Summary
AWS WAF using the Core Rules set allowed SQL injection. In AWS WAF only the first 8 KB (8,192 bytes) of the request body are forwarded to AWS WAF for inspection, but AWS Managed rules allowed requests up to 10 KB.
An attacker could send a request larger than 8 KB but smaller than 10 KB, with a malicious payload located after the first 8,192 bytes, and thereby pass the WAFs inspection.
To fix this issue, AWS reduced the request size limit to 8 KB.
Affected Services
AWS WAF
Remediation
None required
Tracked CVEs
No tracked CVEs
References
https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html
Contributed by https://github.com/mer-b
Disclosure Date
Fri, Sep 3rd, 2021
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Osama Elnaggar
