CyberManipal.

Tech news from MIST

Google WAF bypassed by oversized POST requests

Research and Development
@DevataRohan

Devata Rohan

March 4, 2022

A WAF (web application firewall) protects a web application from malicious traffic such as SQL injection, DDoS, and similar attacks. Recently, however, Google's WAF was bypassed using POST requests. Researchers at Kloudle (a security consultancy firm) reported that they were able to bypass the WAFs of Google Cloud Platform (GCP) and Amazon Web Services (AWS) by sending a POST request larger than 8 kilobytes. This can give an attacker a path to the underlying application: WAFs are expected to stop web-based attacks even when the application behind them is still vulnerable, so bypassing the WAF against an endpoint that accepts HTTP POST requests lets the underlying vulnerability be triggered, bringing the attacker one step closer to compromising the hosted application.

Google's Cloud Armor WAF ships with a set of predefined firewall rules drawn from OWASP. Because the attack payload appears after the 8192nd byte of the request body, users can block this vector by configuring a custom Cloud Armor rule that intercepts HTTP requests of size greater than or equal to 8192 bytes.

Kloudle's researchers criticised GCP for failing to highlight this issue to users. They also noted that many other cloud-based WAFs exhibit the same problem, with request-body inspection limits between 8 KB and 128 KB.
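The following Python snippet is an added illustration, not code from the article, Kloudle, or Google. It models the gap the article describes: a WAF whose body inspection stops at 8192 bytes (the limit quoted above) and the size gate that closes it by rejecting any request whose body reaches that limit, so that nothing past the inspection window ever reaches the application. The signature, request bodies, and function names are constructed for the example; the gate mirrors the custom Cloud Armor rule the article recommends, applied here as an application-side or proxy-side check.

```python
import re

# Inspection window size the article quotes for Cloud Armor (8192 bytes).
INSPECTION_LIMIT = 8192

# Toy stand-in for an OWASP-style WAF signature (constructed for this example).
SIGNATURES = [re.compile(rb"(?i)union\s+select")]


def inspect_window(body: bytes, limit: int = INSPECTION_LIMIT) -> bool:
    """Model a WAF whose body inspection is capped at `limit` bytes.

    Returns True only if a signature matches inside the first `limit` bytes;
    anything after that point is never looked at, which is the weakness.
    """
    window = body[:limit]
    return any(sig.search(window) for sig in SIGNATURES)


def size_gate(body: bytes, limit: int = INSPECTION_LIMIT) -> bool:
    """Return True when the body is at least `limit` bytes long.

    A body of that size has content the capped inspector cannot see, so the
    safe decision is to reject it outright (the article's custom-rule mitigation).
    """
    return len(body) >= limit


def decide(body: bytes, limit: int = INSPECTION_LIMIT, gate_enabled: bool = True) -> str:
    """Combine the size gate and the capped signature check into one verdict."""
    if gate_enabled and size_gate(body, limit):
        return "blocked: body-too-large"
    if inspect_window(body, limit):
        return "blocked: signature"
    return "allowed"


if __name__ == "__main__":
    # Constructed request bodies for demonstration.
    small_ok = b"name=alice&comment=hello"
    small_bad = b"q=1 UNION SELECT 2"
    # Padding pushes the suspicious text past the 8192-byte inspection window.
    padded = b"comment=" + b"A" * 8192 + b" union select 1"

    print("small benign      :", decide(small_ok))
    print("small signature   :", decide(small_bad))
    print("padded, no gate   :", decide(padded, gate_enabled=False))  # escapes inspection
    print("padded, with gate :", decide(padded))                      # caught by size gate
```

The size gate is blunt: it also rejects legitimate large POST bodies (file uploads, big forms), so in practice it belongs on the specific endpoints that should never receive bodies that large, with the remaining endpoints served by a WAF or proxy that inspects the whole body. The useful check for defenders is the `inspect_window(padded)` result: if your WAF's verdict on a padded request equals that value, its inspection is capped and the gate is needed.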

Abridged from PortSwigger
