Security limitations in the default protection offered by Google’s web application firewall (WAF) make it possible to bypass the company’s cloud-based defenses.
Researchers at security consultancy Kloudle found they were able to bypass both Google Cloud Platform (GCP) and Amazon Web Services (AWS) web app firewalls just by making a POST request more than 8KB in size.
“The default behavior of Cloud Armor in this case can allow malicious requests to bypass Cloud Armor and directly reach an underlying application,” according to Kloudle.
WAFs are supposed to protect against web-based attacks including SQL Injection and cross-site scripting – even in cases where an underlying application is still vulnerable.
Bypassing this protection would take a potential attacker one step closer to attacking a web-hosted application, provided a targeted endpoint accepts HTTP POST requests “in a manner which could trigger an underlying vulnerability”.
“This issue can be exploited by crafting an HTTP POST request with a body size exceeding the 8KB size limitation of Cloud Armor, where the payload appears after the 8192th byte/character in the request body,” Kloudle explains in a technical blog post.
Under armor
The Cloud Armor WAF from Google comes with a set of preconfigured firewall rules that draw from the open source OWASP ModSecurity Core Rule Set.
Users can close off this attack vector by configuring a custom Cloud Armor rule that blocks HTTP requests whose body is larger than 8192 bytes – a blanket rule that can then be tweaked to allow defined exceptions, such as endpoints that legitimately accept large uploads.
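As an added illustration (not code from the article, from Kloudle, or from Google), the following Python applies the same rule at the origin as defence in depth: a POST whose body exceeds the 8192-byte window the WAF inspects is rejected unless its path is a configured exception. It also checks the real body length, not just the declared Content-Length, so an under-declared or chunked request is caught too; the middleware, the 413 response and the helper names are assumptions for the example.

```python
import io
from typing import Iterable

# Cloud Armor inspects only the first 8 KiB of a request body (figure from the article).
WAF_INSPECTED_BYTES = 8192


def oversized_post_verdict(method: str, path: str, headers: dict, body: bytes,
                           exceptions: Iterable[str] = (),
                           limit: int = WAF_INSPECTED_BYTES) -> tuple[bool, str]:
    """Return (blocked, reason) for one request.

    Mirrors the custom rule suggested above (block POST bodies > 8192 bytes,
    with per-path exceptions) but also measures the actual body, so a request
    that under-declares Content-Length, or omits it (chunked encoding), is caught.
    """
    if method.upper() != "POST":
        return False, "not a POST"
    if path in set(exceptions):
        return False, "path is a configured exception"
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) > limit:
        return True, f"declared Content-Length {declared} > {limit}"
    if len(body) > limit:
        return True, f"actual body is {len(body)} bytes > {limit}"
    return False, "body within the WAF-inspected size"


def uninspected_tail(body: bytes, limit: int = WAF_INSPECTED_BYTES) -> bytes:
    """The part of a body the WAF never examines: everything after byte `limit`.
    Useful when reviewing logged requests for what reached the app unexamined."""
    return body[limit:]


class BodySizeGuard:
    """WSGI middleware (hypothetical) applying the verdict at the origin.
    Reads at most limit+1 bytes up front so an oversized body is never fully buffered."""

    def __init__(self, app, exceptions: Iterable[str] = (), limit: int = WAF_INSPECTED_BYTES):
        self.app, self.exceptions, self.limit = app, tuple(exceptions), limit

    def __call__(self, environ, start_response):
        headers = {"content-length": environ.get("CONTENT_LENGTH", "")}
        body = environ["wsgi.input"].read(self.limit + 1)
        blocked, reason = oversized_post_verdict(
            environ.get("REQUEST_METHOD", "GET"), environ.get("PATH_INFO", "/"),
            headers, body, self.exceptions, self.limit)
        if blocked:
            start_response("413 Payload Too Large", [("Content-Type", "text/plain")])
            return [reason.encode()]
        # Re-attach the bytes already consumed so the wrapped app sees the whole body.
        environ["wsgi.input"] = io.BytesIO(body + environ["wsgi.input"].read())
        return self.app(environ, start_response)
```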
Although AWS’ WAF has much the same problems, Kloudle faulted GCP for failing to highlight the issue to customers. Other cloud-based WAFs exhibit similar limitations, the researchers said.
Kloudle told The Daily Swig: “This is part of ongoing work… so far, we have seen request body limitations with Cloudflare, Azure, and Akamai as well. Some have 8KB and others extend to 128KB.”
The Daily Swig invited both Google and AWS to comment on Kloudle’s research and on what precautions their cloud customers might want to take. We’ll update this story as and when more information comes to hand.
A representative of Kloudle was sympathetic about security and functionality trade-offs cloud providers are obliged to balance but told The Daily Swig that cloud providers ought to do more to educate users about the issue.
“Perimeter security software is hard. I suspect in this case the 8KB limit allows them to reliably process other WAF rules,” the representative explained.
“They could be doing more for developer awareness, including adding that rule by default with the option to disable in case someone wants to.
“As per the shared security responsibility model they put the onus on the end user to use the service securely,” they added.
Source: https://portswigger.net/daily-swig/google-waf-bypassed-via-oversized-post-requests