Security research highlights web application firewall security risk

Oversized POST requests offer a mechanism to smuggle attacks past web application firewalls

UPDATED Security limitations in the default protection offered by Google’s web application firewall (WAF) make it possible to bypass the company’s cloud-based defenses.

Researchers at security consultancy Kloudle found they were able to bypass both Google Cloud Platform (GCP) and Amazon Web Services (AWS) web app firewalls just by making a POST request more than 8KB in size.

“The default behavior of Cloud Armor in this case can allow malicious requests to bypass Cloud Armor and directly reach an underlying application,” according to Kloudle.

“This is similar to the well-documented 8 KB limitation of the AWS web application firewall, however, in the case of Cloud Armor, the limitation is not as widely known and is not presented to customers as prominently as the limitation in AWS.”

WAFs are supposed to protect against web-based attacks including SQL Injection and cross-site scripting – even in cases where an underlying application is still vulnerable.

Bypassing this protection would take a potential attacker one step closer to attacking a web-hosted application, provided a targeted endpoint accepts HTTP POST requests “in a manner which could trigger an underlying vulnerability”.

“This issue can be exploited by crafting an HTTP POST request with a body size exceeding the 8KB size limitation of Cloud Armor, where the payload appears after the 8192th byte/character in the request body,” Kloudle explains in a technical blog post.

Under armor

The Cloud Armor WAF from Google comes with a set of preconfigured firewall rules that draw from the open source OWASP ModSecurity Core Rule Set.

Users can block the potential attack vector by configuring a custom Cloud Armor rule to block HTTP requests where the request body is larger than 8192 bytes – a general rule that can be further tweaked to accept defined exceptions.
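
The following sketch is an added example, not code from Kloudle, Google or AWS. It models a WAF that inspects only the first 8192 bytes of a request body and shows how a size-limit rule like the one described above closes the gap. The signature, function names and sample requests are constructed for illustration, and denying requests without a usable Content-Length is an assumption of this sketch.

```python
import re

INSPECTION_LIMIT = 8192  # body bytes the WAF inspects (the 8 KB limit in the article)
# Constructed stand-in signature; a real rule set such as the OWASP CRS is far broader.
SIGNATURE = re.compile(rb"<script\b", re.IGNORECASE)
BODY_METHODS = {"POST", "PUT", "PATCH"}


def signature_hit(body: bytes) -> bool:
    """Signature match over the inspected window only, as the WAF sees the body."""
    return SIGNATURE.search(body[:INSPECTION_LIMIT]) is not None


def size_rule_denies(method: str, headers: dict) -> bool:
    """Custom rule: deny body-carrying requests declaring more than the window.

    Assumption of this sketch: a missing or non-numeric Content-Length is also
    denied, because the uninspected remainder cannot be bounded.
    """
    if method.upper() not in BODY_METHODS:
        return False
    raw = {k.lower(): v for k, v in headers.items()}.get("content-length", "").strip()
    if not (raw.isascii() and raw.isdigit()):
        return True
    return int(raw) > INSPECTION_LIMIT


def waf_decision(method: str, headers: dict, body: bytes, enforce_size_rule: bool) -> str:
    """Return 'deny' or 'allow' for one request under the modelled policy."""
    if enforce_size_rule and size_rule_denies(method, headers):
        return "deny"
    return "deny" if signature_hit(body) else "allow"


def make_request(padding_len: int):
    """Constructed sample: filler bytes, then a string the signature matches."""
    body = b"a" * padding_len + b"<script>"
    return "POST", {"Content-Length": str(len(body))}, body


if __name__ == "__main__":
    for pad in (100, INSPECTION_LIMIT):
        for rule in (False, True):
            method, headers, body = make_request(pad)
            print(pad, rule, waf_decision(method, headers, body, rule))
```

Legitimate endpoints that need larger bodies, such as file uploads, would be handled as the defined exceptions the article mentions, with validation applied in the application itself.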

Although AWS’ WAF has much the same problems, Kloudle faulted GCP for failing to highlight the issue to customers. Other cloud-based WAFs exhibit similar limitations, the researchers said.

Kloudle told The Daily Swig: “This is part of ongoing work… so far, we have seen request body limitations with Cloudflare, Azure, and Akamai as well. Some have 8KB and others extend to 128KB.”

In response to queries from The Daily Swig, a Google representative pointed out that it does disclose the 8KB limit in its documentation.

A representative of Kloudle was sympathetic about security and functionality trade-offs cloud providers are obliged to balance but told The Daily Swig that cloud providers ought to do more to educate users about the issue.

“Perimeter security software is hard. I suspect in this case 8KB limit allows them to reliably process other WAF rules,” the representative explained.

“They could be doing more for developer awareness, including adding that rule by default with the option to disable in case someone wants to.

“As per the shared security responsibility model they put the onus on the end user to use the service securely,” they added.

This story was updated to add comment from Google and to clarify Kloudle's implied criticism of GCP's documentation and communication with its customers.
