Google Cloud WAF Bypass

Introduction

Web application firewall suites provide a critical layer of security for modern web applications and can protect them from a wide variety of attacks, such as code execution, SQL injection and cross-site scripting, even when the underlying application is vulnerable. Google Cloud customers can use Cloud Armor to protect applications served through Google Cloud Load Balancing.

What is Cloud Armor?

Google Cloud Armor helps you protect your Google Cloud deployments from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).

What are we going to cover?

This chapter covers an attack that bypasses a limitation of the Google Cloud WAF when it inspects a request body, which configurations are affected, and how an attacker can take advantage of this limitation.

Steps to attack - DEMO

  • We use the same vulnerable NodeJS app, but this time host it on a Google VM instance.

  • Exploit the SQL injection scenario of the application and observe the response "User not found".

  • Now enter the payload ' OR 1=1 -- and observe the SQL error in the response.

  • We now move the VM instance behind a Google Load Balancer, integrate Google Cloud Armor with the Load Balancer, enter the same payload and observe that the request is blocked.

The 8 KB limitation

The web application firewall component of Cloud Armor inspects incoming HTTP requests and compares them against rule-based policies defined by the user. The Cloud Armor service can be configured to allow or deny a request to the underlying application based on the rules triggered by a given request.

The web application firewall component of Cloud Armor has a non-configurable HTTP request body size limit of 8 KB. This means that Cloud Armor will only inspect the first 8192 bytes or characters of an HTTP POST request body.

This issue can be exploited by crafting an HTTP POST request with a body larger than the 8 KB limit of Cloud Armor, where the payload is placed after the 8192nd byte of the request body.

To create a buffer payload of 8 KB or more, you can use the pattern generator below: https://wiremask.eu/tools/buffer-overflow-pattern-generator/

Screenshot: the padded request bypasses the WAF.

Request body limitations with HTTP PUT and PATCH

  • Another limitation of Cloud Armor is that request body inspection is limited to HTTP POST requests. As a result, an attacker could craft an HTTP PUT or PATCH request with a malicious payload in the request body to bypass the WAF without having to append 8192 bytes of padding to the payload.

  • As noted above for HTTP POST requests, an attacker’s ability to make meaningful use of this technique depends on the underlying application accepting and processing HTTP PUT/PATCH requests in a manner that could trigger an underlying vulnerability.
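To make the two inspection gaps (the 8 KB limit and the POST-only inspection) concrete from the defender's side, the following added example (not code from the original page or from Google) models what the WAF sees, what the application sees, and a compensating check. The SQLi signature, the "A" padding and the hardened check are assumptions for illustration; the real Cloud Armor rule set is far larger, and the compensating control is something you would place in the application or a proxy, not a Cloud Armor feature.

```python
import re

# Inspection limit described on this page: Cloud Armor looks at the first 8 KB of a POST body.
INSPECT_LIMIT = 8192
# Toy stand-in for a WAF SQLi rule (assumption: the real rule set is far larger).
SQLI_SIGNATURE = re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE)


def waf_verdict(method: str, body: bytes, limit: int = INSPECT_LIMIT) -> str:
    """Model of the behaviour described above: only POST bodies are inspected,
    and only their first `limit` bytes."""
    if method != "POST":
        return "allow"  # PUT/PATCH bodies are never inspected
    inspected = body[:limit].decode("utf-8", errors="replace")
    return "deny" if SQLI_SIGNATURE.search(inspected) else "allow"


def hardened_verdict(method: str, body: bytes, limit: int = INSPECT_LIMIT) -> str:
    """Compensating control (an assumption, not a Cloud Armor feature): refuse
    anything the WAF model cannot fully inspect, then fall back to the WAF model."""
    if body and method != "POST":
        return "deny:uninspected-method"
    if len(body) > limit:
        return "deny:body-exceeds-inspection-limit"
    return waf_verdict(method, body, limit)


def app_sees_payload(body: bytes) -> bool:
    """The application parses the whole body, so the payload is live no matter
    where in the body it sits."""
    return SQLI_SIGNATURE.search(body.decode("utf-8", errors="replace")) is not None


PAYLOAD = b"username=' OR 1=1 --"   # the payload used in the demo above
PADDING = b"A" * INSPECT_LIMIT       # constructed filler standing in for the pattern generator output

# Constructed sample requests: (label, method, body)
SAMPLE_REQUESTS = [
    ("benign POST",         "POST", b"username=alice"),
    ("direct POST payload", "POST", PAYLOAD),
    ("padded POST payload", "POST", PADDING + b"&" + PAYLOAD),
    ("PUT payload",         "PUT",  PAYLOAD),
]


def compare() -> dict:
    """Per sample: WAF model verdict, hardened verdict, and whether the app still gets the payload."""
    return {label: (waf_verdict(m, b), hardened_verdict(m, b), app_sees_payload(b))
            for label, m, b in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, (waf, hardened, reaches_app) in compare().items():
        print(f"{label:20s} waf={waf:6s} hardened={hardened:36s} app_sees_payload={reaches_app}")
```

The padded POST and the PUT request both come back `allow` from the WAF model while `app_sees_payload` is true, which is exactly the gap the hardened check closes by refusing what cannot be inspected.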
