for every request, including requests for tenants that never use inspection_size(). With the value suggested for this case (an inspection_size of 65536 bytes), the HTTP worker will read up to 65536 bytes (if available) from every request, so the default tenant's value should be no larger than the largest inspection_size() any tenant actually needs.
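As an added illustration (not part of the original article, and not SGOS code), the following Python script models the behaviour described above and doubles as a lint for multi-tenant CPL: it extracts the largest inspection_size() from each tenant's inline policy block, derives how much body data the HTTP worker will read (the default tenant's value, or 8192 bytes when the default tenant gives none), predicts whether threshold_exceeded fires for a given body length, and flags tenants whose inspection_size() is larger than what the worker reads. The CPL fragments, the tenant name tenant_a and the end markers are constructed for the example; the 8192-byte default and the "effective size is the smaller of tenant value and worker read" model come from the article's description, not from SGOS source.

```python
import re
from typing import Dict, List, Optional

# Bytes of body the HTTP worker reads when the default tenant carries no
# larger inspection_size() (figure taken from the article).
WORKER_DEFAULT_READ = 8192

# 'inline policy tenant <name> <end-marker>' opens a tenant's inline block.
TENANT_RE = re.compile(r"^inline policy tenant (\S+) (\S+)$")
SIZE_RE = re.compile(r"http\.request\.body\.inspection_size\((\d+)\)")

# Constructed sample: tenant_a asks for 65536 bytes, the default tenant says nothing.
BROKEN_POLICY = """\
inline policy tenant default end-0001-inline
<proxy>
    ALLOW
end-0001-inline
inline policy tenant tenant_a end-0002-inline
<proxy>
    http.request.body.inspection_size(65536) http.request.detection.other.threshold_exceeded(block)
end-0002-inline
"""

# Constructed sample with the article's workaround applied to the default tenant.
FIXED_POLICY = """\
inline policy tenant default end-0001-inline
<proxy ReadRequiredBodySize>
    http.request.body.inspection_size(65536) http.request.detection.other.threshold_exceeded(block)
end-0001-inline
inline policy tenant tenant_a end-0002-inline
<proxy>
    http.request.body.inspection_size(65536) http.request.detection.other.threshold_exceeded(block)
end-0002-inline
"""


def parse_inspection_sizes(cpl: str) -> Dict[str, int]:
    """Largest inspection_size() per tenant, keyed by tenant name.

    Tenants whose block contains no inspection_size() are not returned.
    """
    sizes: Dict[str, int] = {}
    tenant: Optional[str] = None
    end_marker: Optional[str] = None
    for raw in cpl.splitlines():
        line = raw.strip()
        if tenant is None:
            m = TENANT_RE.match(line)
            if m:
                tenant, end_marker = m.group(1), m.group(2)
            continue
        if line == end_marker:  # closes the current tenant block
            tenant = end_marker = None
            continue
        for m in SIZE_RE.finditer(line):
            sizes[tenant] = max(sizes.get(tenant, 0), int(m.group(1)))
    return sizes


def worker_read_limit(sizes: Dict[str, int]) -> int:
    """Body bytes the HTTP worker reads: the default tenant's value, else 8192."""
    return max(sizes.get("default", 0), WORKER_DEFAULT_READ)


def effective_inspection_size(sizes: Dict[str, int], tenant: str) -> int:
    """A tenant can never inspect more body data than the worker actually read."""
    return min(sizes[tenant], worker_read_limit(sizes))


def threshold_exceeded(sizes: Dict[str, int], tenant: str, body_len: int) -> bool:
    """Model of threshold_exceeded: fires when the body outgrows what was inspected."""
    return body_len > effective_inspection_size(sizes, tenant)


def tenants_needing_default_fix(sizes: Dict[str, int]) -> List[str]:
    """Tenants whose inspection_size() exceeds what the worker will read."""
    limit = worker_read_limit(sizes)
    return sorted(t for t, s in sizes.items() if t != "default" and s > limit)


if __name__ == "__main__":
    for label, cpl in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        sizes = parse_inspection_sizes(cpl)
        print(label, "policy: worker reads", worker_read_limit(sizes), "bytes;",
              "9589-byte body blocked for tenant_a:",
              threshold_exceeded(sizes, "tenant_a", 9589),
              "; tenants needing the default-tenant fix:",
              tenants_needing_default_fix(sizes))
```

Run it against an exported multi-tenant policy before and after adding the default-tenant action: an empty list from tenants_needing_default_fix() means every tenant's inspection_size() is covered by what the worker reads. The model is only as accurate as the article's description; it does not replace a policy trace on the appliance.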

Additional Information

This fix was provided on technical case 32520890; the customer implemented it and confirmed that it resolved the issue. Note also that this is an Engineering/R&D-approved fix.