AWS CloudFormation
User Guide (Version )

AWS::WAF::XssMatchSet

A complex type that contains XssMatchTuple objects, which specify the parts of web requests that you want AWS WAF to inspect for cross-site scripting attacks and, if you want AWS WAF to inspect a header, the name of the header. If a XssMatchSet contains more than one XssMatchTuple object, a request needs to include cross-site scripting attacks in only one of the specified parts of the request to be considered a match.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::WAF::XssMatchSet", "Properties" : { "Name" : String, "XssMatchTuples" : [ XssMatchTuple, ... ] } }

YAML

Type: AWS::WAF::XssMatchSet Properties: Name: String XssMatchTuples: - XssMatchTuple

Properties

Name

The name, if any, of the XssMatchSet.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Update requires: Replacement

XssMatchTuples

Specifies the parts of web requests that you want to inspect for cross-site scripting attacks.

Required: Yes

Type: List of XssMatchTuple

Update requires: No interruption

Return Values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.

Examples

Define Which Part of a Request to Check for Cross-site Scripting

The following example looks for cross-site scripting in the URI or query string of an HTTP request.

JSON

"DetectXSS": { "Type": "AWS::WAF::XssMatchSet", "Properties": { "Name": "XssMatchSet", "XssMatchTuples": [ { "FieldToMatch": { "Type": "URI" }, "TextTransformation": "NONE" }, { "FieldToMatch": { "Type": "QUERY_STRING" }, "TextTransformation": "NONE" } ] } }

YAML

DetectXSS: Type: "AWS::WAF::XssMatchSet" Properties: Name: "XssMatchSet" XssMatchTuples: - FieldToMatch: Type: "URI" TextTransformation: "NONE" - FieldToMatch: Type: "QUERY_STRING" TextTransformation: "NONE"

Associate an XssMatchSet with a Web ACL Rule

The following example associates the DetectXSS match set with a web access control list (ACL) rule.

JSON

"XSSRule" : { "Type": "AWS::WAF::Rule", "Properties": { "Name": "XSSRule", "MetricName" : "XSSRule", "Predicates": [ { "DataId" : { "Ref" : "DetectXSS" }, "Negated" : false, "Type" : "XssMatch" } ] } }

YAML

XSSRule: Type: "AWS::WAF::Rule" Properties: Name: "XSSRule" MetricName: "XSSRule" Predicates: - DataId: Ref: "DetectXSS" Negated: false Type: "XssMatch"

Create a Web ACL

The following example associates the XSSRule rule with a web ACL. The web ACL allows all requests except for ones that contain cross-site scripting in the URI or query string of an HTTP request.

JSON

"MyWebACL": { "Type": "AWS::WAF::WebACL", "Properties": { "Name": "Web ACL to block cross-site scripting", "DefaultAction": { "Type": "ALLOW" }, "MetricName" : "DetectXSSWebACL", "Rules": [ { "Action" : { "Type" : "BLOCK" }, "Priority" : 1, "RuleId" : { "Ref" : "XSSRule" } } ] } }

YAML

MyWebACL: Type: "AWS::WAF::WebACL" Properties: Name: "Web ACL to block cross-site scripting" DefaultAction: Type: "ALLOW" MetricName: "DetectXSSWebACL" Rules: - Action: Type: "BLOCK" Priority: 1 RuleId: Ref: "XSSRule"