This article lists the specific header names and values that are set by AWS WAF to detect various OWASP Top 10 threats. Cequence policies use these header names and values to detect and block the specific threats within Cequence Defenders. This categorization reflects the landscape of web application threats detected by Cequence WAAP, from traditional injection attacks to modern supply chain vulnerabilities like Log4j exploits.
The purpose of this article is to inform customers of the specific header names and values that are used within their WAF Policies.
Note: Do not edit the header names and values unless specifically instructed by Cequence Customer Support. To disable specific WAF Rules or Policies, follow the instructions in the Configuring WAF Policies article.
User Agent and Bot Detection
This category encompasses threats related to missing or malicious user agent strings, which are commonly exploited by automated bots and scrapers to disguise their identity or bypass basic filtering mechanisms.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| NoUserAgent_HEADER | AWSManagedRulesCommonRuleSet | x-amzn-waf-nouseragent | NoUserAgent_HEADER |
| UserAgent_BadBots_HEADER | AWSManagedRulesCommonRuleSet | x-amzn-waf-useragentbots | UserAgent_BadBots_HEADER |
Request Size Restrictions
These rules detect requests that exceed predetermined size limits across various HTTP components, helping prevent resource exhaustion attacks and unusually large payloads that may indicate malicious activity.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| SizeRestrictions_QUERYSTRING | AWSManagedRulesCommonRuleSet | x-amzn-waf-sizerestriction_querystring | SizeRestrictions_QUERYSTRING |
| SizeRestrictions_Cookie_HEADER | AWSManagedRulesCommonRuleSet | x-amzn-waf-sizerestriction_cookie | SizeRestrictions_Cookie_HEADER |
| SizeRestrictions_BODY | AWSManagedRulesCommonRuleSet | x-amzn-waf-sizerestriction_body | SizeRestrictions_BODY |
| SizeRestrictions_URIPATH | AWSManagedRulesCommonRuleSet | x-amzn-waf-sizerestriction_uri | SizeRestrictions_URIPATH |
Server-Side Request Forgery (SSRF)
These detections identify attempts to exploit server-side request forgery vulnerabilities, particularly targeting AWS EC2 metadata endpoints which could expose sensitive instance credentials and configuration data.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| EC2MetaDataSSRF_BODY | AWSManagedRulesCommonRuleSet | x-amzn-waf-ec2metadata_body | EC2MetaDataSSRF_BODY |
| EC2MetaDataSSRF_COOKIE | AWSManagedRulesCommonRuleSet | x-amzn-waf-ec2metadata_cookie | EC2MetaDataSSRF_COOKIE |
| EC2MetaDataSSRF_URIPATH | AWSManagedRulesCommonRuleSet | x-amzn-waf-ec2metadata_uri | EC2MetaDataSSRF_URIPATH |
| EC2MetaDataSSRF_QUERYARGUMENTS | AWSManagedRulesCommonRuleSet | x-amzn-waf-ec2metadata_queryarg | EC2MetaDataSSRF_QUERYARGUMENTS |
Local File Inclusion (LFI)
These rules detect attempts to access local files on the server through path traversal and other file inclusion techniques that could expose sensitive system files or application code.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| GenericLFI_QUERYARGUMENTS | AWSManagedRulesCommonRuleSet | x-amzn-waf-genericlfi_queryarg | GenericLFI_QUERYARGUMENTS |
| GenericLFI_URIPATH | AWSManagedRulesCommonRuleSet | x-amzn-waf-genericlfi_uri | GenericLFI_URIPATH |
| GenericLFI_BODY | AWSManagedRulesCommonRuleSet | x-amzn-waf-genericlfi_body | GenericLFI_BODY |
Restricted File Extensions
This category identifies requests attempting to access files with potentially dangerous extensions that should not be accessible through web requests, helping prevent exposure of configuration files, source code, or other sensitive resources.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| RestrictedExtensions_URIPATH | AWSManagedRulesCommonRuleSet | x-amzn-waf-restrictedext_uri | RestrictedExtensions_URIPATH |
| RestrictedExtensions_QUERYARGUMENTS | AWSManagedRulesCommonRuleSet | x-amzn-waf-restrictedext_queryarg | RestrictedExtensions_QUERYARGUMENTS |
Remote File Inclusion (RFI)
These detections target attempts to include remote files or resources in application execution, which could lead to code execution, data exfiltration, or other malicious activities through externally hosted content.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| GenericRFI_QUERYARGUMENTS | AWSManagedRulesCommonRuleSet | x-amzn-waf-genericrfi_queryarg | GenericRFI_QUERYARGUMENTS |
| GenericRFI_BODY | AWSManagedRulesCommonRuleSet | x-amzn-waf-genericrfi_body | GenericRFI_BODY |
| GenericRFI_URIPATH | AWSManagedRulesCommonRuleSet | x-amzn-waf-genericrfi_uri | GenericRFI_URIPATH |
Cross-Site Scripting (XSS)
This group of rules identifies patterns associated with cross-site scripting attacks across various input vectors, protecting against malicious script injection that could compromise user sessions or steal sensitive data.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| CrossSiteScripting_COOKIE | AWSManagedRulesCommonRuleSet | x-amzn-waf-css_cookie | CrossSiteScripting_COOKIE |
| CrossSiteScripting_QUERYARGUMENTS | AWSManagedRulesCommonRuleSet | x-amzn-waf-css_queryarg | CrossSiteScripting_QUERYARGUMENTS |
| CrossSiteScripting_BODY | AWSManagedRulesCommonRuleSet | x-amzn-waf-css_body | CrossSiteScripting_BODY |
| CrossSiteScripting_URIPATH | AWSManagedRulesCommonRuleSet | x-amzn-waf-css_uri | CrossSiteScripting_URIPATH |
Administrative Interface Protection
This rule specifically protects administrative paths and interfaces from unauthorized access attempts, helping secure backend management systems and configuration endpoints.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| AdminProtection_URIPATH | AWSManagedRulesAdminProtectionRuleSet | x-amzn-waf-adminprotection | AdminProtection_URIPATH |
Java Deserialization Remote Code Execution
These rules detect attempts to exploit Java deserialization vulnerabilities, which can lead to remote code execution through maliciously crafted serialized objects passed in various request components.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| JavaDeserializationRCE_HEADER | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-javades_header | JavaDeserializationRCE_HEADER |
| JavaDeserializationRCE_BODY | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-javades_body | JavaDeserializationRCE_BODY |
| JavaDeserializationRCE_URIPATH | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-javades_uri | JavaDeserializationRCE_URIPATH |
| JavaDeserializationRCE_QUERYSTRING | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-javades_queryarg | JavaDeserializationRCE_QUERYSTRING |
Known Malicious Patterns
This category encompasses various known malicious request patterns including localhost targeting, suspicious HTTP methods, exploitable paths, and attempts to access commonly vulnerable endpoints.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| Host_localhost_HEADER | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-localhost_header | Host_localhost_HEADER |
| PROPFIND_METHOD | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-proffind_method | PROPFIND_METHOD |
| ExploitablePaths_URIPATH | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-exploitablepath | ExploitablePaths_URIPATH |
Log4j Remote Code Execution
These detections specifically target attempts to exploit the Log4j vulnerability (CVE-2021-44228), monitoring for malicious JNDI lookup patterns that could lead to remote code execution through various input vectors.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| Log4JRCE_HEADER | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-log4j_header | Log4JRCE_HEADER |
| Log4JRCE_QUERYSTRING | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-log4j_queryarg | Log4JRCE_QUERYSTRING |
| Log4JRCE_BODY | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-log4j_body | Log4JRCE_BODY |
| Log4JRCE_URIPATH | AWSManagedRulesKnownBadInputsRuleSet | x-amzn-waf-log4j_uri | Log4JRCE_URIPATH |
SQL Injection
This comprehensive set of rules detects various SQL injection attack patterns, including both standard and extended pattern matching across multiple input vectors to prevent database compromise and data exfiltration attempts.
| AWS Threat Detection | AWS Rule Set Source | Triggering header | Triggering value |
| SQLi_QUERYARGUMENTS | AWSManagedRulesSQLiRuleSet | x-amzn-waf-sqli-queryarg | SQLi_QUERYARGUMENTS |
| SQLiExtendedPatterns_QUERYARGUMENTS | AWSManagedRulesSQLiRuleSet | x-amzn-waf-sqli-extpattern-queryarg | SQLiExtendedPatterns_QUERYARGUMENTS |
| SQLi_BODY | AWSManagedRulesSQLiRuleSet | x-amzn-waf-sqli-body | SQLi_BODY |
| SQLiExtendedPatterns_BODY | AWSManagedRulesSQLiRuleSet | x-amzn-waf-sqli-extpattern-body | SQLiExtendedPatterns_BODY |
| SQLi_COOKIE | AWSManagedRulesSQLiRuleSet | x-amzn-waf-sqli-cookie | SQLi_COOKIE |
| SQLi_URIPATH | AWSManagedRulesSQLiRuleSet | x-amzn-waf-sqli-uripath | SQLi_URIPATH |