Amos Long

Reputation: 1065

API Gateway Returns Forbidden when string with "https://" is Posted

I have an API Gateway endpoint setup that uses a Lambda function to store a URL in DynamoDB. When I POST a message with this in the body

"videoURL": "www.youtube.com/watch?v=cgpvCVkrV6M"

the endpoint works fine. It returns 200 and the DynamoDB record is updated. However, when I POST this

"videoURL": "https://www.youtube.com/watch?v=cgpvCVkrV6M"

the endpoint returns a 403 Forbidden response and the DB record is not updated.

When I test inside API Gateway, the "https://" string is accepted.

I also have an API Key, a Usage Plan, a Client Certificate, and CORS Enabled (for local testing). I don't think any of these are the cause of my problem.

Does anyone have a guess as to why the "https://" string is causing a problem?

Upvotes: 2

Views: 821

Answers (1)

Amos Long

Reputation: 1065

The problem was in my Web Application Firewall (WAF). When I created my firewall, I added the AWS-AWSManagedRulesCommonRuleSet collection. According to the documentation of this rule set, one of the rules is:

GenericRFI_BODY - Inspects the values of the request body and blocks requests attempting to exploit RFI (Remote File Inclusion) in web applications. Examples include patterns like ://.

Disabling this rule solved my problem. I can now successfully send in and store "https://" in my database.

However, this rule represents a best practice (or at least a good practice), and should not be disabled without considering the risk. By disabling this rule, I make my endpoint vulnerable to Remote File Inclusion attacks. Since I have access to the endpoint and Lambda function definition, I could split my URL input into two fields ("https" and "www.youtube...") and keep the rule enabled. For anyone else encountering this issue, you'll have to weigh the ease vs. risk of each approach.

Upvotes: 2
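The two-field approach from the answer above, worked through as an added example (this is not the poster's Lambda code). It assumes an API Gateway proxy integration, two hypothetical request fields `videoScheme` and `videoLocation` in place of the original `videoURL`, and a hypothetical `id` field for the DynamoDB key; the DynamoDB write is injected as a callable so the example runs offline. The point it shows is that the client body never carries the `://` pattern that the GenericRFI_BODY rule inspects for, while the server still validates the scheme against an allowlist and rejects a location value that smuggles a scheme back in.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Only schemes the application is willing to store; "https" is the one
# the original question needed.  (Hypothetical policy for this example.)
ALLOWED_SCHEMES = {"https"}


def client_body(scheme, location):
    """Build the JSON body a client would POST.  The scheme and the rest of
    the URL travel in separate fields, so the raw body contains no "://"
    and does not match the WAF's GenericRFI_BODY pattern."""
    return json.dumps({"id": "video-1", "videoScheme": scheme, "videoLocation": location})


def parse_split_url(body):
    """Validate the two fields and reassemble the URL server-side.

    Returns (url, None) on success or (None, reason) on rejection.
    """
    scheme = body.get("videoScheme")
    rest = body.get("videoLocation")
    if not isinstance(scheme, str) or not isinstance(rest, str):
        return None, "videoScheme and videoLocation must be strings"
    if scheme.lower() not in ALLOWED_SCHEMES:
        return None, "unsupported scheme"
    if "://" in rest or rest.startswith("//"):
        # A scheme inside the location field is exactly the remote-include
        # pattern the WAF rule exists to catch, so reject it here as well.
        return None, "videoLocation must not contain a scheme"
    url = f"{scheme.lower()}://{rest}"
    parts = urlsplit(url)
    if not parts.netloc:
        return None, "missing host"
    # Normalise and drop any fragment before storing.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, "")), None


def lambda_handler(event, context=None, put_item=None):
    """API Gateway proxy-integration handler.

    `put_item` is injected so the example runs without boto3; in a deployed
    function it would be the DynamoDB table's put_item (hypothetical wiring).
    """
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return {"statusCode": 400, "body": json.dumps({"error": "invalid JSON"})}
    url, err = parse_split_url(body)
    if err:
        return {"statusCode": 400, "body": json.dumps({"error": err})}
    item = {"id": body.get("id", "unknown"), "videoURL": url}
    if put_item is not None:
        put_item(item)
    return {"statusCode": 200, "body": json.dumps(item)}


if __name__ == "__main__":
    stored = []
    good = client_body("https", "www.youtube.com/watch?v=cgpvCVkrV6M")
    print("posted body contains '://':", "://" in good)
    print(lambda_handler({"body": good}, put_item=stored.append))
    # A client trying to push a full URL through the location field is refused.
    bad = client_body("https", "http://example.invalid/include.txt")
    print(lambda_handler({"body": bad}, put_item=stored.append))
    print("items written:", stored)
```

The validation on the server side matters as much as the field split: without the allowlist and the `://` check, a client could reassemble an arbitrary remote reference through the two fields and the application would have given up the protection the managed rule provided.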
