
In my scenario, the SQL cookie rule is being triggered in WAF, but the cookies do not have anything malicious in them. Could anyone please let me know why this is?

I've replicated the issue with a false positive (blocked valid request) by the rule SQLi_COOKIE from AWSManagedRulesSQLiRuleSet in my environment.

WAF logs showed:
"location":"HEADER","matchedData":["ajs_user_id","=","null",";","ajs_group_id"]}]

While testing the request the following patterns were blocked:
ajs_user_id=null;
ajs_group_id=null;

curl --cookie "ajs_group_id=null;" http://example.com
<head><title>403 Forbidden</title></head>

Basically, it blocks any key "name=null;". Could anyone please suggest whether there is a better way to allow for these rules to be processed in the future? It seems like '=null;' is the flagging mechanism, but that is very loose and not specific to SQL.

0 Answers
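To measure how widely the `name=null;` pattern described in the question trips SQLi_COOKIE, the following added example (not code from the original post or from AWS) tallies which cookie names appear directly before `=null` in the `matchedData` of blocked requests. The log lines are constructed samples, and the `ruleGroupList` / `terminatingRule` / `ruleMatchDetails` layout is assumed from the AWS WAF log format, since the post shows only a fragment of one record.

```python
import json
from collections import Counter

def _record(rule_id, matched, cookie):
    """Build one constructed log line (not real traffic) in AWS WAF log shape."""
    rule = rule_id and {"ruleId": rule_id, "action": "BLOCK", "ruleMatchDetails": [
        {"conditionType": "SQL_INJECTION", "location": "HEADER", "matchedData": matched}]}
    return json.dumps({
        "action": "BLOCK" if rule_id else "ALLOW",
        "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
                           "terminatingRule": rule}],
        "httpRequest": {"headers": [{"name": "cookie", "value": cookie}]},
    })

# Constructed sample input: two blocked requests, one allowed, one truncated line.
SAMPLE_LOGS = [
    _record("SQLi_COOKIE", ["ajs_user_id", "=", "null", ";", "ajs_group_id"],
            "ajs_user_id=null; ajs_group_id=null;"),
    _record("SQLi_COOKIE", ["ajs_group_id", "=", "null", ";"], "ajs_group_id=null;"),
    _record(None, [], "session=abc123"),
    '{"action":"BLOCK","ruleGroupList":[',
]

def sqli_cookie_blocks(lines, rule_id="SQLi_COOKIE"):
    """Yield (matchedData, cookie header) for each request terminated by rule_id."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the run
        headers = rec.get("httpRequest", {}).get("headers") or []
        cookie = next((h.get("value", "") for h in headers
                       if h.get("name", "").lower() == "cookie"), "")
        for group in rec.get("ruleGroupList") or []:
            rule = group.get("terminatingRule") or {}
            if rule.get("ruleId") != rule_id:
                continue
            for detail in rule.get("ruleMatchDetails") or []:
                yield detail.get("matchedData") or [], cookie

def null_cookie_names(lines):
    """Count cookie names that sit directly before '=' 'null' in matchedData."""
    names = Counter()
    for matched, _cookie in sqli_cookie_blocks(lines):
        for i in range(len(matched) - 2):
            if matched[i + 1] == "=" and matched[i + 2] == "null":
                names[matched[i]] += 1
    return names

if __name__ == "__main__":
    for name, count in null_cookie_names(SAMPLE_LOGS).most_common():
        print(f"{name}: {count} blocked request(s)")
```

The resulting list of cookie names is the evidence needed to scope any exception to exactly those cookies rather than to the whole rule.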