Severity
medium

Google Cloud Armor packet size bypass

Published Thu, Feb 24th, 2022
Platforms

Summary

Cloud Armor has a documented limitation of 8 KB as the maximum amount of a web request body it inspects; only the first 8 KB is evaluated against its rules. By default an oversized request is not rejected, so a malicious payload placed past the first 8 KB of the body bypasses Cloud Armor's inspection and reaches the underlying application unexamined. Moreover, Cloud Armor does not warn users of this limitation during policy creation or when configuring rules in the web UI; the only reference to the 8 KB limit is in the [Cloud Armor documentation](https://cloud.google.com/armor/docs/security-policy-overview).

Affected Services

Cloud Armor

Remediation

A custom rule can be added in Advanced mode to deny any request whose declared body length reaches the inspection limit: `int(request.headers["content-length"]) >= 8192`, paired with a deny action returning a 502, 403, or 404 HTTP response status. The expression keys on the client-supplied Content-Length header as received by Cloud Armor, so a request that carries no Content-Length (for example a chunked upload) is not matched by this condition and should be verified separately.
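The following probe, added here as an illustration and not code from Kloudle or Google, checks a deployment for the behaviour described in the Summary and for the effect of the Remediation rule. It sends the same test pattern twice: once inside a small body, where the policy must block it if the policy works at all, and once placed beyond the 8 KB boundary inside an oversized body. If the second request reaches the backend, the bypass is present; after the Content-Length rule is in place the oversized request is denied. The test pattern is an assumption (a textbook SQL injection string for a policy that uses the preconfigured sqli rule set); replace it with whatever your own policy is known to block. The target URL is supplied on the command line.

```python
"""Probe whether a WAF in front of an endpoint inspects request bodies
beyond a size boundary (Cloud Armor documents 8 KB).

Added example, not part of the original advisory or of any vendor code.
"""
import sys
import urllib.error
import urllib.request

INSPECTION_LIMIT = 8192  # bytes of body Cloud Armor documents inspecting

# Assumed test pattern: something the policy under test is known to block
# when it appears within the inspected part of the body.  A classic SQLi
# string is used here for a policy with the preconfigured sqli rule set;
# substitute a pattern your own rules match.
TEST_PATTERN = b"' OR 1=1 --"

# Deny statuses a Cloud Armor deny action can return.
BLOCKED = {403, 404, 502}


def build_body(pattern: bytes, offset: int, total: int = INSPECTION_LIMIT + 1024) -> bytes:
    """Return a form-encoded body of exactly `total` bytes in which `pattern`
    starts at byte `offset`.  Padding is a benign field value so the request
    is otherwise ordinary; the default `total` exceeds the 8 KB limit."""
    prefix = b"pad="
    if offset < len(prefix):
        raise ValueError("offset must leave room for the field name")
    if offset + len(pattern) > total:
        raise ValueError("pattern does not fit inside the requested body size")
    head = prefix + b"A" * (offset - len(prefix))          # bytes [0, offset)
    tail = b"B" * (total - offset - len(pattern))          # fills to `total`
    body = head + pattern + tail
    assert len(body) == total and body[offset:offset + len(pattern)] == pattern
    return body


def post(url: str, body: bytes, timeout: float = 10.0) -> int:
    """POST `body` and return the HTTP status.  urllib sets Content-Length
    from len(body), which is the header the remediation rule evaluates."""
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(status_inline: int, status_deep: int) -> str:
    """Interpret the two statuses.

    status_inline: pattern within the first 8 KB of a small body
    status_deep:   pattern past the 8 KB boundary of an oversized body
    """
    if status_inline not in BLOCKED:
        return "inconclusive: pattern not blocked even where it is inspectable"
    if status_deep in BLOCKED:
        return "denied: oversized request blocked (size rule or deeper inspection)"
    return "bypass: pattern past 8 KB reached the backend"


def run(url: str) -> str:
    # Small body: pattern right after the field name, well inside 8 KB.
    inline = post(url, build_body(TEST_PATTERN, offset=4, total=1024))
    # Oversized body: pattern starts 16 bytes past the inspection limit.
    deep = post(url, build_body(TEST_PATTERN, offset=INSPECTION_LIMIT + 16))
    return verdict(inline, deep)


if __name__ == "__main__":
    print(run(sys.argv[1]))
```

Run it against a test endpoint behind the policy before and after adding the Content-Length rule; the verdict should move from "bypass" to "denied". If the first probe is not blocked, fix the pattern or the policy before drawing any conclusion about the size limit.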

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Thu, Feb 24th, 2022
Exploitability Period
Ongoing
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Karan Saini, Riyaz Walikar, Kloudle