Since migrating our web applications to Fastly, I’ve noticed a large uptick in the number of empty form posts from non-consumer, non-US IP addresses.
Could a site-based “Templated Rule” to “Block Empty Form Posts” be added? I thought about creating one, but determined that it may be a little difficult.
It would need to match a POST request method with content-type set to check the absence of application/x-www-form-urlencoded or multipart/form-data and an empty body (in the case of a JSON post).
Also, regarding blocking rules, besides the Fastly-provided “Templated Rules”, are there any shared community resources for rules that are beneficial and don’t cause problems? (NOTE: I tried to write a rule to block requests based on form-posted “email” variables that matched a signal list and it resulted in multiple 500 errors on the WAF/Varnish-side. I’m a little nervous now whenever creating new rules.)
Hey @JamoCA! You should be able to create a rule with the following parameters:
Content-Length: 0
Method: POST
and that would catch what you’re testing.
NOTE: I tried to write a rule to block requests based on form-posted “email” variables that matched a signal list and it resulted in multiple 500 errors on the WAF/Varnish-side. I’m a little nervous now whenever creating new rules.
I passed this on to the team to dig into a little bit more. We definitely don’t want there to be apprehension around creating rules as needed (that’s the entire point of the product) so we’ll try to see what happened here.
Could that be built using the “Corp/Site Rules”? Or would that require a VCL script?
I don’t see “Content-Length” as a field in the web UI… so I’m assuming that it would need to be an additional group with a header field named content-length with a value of “0”. Is this correct?
Hmm… While viewing the requests on our origin server, the content-length is often 67-144. I’ll need to start logging the “body” on our origin to determine if these empty form posts are submitting a JSON body. (NOTE: These form posts are being performed on URLs that don’t accept JSON payloads.)
Regarding a shared repository of beneficial Fastly corp/site rules, is there such a thing?
Could that be built using the “Corp/Site Rules”? Or would that require a VCL script?
so I’m assuming that it would need to be an additional group with a header field named content-length with a value of “0”. Is this correct?
That was my thinking as well (I included a picture below for anyone viewing this thread in the future).
(NOTE: These form posts are being performed on URLs that don’t accept JSON payloads.)
That might be something that’s easier to block within VCL, depending on the request pattern.
Regarding a shared repository of beneficial Fastly corp/site rules, is there such a thing?
Beyond the Signals library, not to my knowledge. I like it, though.
I discovered the issue… lots of bogus traffic from international consumer IP addresses (which appear to be fine) are posting ajax to some of our contact forms. Our contact forms are not configured to accept ajax, so I’m being internally alerted to empty posts. (I’ve updated our internal alert to include the ajax body payload.)
We use ajax on “some” contact forms, but our ajax posts contain a special header that is missing in these bogus requests. There may also be some other legit ajax operations that we use, so I can’t easily add a global rule at this time.
For now, I’m identifying the bad requests and then responding with a custom HTTP header+value and 403 status code. I’ve added a corp signal and a site alert to block for 24 hours if there’s a threshold of “1 request within 1 hour”. So far, 39 IPs have been reported & blocked within the last 24 hours as a result of the rule being added to 2 hostnames.
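The two checks discussed in this thread (the staff suggestion of POST plus Content-Length: 0, and the later finding of JSON posts to form-only URLs that lack the site’s own ajax header) as one detection routine, written here as an added illustration rather than anything from Fastly or from the poster. The marker header name, the custom block header name and the sample requests are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed names: the thread says the legitimate ajax posts carry "a special
# header" but does not name it, and does not give the custom block header.
AJAX_MARKER_HEADER = "x-app-ajax"
BLOCK_HEADER = "x-blocked-reason"
FORM_CONTENT_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name):
        # Header names are case-insensitive; normalise before comparing.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def classify_post(req, form_paths):
    """Return a reason string if req is a bogus post to a form URL, else None."""
    if req.method.upper() != "POST" or req.path not in form_paths:
        return None
    # Rule 1 (staff suggestion): POST with Content-Length: 0 or no body at all.
    if req.header("content-length") == "0" or not req.body:
        return "empty-body"
    # Rule 2 (later finding): a non-form body such as JSON sent to a URL that only
    # accepts HTML form posts, without the header the site's own ajax code sets.
    ctype = (req.header("content-type") or "").split(";")[0].strip().lower()
    if ctype not in FORM_CONTENT_TYPES and req.header(AJAX_MARKER_HEADER) is None:
        return "non-form-body-without-marker"
    return None


def respond(req, form_paths):
    """Mirror the thread's handling: 403 plus a custom header, else pass through."""
    reason = classify_post(req, form_paths)
    return None if reason is None else (403, {BLOCK_HEADER: reason})


# Constructed sample traffic against two contact-form URLs.
FORM_PATHS = {"/contact", "/quote"}
SAMPLES = [
    Request("POST", "/contact", {"Content-Length": "0"}),
    Request("POST", "/contact", {"Content-Type": "application/json"}, b'{"email":"x@y"}'),
    Request("POST", "/contact", {"Content-Type": "application/json", "X-App-Ajax": "1"}, b'{"email":"x@y"}'),
    Request("POST", "/contact", {"Content-Type": "multipart/form-data; boundary=abc"}, b"--abc--"),
    Request("GET", "/contact"),
]
```

Only the first two samples are flagged; the ajax post carrying the marker header, the genuine multipart form post and the GET all pass through.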