medium

AWS WAF configuration allows SQL injection

Published Sun, Oct 3rd, 2021
Platforms

Summary

AWS WAF using the Core Rule Set allowed SQL injection. AWS WAF forwards only the first 8 KB (8,192 bytes) of the request body for inspection, but the AWS Managed Rules allowed request bodies of up to 10 KB. An attacker could send a request larger than 8 KB but smaller than 10 KB, with the malicious payload placed after the first 8,192 bytes, and thereby pass the WAF's inspection. To fix this issue, AWS reduced the request size limit to 8 KB.
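As an added illustration (not AWS code and not part of this entry), the following Python model shows the mismatch the summary describes: the body size restriction and the inspection window are two separate limits, and any body admitted by the size rule but longer than the inspected prefix is never seen by the signature rules, so the fix is to make the size limit no larger than the window. The function names, the toy signature and the sample bodies are constructed for this example.

```python
import re

INSPECTION_WINDOW = 8192  # bytes of the request body actually forwarded for inspection

# Toy SQL-injection signature, constructed for this illustration; real managed rules
# use many more patterns and text transformations.
SQLI_SIGNATURE = re.compile(rb"(?i)\bunion\b[\s\S]*\bselect\b")


def waf_decision(body: bytes, size_limit: int, window: int = INSPECTION_WINDOW) -> str:
    """Simplified model of the managed-rule evaluation described in the advisory.

    size_limit plays the role of the body size restriction in the Core Rule Set
    (10 KB before the fix, 8 KB after). Signature rules only ever see body[:window].
    """
    if len(body) > size_limit:
        return "BLOCK"  # size rule fires regardless of content
    if SQLI_SIGNATURE.search(body[:window]):
        return "BLOCK"  # signature matched inside the inspected prefix
    return "ALLOW"


def inspection_gap(size_limit: int, window: int = INSPECTION_WINDOW) -> int:
    """Bytes that the size rule admits but that are never inspected (0 means no gap)."""
    return max(0, size_limit - window)


def constructed_body(total_len: int, suffix: bytes) -> bytes:
    """Build a constructed sample body of exactly total_len bytes ending in `suffix`."""
    if total_len < len(suffix):
        raise ValueError("total_len shorter than suffix")
    return b"x" * (total_len - len(suffix)) + suffix


def demo() -> dict:
    """Evaluate a 9 KB body and a 512-byte body under the old and new size limits."""
    payload = b"' UNION SELECT username, password FROM users--"
    nine_kb = constructed_body(9 * 1024, payload)
    return {
        "gap_before_fix": inspection_gap(10 * 1024),   # 2048 uninspected bytes
        "gap_after_fix": inspection_gap(8 * 1024),     # 0
        "before_fix": waf_decision(nine_kb, 10 * 1024),  # ALLOW: payload past the window
        "after_fix": waf_decision(nine_kb, 8 * 1024),    # BLOCK: size rule fires first
        "small_request": waf_decision(constructed_body(512, payload), 8 * 1024),  # BLOCK
    }


if __name__ == "__main__":
    print(demo())
```

For custom (non-managed) web ACLs the same consistency check applies: pair body-inspecting rules with a size constraint on the body so that nothing beyond the inspected prefix is accepted.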

Affected Services

AWS WAF

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Fri, Sep 3rd, 2021
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Osama Elnaggar