The application is deployed in EKS behind an Application Load Balancer (ALB) with an AWS WAF web ACL attached to that ALB. In the web ACL, the managed rule group AWS-AWSManagedRulesAnonymousIpList is enabled, and the action for its HostingProviderIPList rule is overridden from Block to CAPTCHA.
We are making a cross-origin request (browser fetch/XHR from https://retrogreen.co.uk to https://api.retrogreen.co.uk) with a VPN turned on, and the request gets blocked. In the WAF "Sampled requests" view we can see our IP, the rule AWS-AWSManagedRulesAnonymousIpList#HostingProviderIPList, and the action CAPTCHA, but no CAPTCHA page was ever shown to solve. The WAF log shows the reason as TOKEN_MISSING. What actually fails is the browser-generated CORS preflight (the OPTIONS request in the HAR below): the WAF answers it with HTTP 405 and `x-amzn-waf-action: captcha`, the browser cannot render or solve a CAPTCHA interstitial during a preflight, so the preflight fails and the real POST is never sent (status 0, net::ERR_FAILED). A practitioner would expect to either exclude preflight OPTIONS requests from the CAPTCHA action (e.g. a scope-down statement or a higher-priority allow rule matching method OPTIONS with an `Origin` / `Access-Control-Request-Method` header), or accept that the CAPTCHA/challenge token must be acquired up front by the WAF JavaScript SDK — noting that the preflight itself will still not carry the token. Screenshot of the error page attached. Note: the HAR below contains a live `Authorization: Basic` header (base64 of user:password); redact it before sharing and rotate that credential.
WAF log
"args": "", "httpVersion": "HTTP/2.0", "httpMethod": "OPTIONS", "requestId": "1-6555fb65-77de024547288a803331d844" }, "captchaResponse": { "responseCode": 405, "failureReason": "TOKEN_MISSING" }, "ja3Fingerprint": "61f38b2663c769c4d33144835db7db15" }
Har file
{
"log": {
"version": "1.2",
"creator": {
"name": "WebInspector",
"version": "537.36"
},
"pages": [],
"entries": [
{
"_initiator": {
"type": "script",
"stack": {
"callFrames": [
{
"functionName": "sendRequest",
"scriptId": "7",
"url": "https://retrogreen.co.uk/amt/test-cors.html",
"lineNumber": 70,
"columnNumber": 10
},
{
"functionName": "onclick",
"scriptId": "25",
"url": "https://retrogreen.co.uk/amt/test-cors.html",
"lineNumber": 78,
"columnNumber": 34
}
]
}
},
"_priority": "High",
"_resourceType": "xhr",
"cache": {},
"request": {
"method": "POST",
"url": "https://api.retrogreen.co.uk/api/v1/property",
"httpVersion": "",
"headers": [
{
"name": "sec-ch-ua",
"value": "\"Google Chrome\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\""
},
{
"name": "Content-Type",
"value": "application/json"
},
{
"name": "Referer",
"value": "https://retrogreen.co.uk/"
},
{
"name": "sec-ch-ua-mobile",
"value": "?0"
},
{
"name": "Authorization",
"value": "Basic cmV0cm9HcmVlbjpTS3ZDTlJuVHB1RGdiVkg="
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
},
{
"name": "sec-ch-ua-platform",
"value": "\"Windows\""
}
],
"queryString": [],
"cookies": [],
"headersSize": -1,
"bodySize": 187,
"postData": {
"mimeType": "application/json",
"text": "{\"postcode\":\"RG20 0PG\",\"uprn\":\"100062458026\",\"address1\":\"Magpies\",\"address2\":\"Gore End Road\",\"address3\":\"Ball Hill\",\"latitude\":\"51.3680464\",\"longitude\":\"-1.3990267\",\"manualAddress\":false}"
}
},
"response": {
"status": 0,
"statusText": "",
"httpVersion": "",
"headers": [],
"cookies": [],
"content": {
"size": 0,
"mimeType": "x-unknown"
},
"redirectURL": "",
"headersSize": -1,
"bodySize": -1,
"_transferSize": 0,
"_error": "net::ERR_FAILED"
},
"serverIPAddress": "",
"startedDateTime": "2023-11-17T06:55:53.396Z",
"time": 985.3649999859044,
"timings": {
"blocked": 985.3649999859044,
"dns": -1,
"ssl": -1,
"connect": -1,
"send": 0,
"wait": 0,
"receive": 0,
"_blocked_queueing": -1
}
},
{
"_initiator": {
"type": "preflight",
"url": "https://api.retrogreen.co.uk/api/v1/property",
"requestId": "23628.42"
},
"_priority": "High",
"_resourceType": "preflight",
"cache": {},
"connection": "589586",
"request": {
"method": "OPTIONS",
"url": "https://api.retrogreen.co.uk/api/v1/property",
"httpVersion": "http/2.0",
"headers": [
{
"name": ":authority",
"value": "api.retrogreen.co.uk"
},
{
"name": ":method",
"value": "OPTIONS"
},
{
"name": ":path",
"value": "/api/v1/property"
},
{
"name": ":scheme",
"value": "https"
},
{
"name": "accept",
"value": "*/*"
},
{
"name": "accept-encoding",
"value": "gzip, deflate, br"
},
{
"name": "accept-language",
"value": "en-US,en;q=0.9"
},
{
"name": "access-control-request-headers",
"value": "authorization,content-type"
},
{
"name": "access-control-request-method",
"value": "POST"
},
{
"name": "origin",
"value": "https://retrogreen.co.uk"
},
{
"name": "referer",
"value": "https://retrogreen.co.uk/"
},
{
"name": "sec-fetch-dest",
"value": "empty"
},
{
"name": "sec-fetch-mode",
"value": "cors"
},
{
"name": "sec-fetch-site",
"value": "same-site"
},
{
"name": "user-agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
}
],
"queryString": [],
"cookies": [],
"headersSize": -1,
"bodySize": 0
},
"response": {
"status": 405,
"statusText": "",
"httpVersion": "http/2.0",
"headers": [
{
"name": "cache-control",
"value": "no-store, max-age=0"
},
{
"name": "content-length",
"value": "2453"
},
{
"name": "content-type",
"value": "text/html; charset=UTF-8"
},
{
"name": "date",
"value": "Fri, 17 Nov 2023 06:55:18 GMT"
},
{
"name": "server",
"value": "awselb/2.0"
},
{
"name": "x-amzn-waf-action",
"value": "captcha"
}
],
"cookies": [],
"content": {
"size": 0,
"mimeType": "text/html"
},
"redirectURL": "",
"headersSize": -1,
"bodySize": -1,
"_transferSize": 0,
"_error": null
},
"serverIPAddress": "52.208.205.231",
"startedDateTime": "2023-11-17T06:55:53.399Z",
"time": 980.6530000127032,
"timings": {
"blocked": 290.697,
"dns": 0.012999999999976808,
"ssl": 227.9219999999999,
"connect": 455.302,
"send": 0.19100000000003092,
"wait": 233.29600000038272,
"receive": 1.1540000123204663,
"_blocked_queueing": -1
}
}
]
}
}