Why does the AWS WAF Intelligent threat API silent challenge never fail


I've been trying to implement AWS WAF Intelligent threat mitigation on my website. The website is an SPA.

When the website loads it calls AwsWafIntegration.fetchToken() which is supposed to perform a silent challenge and return the WAF token. If this request fails, there's a fallback to AwsWafCaptcha.renderCaptcha() so that you can still get a WAF token by passing the CAPTCHA.

However, after some testing, it appears that the fetchToken call will always succeed and return a valid WAF token as long as the network connection is working. How does the silent challenge work and when can it fail? Have I implemented these features correctly?

1 answer

Janne Annala (best answer):

After discussing this with AWS support, it turns out I didn't understand the documentation correctly.

It turns out that AwsWafIntegration.fetchToken() is never supposed to fail. The silent challenge is executed on the client side immediately when the AWS script is loaded, and it can basically never fail either. The silent challenge will always succeed as long as you can execute JavaScript. Therefore calling fetchToken from a browser (even an automated one) will always return a valid WAF token.

According to AWS the "silent challenge" is not supposed to fail; it just collects data from the client and enables certain advanced features of the BotControl WAF rules, mainly the targeted rules. The correct way to implement this would be to:

Server side:

  1. Set up the AWSManagedRulesBotControlRuleSet in the WAF to throw a CAPTCHA, especially the targeted rules.

Client side:

  1. Fetch the WAF token
  2. Attempt to call some API endpoint on your service
  3. In the case of a 405 response, render CAPTCHA
  4. Attempt to call the API endpoint again after passing CAPTCHA

Direct quote from AWS:

We give the client a chance to acquire an aws-waf-token via the Challenge SDK, and if they 'failed' the challenge because they were detected as a bot through our client side interrogation - we recommend a CAPTCHA be thrown for the request. This is not determined by the failure to acquire an aws-waf-token but rather by the contents of the encrypted aws-waf-token that WAF fully understands.

So, all you need to then do is to add the Challenge SDK into your application, and let the default rules take care of the rest. However, you may naturally then ask what to do for the SPA, since the default action would result in an interstitial experience? The solution there would be to use the Captcha SDK and intercept the WAF response of HTTP 405.

They mentioned the documentation will be updated and clarified, so hopefully this will be more clear in future documentation.
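The four client-side steps from the answer (fetch token, call the API, render CAPTCHA on 405, retry), written out as an added example in JavaScript; this is not code from the answer or from the AWS SDK. The SDK objects are injected so that the constructed stubs at the bottom can stand in for AwsWafIntegration / AwsWafCaptcha and the WAF-protected endpoint. Assumed: AwsWafIntegration.fetchToken() resolves with the token, AwsWafCaptcha.renderCaptcha(container, { apiKey, onSuccess, onError }) calls onSuccess with a fresh token once the puzzle is solved, and the token is sent in the x-aws-waf-token request header.

```javascript
// Call a WAF-protected endpoint; on a 405 (WAF CAPTCHA action) render the CAPTCHA and retry.
// `sdk` / `captcha` are the SDK globals (assumed shapes, see lead-in); `fetchImpl` is window.fetch.
async function callWithWafFallback({ url, init = {}, sdk, captcha, container, apiKey, fetchImpl, maxAttempts = 2 }) {
  let token = await sdk.fetchToken(); // silent challenge: per AWS, this is not expected to fail
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const headers = { ...(init.headers || {}), 'x-aws-waf-token': token };
    const res = await fetchImpl(url, { ...init, headers });
    if (res.status !== 405) return res; // WAF judged the token acceptable (or the request is not challenged)
    // The encrypted token marked this client as suspicious: show the CAPTCHA and wait for the new token.
    token = await new Promise((resolve, reject) =>
      captcha.renderCaptcha(container, { apiKey, onSuccess: resolve, onError: reject }));
  }
  throw new Error(`still challenged after ${maxAttempts} attempts`);
}

// Constructed stand-ins (not the real SDK or WAF): the fake WAF answers 405 to every token
// except one obtained through the CAPTCHA, which is the situation the answer describes.
function makeFakeEnvironment() {
  const log = [];
  const sdk = { fetchToken: async () => 'silent-token' };
  const captcha = {
    renderCaptcha(_container, { onSuccess }) {
      log.push('captcha rendered');
      setTimeout(() => onSuccess('captcha-token'), 0); // user "solves" the puzzle
    },
  };
  const fetchImpl = async (url, reqInit) => {
    const tok = reqInit.headers['x-aws-waf-token'];
    log.push(`${url} with ${tok}`);
    return tok === 'captcha-token' ? { status: 200, ok: true } : { status: 405, ok: false };
  };
  return { sdk, captcha, fetchImpl, log };
}

// Runs the flow against the fake environment and returns the final status plus the call log.
async function demo() {
  const env = makeFakeEnvironment();
  const res = await callWithWafFallback({
    url: '/api/items', sdk: env.sdk, captcha: env.captcha, container: null,
    apiKey: 'PLACEHOLDER_CAPTCHA_API_KEY', fetchImpl: env.fetchImpl,
  });
  return { status: res.status, log: env.log };
}

demo().then((r) => console.log(r.status, r.log));
```

In the browser, pass `AwsWafIntegration` as `sdk`, `AwsWafCaptcha` as `captcha`, a real DOM element as `container` and `window.fetch` as `fetchImpl`.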