Cross-site scripting attack rule statement - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Cross-site scripting attack rule statement

An XSS (cross-site scripting) attack statement inspects for malicious scripts in a web request component. In an XSS attack, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers.

Nestable – You can nest this statement type.

WCUs – 40 WCUs, as a base cost. If you use the request component All query parameters, add 10 WCUs. If you use the request component JSON body, double the base cost WCUs. For each Text transformation that you apply, add 10 WCUs.

This statement type operates on a web request component, and requires the following request component settings:

  • Request component – The part of the web request to inspect, for example, a query string or the body.


    If you inspect the request components Body, JSON body, Headers, or Cookies, read about the limitations on how much content Amazon WAF can inspect at Handling of oversize request components in Amazon WAF.

    For information about web request components, see Web request component specification and handling.

  • Optional text transformations – Transformations that you want Amazon WAF to perform on the request component before inspecting it. For example, you could transform to lowercase or normalize white space. If you specify more than one transformation, Amazon WAF processes them in the order listed. For information, see Text transformation options.

Where to find this rule statement
  • Rule builder on the console – For Match type, choose Attack match condition > Contains XSS injection attacks.

  • APIXssMatchStatement