AWS WAF Byte Size Bypass
Introduction
A Web Application Firewall (WAF) is a very common resource or service that infrastructure and application administrators rely on to protect Internet-facing applications. A WAF sits in front of the web application and inspects the HTTP traffic reaching the perimeter to ensure nothing suspicious or malicious gets through.
What are we going to cover?
This chapter covers an attack that bypasses AWS WAF by abusing a limitation in how it inspects a request body, which configurations are vulnerable, and how an attacker can take advantage of this limitation.
What does the limitation mean in the real world?
Imagine you have a web application running on an EC2 instance. A load balancer sits in front of the EC2 instance. All web traffic trying to reach the web application from the Internet goes through AWS WAF before reaching the load balancer.
Now, if the web application has a vulnerability that an Internet-based attacker can exploit, most SREs and application and infrastructure administrators would expect AWS WAF to thwart the attacker.
The WAF functions as advertised for any request whose body is smaller than 8KB, but as soon as the attack traffic exceeds 8KB, a malicious payload goes straight through AWS WAF and the load balancer and is processed by the application.

Here’s an example of an application hosted on AWS as described in the setup above.
Steps to attack - DEMO
We are going to access an application hosted on an AWS instance. The application is a deliberately vulnerable NodeJS application.
Try to access the application over the Internet and perform SQL injection. For this demo we will use the Damn Vulnerable NodeJS Application (DVNA).
Navigate to the SQL injection scenario and observe the response:
User not found

Now, enter the payload
' OR 1=1 --
and observe the response

Once we have established that the app is vulnerable, we move it behind an AWS Load Balancer and add a Web Application Firewall to the setup.
The same input now gets blocked by the WAF.
Given that the attack payload was sent via a POST request and that we were blocked, as an attacker we can safely assume that a rule inspecting the HTTP request body is in place. Using our knowledge of the 8KB limitation, we can now craft a request that bypasses AWS WAF and reaches the web application.
To create a padding payload of 8KB or more, you can use the pattern generator below - https://wiremask.eu/tools/buffer-overflow-pattern-generator/
We use an interception proxy to add extra parameters to the request body so that its size exceeds 8KB. This causes AWS WAF to skip inspection of the request and forward it to the web application.

It is important to note that the attack payload must come after 8KB of junk data in the request body for the bypass to work.
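The following is an added example, not code from the original article or from AWS: a small Python simulation of the inspection limit described above. A constructed inspector looks only at the first 8KB of a request body (the behaviour the bypass relies on) and is compared with a fail-closed policy that blocks any body it cannot inspect in full. The SQL injection signature, the 8KB constant, the form-encoded sample bodies and the policy names "continue" and "block" are all assumptions made for the demo.

```python
"""
Added example (not from the original article or from AWS): a simulation
of the request-body inspection limit described above. The inspector,
the signature and the sample request bodies are all constructed here.
"""
import re
from urllib.parse import unquote_plus, urlencode

INSPECTION_LIMIT = 8 * 1024  # 8 KB, the limit the article discusses

# Illustrative SQL-injection signature standing in for a WAF rule; it is
# not AWS's rule logic. It matches the "' OR 1=1 --" payload used in the demo.
SQLI_SIGNATURE = re.compile(r"'\s*or\s+1\s*=\s*1\s*--", re.IGNORECASE)


def inspect_body(body: bytes, oversize_policy: str = "continue") -> str:
    """Return 'BLOCK' or 'ALLOW' for a request body.

    oversize_policy controls what happens when the body is larger than
    INSPECTION_LIMIT:
      'continue' - inspect only the first 8 KB and forward the rest unseen
                   (the behaviour the bypass relies on)
      'block'    - fail closed: any body the WAF cannot fully inspect is blocked
    """
    if len(body) > INSPECTION_LIMIT and oversize_policy == "block":
        return "BLOCK"
    # Only the first INSPECTION_LIMIT bytes are visible to the rule engine.
    window = body[:INSPECTION_LIMIT].decode("utf-8", errors="ignore")
    # Mirror the WAF's URL-decode text transformation before matching.
    if SQLI_SIGNATURE.search(unquote_plus(window)):
        return "BLOCK"
    return "ALLOW"


def form_body(fields: dict) -> bytes:
    """Encode fields as application/x-www-form-urlencoded, preserving order."""
    return urlencode(fields).encode()


# Constructed sample bodies for a login form like DVNA's.
BENIGN = form_body({"login": "alice", "password": "hunter2"})
SMALL_ATTACK = form_body({"login": "' OR 1=1 --", "password": "x"})
# The same payload placed after more than 8 KB of filler, as the article describes.
PADDED_ATTACK = form_body(
    {"filler": "A" * (INSPECTION_LIMIT + 1), "login": "' OR 1=1 --", "password": "x"}
)


def evaluate(policy: str) -> dict:
    """Run each sample body through the inspector under the given policy."""
    return {
        "benign": inspect_body(BENIGN, policy),
        "small_attack": inspect_body(SMALL_ATTACK, policy),
        "padded_attack": inspect_body(PADDED_ATTACK, policy),
    }


if __name__ == "__main__":
    for policy in ("continue", "block"):
        print(policy, evaluate(policy))
```

Under the "continue" policy the small payload is blocked while the padded one is allowed, which is exactly the gap the article demonstrates; under the "block" policy both are stopped. The defensive takeaway is the same whether you use a size-constraint rule on the body, the oversize-handling option on the body field-to-match in AWS WAFv2, or a request-size limit at the load balancer or application: decide explicitly what happens to bodies the WAF cannot inspect, and log or alert on them rather than letting them pass silently.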
The damage an attacker can cause is limited only by the vulnerability that can be exploited; in the case of the recently disclosed Log4J set of vulnerabilities, it could mean a complete compromise of the server instances from the Internet.