AWS::WAF::XssMatchSet
This is Amazon WAF Classic documentation. For more information, see Amazon WAF Classic in the developer guide.
For the latest version of Amazon WAF, use the Amazon WAFV2 API and see the Amazon WAF Developer Guide. With the latest version, Amazon WAF has a single set of endpoints for regional and global use.
A complex type that contains XssMatchTuple objects, which specify the parts of web requests that you want Amazon WAF to inspect for cross-site scripting attacks and, if you want Amazon WAF to inspect a header, the name of the header. If an XssMatchSet contains more than one XssMatchTuple object, a request is considered a match as soon as it includes cross-site scripting attacks in any one of the specified parts of the request; it does not need to match in all of them.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::WAF::XssMatchSet",
  "Properties" : {
    "Name" : String,
    "XssMatchTuples" : [ XssMatchTuple, ... ]
  }
}
YAML
Type: AWS::WAF::XssMatchSet
Properties:
  Name: String
  XssMatchTuples:
    - XssMatchTuple
Properties
Name
The name, if any, of the XssMatchSet.
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: .*\S.*
Update requires: Replacement
XssMatchTuples
Specifies the parts of web requests that you want to inspect for cross-site scripting attacks.
Required: Yes
Type: List of XssMatchTuple
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref.
Examples
Define Which Part of a Request to Check for Cross-site Scripting
The following example looks for cross-site scripting in the URI or query string of an HTTP request.
JSON
"DetectXSS": {
  "Type": "AWS::WAF::XssMatchSet",
  "Properties": {
    "Name": "XssMatchSet",
    "XssMatchTuples": [
      {
        "FieldToMatch": { "Type": "URI" },
        "TextTransformation": "NONE"
      },
      {
        "FieldToMatch": { "Type": "QUERY_STRING" },
        "TextTransformation": "NONE"
      }
    ]
  }
}
YAML
DetectXSS:
  Type: "AWS::WAF::XssMatchSet"
  Properties:
    Name: "XssMatchSet"
    XssMatchTuples:
      - FieldToMatch:
          Type: "URI"
        TextTransformation: "NONE"
      - FieldToMatch:
          Type: "QUERY_STRING"
        TextTransformation: "NONE"
Associate an XssMatchSet with a Web ACL Rule
The following example associates the DetectXSS match set with a web access control list (ACL) rule.
JSON
"XSSRule": {
  "Type": "AWS::WAF::Rule",
  "Properties": {
    "Name": "XSSRule",
    "MetricName": "XSSRule",
    "Predicates": [
      {
        "DataId": { "Ref": "DetectXSS" },
        "Negated": false,
        "Type": "XssMatch"
      }
    ]
  }
}
YAML
XSSRule:
  Type: "AWS::WAF::Rule"
  Properties:
    Name: "XSSRule"
    MetricName: "XSSRule"
    Predicates:
      - DataId:
          Ref: "DetectXSS"
        Negated: false
        Type: "XssMatch"
Create a Web ACL
The following example associates the XSSRule rule with a web ACL. The web ACL allows all requests except for ones that contain cross-site scripting in the URI or query string of an HTTP request.
JSON
"MyWebACL": {
  "Type": "AWS::WAF::WebACL",
  "Properties": {
    "Name": "Web ACL to block cross-site scripting",
    "DefaultAction": { "Type": "ALLOW" },
    "MetricName": "DetectXSSWebACL",
    "Rules": [
      {
        "Action": { "Type": "BLOCK" },
        "Priority": 1,
        "RuleId": { "Ref": "XSSRule" }
      }
    ]
  }
}
YAML
MyWebACL:
  Type: "AWS::WAF::WebACL"
  Properties:
    Name: "Web ACL to block cross-site scripting"
    DefaultAction:
      Type: "ALLOW"
    MetricName: "DetectXSSWebACL"
    Rules:
      - Action:
          Type: "BLOCK"
        Priority: 1
        RuleId:
          Ref: "XSSRule"
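As an added example that is not part of this documentation page or of CloudFormation itself: a small Python pre-deployment check, with the three resources from the examples above embedded inline as a dict, that enforces the Name constraints listed under Properties (1 to 128 characters matching .*\S.*), requires a non-empty XssMatchTuples list, and verifies that each XssMatch predicate and each web ACL rule Refs a resource of the right type. The function names are my own.

```python
import re
NAME_RE = re.compile(r".*\S.*")  # Name pattern from this page's Properties section

def check_xss_match_set(props):
    """Return the problems found in an XssMatchSet Properties block (empty list means OK)."""
    problems = []
    name = props.get("Name")
    if not isinstance(name, str) or not (1 <= len(name) <= 128) or not NAME_RE.fullmatch(name):
        problems.append("Name must be 1-128 characters and contain a non-whitespace character")
    tuples = props.get("XssMatchTuples")
    if not isinstance(tuples, list) or not tuples:
        problems.append("XssMatchTuples is required and must be a non-empty list")
        return problems
    for i, t in enumerate(tuples):  # each tuple names one request part plus a text transformation
        if "Type" not in t.get("FieldToMatch", {}):
            problems.append(f"XssMatchTuples[{i}] lacks FieldToMatch.Type")
        if "TextTransformation" not in t:
            problems.append(f"XssMatchTuples[{i}] lacks TextTransformation")
    return problems

def check_template(resources):
    """Check every XssMatchSet and the XssMatchSet -> Rule -> WebACL Ref chain (function name is mine)."""
    problems = []
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::WAF::XssMatchSet":
            problems += [f"{logical_id}: {p}" for p in check_xss_match_set(props)]
        elif res["Type"] == "AWS::WAF::Rule":
            for pred in props.get("Predicates", []):
                target = resources.get(pred.get("DataId", {}).get("Ref"), {})
                if pred.get("Type") == "XssMatch" and target.get("Type") != "AWS::WAF::XssMatchSet":
                    problems.append(f"{logical_id}: XssMatch predicate must Ref an AWS::WAF::XssMatchSet")
        elif res["Type"] == "AWS::WAF::WebACL":
            for rule in props.get("Rules", []):
                target = resources.get(rule.get("RuleId", {}).get("Ref"), {})
                if target.get("Type") != "AWS::WAF::Rule":
                    problems.append(f"{logical_id}: RuleId must Ref an AWS::WAF::Rule")
    return problems

# The three resources from this page's examples, embedded inline as a dict.
RESOURCES = {
    "DetectXSS": {"Type": "AWS::WAF::XssMatchSet", "Properties": {"Name": "XssMatchSet", "XssMatchTuples": [
        {"FieldToMatch": {"Type": "URI"}, "TextTransformation": "NONE"},
        {"FieldToMatch": {"Type": "QUERY_STRING"}, "TextTransformation": "NONE"}]}},
    "XSSRule": {"Type": "AWS::WAF::Rule", "Properties": {"Name": "XSSRule", "MetricName": "XSSRule",
        "Predicates": [{"DataId": {"Ref": "DetectXSS"}, "Negated": False, "Type": "XssMatch"}]}},
    "MyWebACL": {"Type": "AWS::WAF::WebACL", "Properties": {"Name": "Web ACL to block cross-site scripting",
        "DefaultAction": {"Type": "ALLOW"}, "MetricName": "DetectXSSWebACL",
        "Rules": [{"Action": {"Type": "BLOCK"}, "Priority": 1, "RuleId": {"Ref": "XSSRule"}}]}},
}
```

Running check_template on the page's resources returns an empty list; a whitespace-only Name, an empty XssMatchTuples list, or a predicate whose Ref points at a resource that is not an XssMatchSet each produce a problem string.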