WAFfle the Security: Serving Up a Bypass on AWS WAF

Article Penetration Testing

As the new year unfolds, it heralds a fresh chapter in the evolution of my penetration testing approach. In the span of the initial quarter, my assessments have yielded not only two CVEs, but also a significant discovery—a bypass in a major Web Application Firewall (WAF).

This comes on the heels of my recent blog post, “Beyond the Web Application Firewall,” where I emphasized the critical need for intrinsic security measures within the application code itself, beyond mere reliance on WAF technology. It seems almost predestined that I would encounter an AWS WAF Bypass so soon after advocating for deeper security integration.

In the ever-evolving landscape of cybersecurity, vigilance is paramount. Recently, while conducting a routine security assessment for a client’s web application, I stumbled upon a soft spot in the armor of AWS’s WAF. This discovery underscores a critical vulnerability that could potentially compromise the security of numerous applications protected under AWS’s umbrella.

The Discovery

The AWS WAF is designed to safeguard web applications by filtering and monitoring HTTP requests. However, during my examination, I unearthed a method to circumvent this protective barrier using Unicode Sequential encoding.

This technique enabled the transmission of malicious payloads directly to the server, bypassing the WAF’s defenses undetected. Numerous other payloads, which included a variety of encodings such as URL and basic ASCII, were detected by the WAF and web application itself and blocked immediately.

After testing Unicode Sequential encoding, however, it was found that AWS’s WAF accepted this form of payload, while the web application decoded it and stored it in its database.

Payload decoded and store in application database — Payload decoded and stored in application database

The Implications

This revelation is particularly alarming as it applies not only to Cross-Site Scripting (XSS) attacks but also to a broad spectrum of malicious payloads that the WAF would typically block. The client’s configuration, which was a standard AWS WAF setup, complemented by a custom rule for file uploads, included several managed rulesets:

AWS-AWSManagedRulesAmazonIpReputationList
AWS-AWSManagedRulesAnonymousIpList
AWS-AWSManagedRulesCommonRuleSet
AWS-AWSManagedRulesKnownBadInputsRuleSet
AWS-AWSManagedRulesSQLiRuleSet
AWS-AWSManagedRulesWindowsRuleSet

Despite these measures, the Unicode Sequential encoding bypass persisted.

Proactive Measures

Upon identifying the issue, I promptly informed the client and recommended the implementation of additional backend security protocols, including input filtering and output encoding. Moreover, I proposed the creation of a bespoke WAF rule to detect and thwart Unicode Sequential encoding attempts.

A Call to Action

I have reached out to AWS to share these findings, as they bear significant implications for other customers relying on the WAF service. It is imperative to ascertain whether AWS is cognizant of this bypass technique and if there are plans afoot to fortify the default ruleset against such exploits. Enhancing the WAF’s security measures is crucial to safeguarding customers from potential cyber threats.

At the time of writing this article, AWS and I have been in constant communication, and they have released a patch for it.

Technical Deep Dive

For those interested in the technical specifics, the bypass was executed using a Python script that converted ASCII input into Unicode Sequential encoding. Here’s a simplified version of the script used:

Python script

The script’s output, when deployed, resulted in the server accepting the encoded payload and decoding it back to ASCII without any HTML encoding. This flaw could have severe repercussions for companies utilizing AWS’s WAF, as it could lead to successful payload injections.

Conclusion

The cybersecurity realm is fraught with challenges, and this incident serves as a stark reminder of the constant need for innovation and adaptation. As we continue to fortify our defenses, collaboration, and transparency remain key in the collective effort to stay one step ahead of malicious actors.

RedLens InfoSec, CampusGuard’s trusted security team, is ready to collaborate with you to reduce risks and enhance your organization’s cyber defenses. Contact us today to get started.

Share

About the Author

Hunter Barnard

Penetration Tester

Read Full Bio

Hunter's fascination with cybersecurity began in high school, and by the age of 11, he was already on his programming path. As the cyber landscape evolved, so did his passion for ethical hacking. He took the initiative to dual-enroll in college while still in high school, diving into networking and programming. He then advanced to earn a BS in Cybersecurity, sharpening his pen testing abilities and making his mark in CTF competitions. With two and a half years of experience, he has identified and disclosed CVEs and vulnerabilities for fortune 10 companies, strengthening digital security measures. His career is a testament to his dedication to academic excellence and his commitment to combating the ever-changing cyber threats.

Beyond the Web Application Firewall: A Proactive Defense

As defensive tools have evolved, attackers have adapted and developed more sophisticated attacks to compromise organizations that rely solely on these tools for defense.

Cybersecurity

Defend Your Digital Assets

Article

Web Application Pen Testing

A web application penetration test is a simulated attack on web-based software applications. This testing can identify weaknesses within the environment or be used to demonstrate the resilience of an application to attack.

Penetration Testing

Checklists and Templates