AWS - WAF Enum


AWS WAF

AWS WAF is a web application firewall designed to safeguard web applications or APIs against various web exploits which may impact their availability, security, or resource consumption. It empowers users to control incoming traffic by setting up security rules that mitigate typical attack vectors like SQL injection or cross-site scripting and also by defining custom filtering rules.

Key concepts

Web ACL (Access Control List)

A Web ACL is a collection of rules that you can apply to your web applications or APIs. When you associate a Web ACL with a resource, AWS WAF inspects incoming requests based on the rules defined in the Web ACL and takes the specified actions.

Rule Group

A Rule Group is a reusable collection of rules that you can apply to multiple Web ACLs. Rule groups help manage and maintain consistent rule sets across different web applications or APIs.

Each rule group has its associated capacity, which helps to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. Once its value is set during creation, it is not possible to modify it.

Rule

A rule defines a set of conditions that AWS WAF uses to inspect incoming web requests. There are two main types of rules:

  1. Regular Rule: This rule type uses specified conditions to determine whether to allow, block, or count web requests.

  2. Rate-Based Rule: Counts requests from a specific IP address over a five-minute period. Here, users define a threshold, and if the number of requests from an IP exceeds this limit within five minutes, subsequent requests from that IP are blocked until the request rate drops below the threshold. The minimum threshold for rate-based rules is 2000 requests.

Managed Rules

AWS WAF offers pre-configured, managed rule sets that are maintained by AWS and AWS Marketplace sellers. These rule sets provide protection against common threats and are regularly updated to address new vulnerabilities.

IP Set

An IP Set is a list of IP addresses or IP address ranges that you want to allow or block. IP sets simplify the process of managing IP-based rules.

Regex Pattern Set

A Regex Pattern Set contains one or more regular expressions (regex) that define patterns to search for in web requests. This is useful for more complex matching scenarios, such as filtering specific sequences of characters.

Lock Token

A Lock Token is used for concurrency control when making updates to WAF resources. It ensures that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously.

API Keys

API Keys in AWS WAF are used to authenticate requests to certain API operations. These keys are encrypted and managed securely to control access and ensure that only authorized users can make changes to WAF configurations.

  • Example: Integration of the CAPTCHA API.

Permission Policy

A Permission Policy is an IAM policy that specifies who can perform actions on AWS WAF resources. By defining permissions, you can control access to WAF resources and ensure that only authorized users can create, update, or delete configurations.

Scope

The scope parameter in AWS WAF specifies whether the WAF rules and configurations apply to a regional application or an Amazon CloudFront distribution.

  • REGIONAL: Applies to regional services such as Application Load Balancers (ALB), Amazon API Gateway REST API, AWS AppSync GraphQL API, Amazon Cognito user pool, AWS App Runner service and AWS Verified Access instance. You specify the AWS region where these resources are located.

  • CLOUDFRONT: Applies to Amazon CloudFront distributions, which are global. WAF configurations for CloudFront are managed through the us-east-1 region regardless of where the content is served.

Key features

Monitoring Criteria (Conditions)

Conditions specify the elements of incoming HTTP/HTTPS requests that AWS WAF monitors, which include XSS, geographical location (GEO), IP addresses, Size constraints, SQL Injection, and patterns (strings and regex matching). It's important to note that requests restricted at the CloudFront level based on country won't reach WAF.

Each AWS account can configure:

  • 100 conditions for each type (except for Regex, where only 10 conditions are allowed, but this limit can be increased).

  • 100 rules and 50 Web ACLs.

  • A maximum of 5 rate-based rules.

  • A throughput of 10,000 requests per second when WAF is implemented with an application load balancer.

Rule actions

Actions are assigned to each rule, with options being:

  • Allow: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer.

  • Block: The request is terminated immediately.

  • Count: Tallies the requests meeting the rule's conditions. This is useful for rule testing, confirming the rule's accuracy before setting it to Allow or Block.

  • CAPTCHA and Challenge: Verifies that the request does not come from a bot, using CAPTCHA puzzles and silent challenges respectively.

If a request doesn't match any rule within the Web ACL, it undergoes the default action (Allow or Block). The order of rule execution, defined within a Web ACL, is crucial and typically follows this sequence:

  1. Allow Whitelisted IPs.

  2. Block Blacklisted IPs.

  3. Block requests matching any detrimental signatures.

CloudWatch Integration

AWS WAF integrates with CloudWatch for monitoring, offering metrics like AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests. These metrics are reported every minute by default and retained for a period of two weeks.

Enumeration

In order to interact with CloudFront distributions, you must specify the Region US East (N. Virginia):

  • CLI - Specify the Region US East when you use the CloudFront scope: --scope CLOUDFRONT --region=us-east-1 .

  • API and SDKs - For all calls, use the Region endpoint us-east-1.

In order to interact with regional services, you should specify the region:

  • Example with the region Europe (Spain): --scope REGIONAL --region=eu-south-2

# Web ACLs #

## Retrieve a list of web access control lists (Web ACLs) available in your AWS account
aws wafv2 list-web-acls --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve details about the specified Web ACL
aws wafv2 get-web-acl --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>

## Retrieve a list of resources associated with a specific web access control list (Web ACL)
aws wafv2 list-resources-for-web-acl --web-acl-arn <value> # Additional permissions needed depending on the protected resource type: cognito-idp:ListResourcesForWebACL, ec2:DescribeVerifiedAccessInstanceWebAclAssociations or apprunner:ListAssociatedServicesForWebAcl
## Retrieve the Web ACL associated with the specified AWS resource
aws wafv2 get-web-acl-for-resource --resource-arn <arn> # Additional permissions needed depending on the protected resource type: cognito-idp:GetWebACLForResource, ec2:GetVerifiedAccessInstanceWebAcl, wafv2:GetWebACL or apprunner:DescribeWebAclForService
 
# Rule groups #

## List of the rule groups available in your AWS account
aws wafv2 list-rule-groups --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the details of a specific rule group
aws wafv2 get-rule-group [--name <value>] [--id <value>] [--arn <value>] [--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>]
## Retrieve the IAM policy attached to the specified rule group
aws wafv2 get-permission-policy --resource-arn <rule-group-arn> # Just the owner of the Rule Group can do this operation

# Managed rule groups (by AWS or by a third-party) #

## List the managed rule groups that are available
aws wafv2 list-available-managed-rule-groups --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## List the available versions of the specified managed rule group
aws wafv2 list-available-managed-rule-group-versions --vendor-name <value> --name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve high-level information about a specific managed rule group
aws wafv2 describe-managed-rule-group --vendor-name <value> --name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--version-name <value>]
## Retrieve high-level information about all managed rule groups
aws wafv2 describe-all-managed-products --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve high-level information about all managed rule groups from a specific vendor
aws wafv2 describe-managed-products-by-vendor --vendor-name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>

# IP sets #

## List the IP sets that are available in your AWS account
aws wafv2 list-ip-sets --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the specific IP set
aws wafv2 get-ip-set --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the keys that are currently being managed by a rate-based rule.
aws wafv2 get-rate-based-statement-managed-keys --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>\
 --web-acl-name <value> --web-acl-id <value> --rule-name <value> [--rule-group-rule-name <value>]

# Regex pattern sets #

## List all the regex pattern sets that you manage
aws wafv2 list-regex-pattern-sets --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the specified regex pattern set
aws wafv2 get-regex-pattern-set --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>

# API Keys #

## List API keys for the specified scope
aws wafv2 list-api-keys --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve decrypted API key
aws wafv2 get-decrypted-api-key --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> --api-key <value>

# Logs #

## List of logging configurations (storage location of the logs)
aws wafv2 list-logging-configurations --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--log-scope <value>]
## Retrieve the logging configuration settings associated with a specific web ACL 
aws wafv2 get-logging-configuration --resource-arn <value> [--log-scope <CUSTOMER | SECURITY_LAKE>] [--log-type <value>]

# Miscellaneous #

## Retrieve a list of the tags associated to the specified resource
aws wafv2 list-tags-for-resource --resource-arn <value>

## Retrieve a sample of web requests that match a specified rule within a WebACL during a specified time range
aws wafv2 get-sampled-requests --web-acl-arn <value> --rule-metric-name <value> --time-window <value> --max-items <1-500> --scope <value> 

## Obtains the web ACL capacity unit (WCU) requirements for a specified scope and ruleset
aws wafv2 check-capacity --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> --rules <value>

## List of available releases for the AWS WAFv2 mobile SDK
aws wafv2 list-mobile-sdk-releases --platform <IOS | ANDROID>
## Retrieve information for the specified mobile SDK release
aws wafv2 get-mobile-sdk-release --platform <value> --release-version <value>

Post Exploitation / Bypass

From an attacker's perspective, this service can help to identify the WAF protections and network exposures of an account, which could in turn help to compromise the web applications it protects.

However, an attacker could also be interested in disrupting this service so that those web applications are no longer protected by the WAF.

Many of the Delete and Update operations require the lock token of the resource. This token is used for concurrency control over the resources, ensuring that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously. The token is returned by the corresponding list or get operations over the specific resource.

wafv2:CreateRuleGroup, wafv2:UpdateRuleGroup, wafv2:DeleteRuleGroup

An attacker would be able to compromise the security of the affected resource by:

  • Creating rule groups that could, for instance, block legitimate traffic from legitimate IP addresses, causing a denial of service.

  • Updating rule groups, being able to modify their actions, for example from Block to Allow.

  • Deleting rule groups that provide critical security measures.

# Create Rule Group
aws wafv2 create-rule-group --name <value> --capacity <value> --visibility-config <value> \
--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--rules <value>] [--description <value>]
# Update Rule Group
aws wafv2 update-rule-group --name <value> --id <value> --visibility-config <value> --lock-token <value>\
 --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--rules <value>] [--description <value>]
# Delete Rule Group
aws wafv2 delete-rule-group --name <value> --id <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>

The following example shows a rule group that would block legitimate traffic from specific IP addresses:

aws wafv2 create-rule-group --name BlockLegitimateIPsRuleGroup --capacity 1 --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=BlockLegitimateIPsRuleGroup --scope CLOUDFRONT --region us-east-1 --rules file://rule.json

The rule.json file would look like:

[
    {
        "Name":"BlockLegitimateIPsRule",
        "Priority":0,
        "Statement": {
                "IPSetReferenceStatement": {
                    "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/legitIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
                }
            },
        "Action":{
            "Block":{}
        },
        "VisibilityConfig":{
            "SampledRequestsEnabled":false,
            "CloudWatchMetricsEnabled":false,
            "MetricName":"BlockLegitimateIPsRule"
        }
    }
]

Potential Impact: Unauthorized access, data breaches, and potential DoS attacks.

wafv2:CreateWebACL, wafv2:UpdateWebACL, wafv2:DeleteWebACL

With these permissions, an attacker would be able to:

  • Create a new Web ACL, introducing rules that either allow malicious traffic through or block legitimate traffic, effectively rendering the WAF useless or causing a denial of service.

  • Update existing Web ACLs, being able to modify rules to permit attacks such as SQL injection or cross-site scripting, which were previously blocked, or disrupt normal traffic flow by blocking valid requests.

  • Delete a Web ACL, leaving the affected resources entirely unprotected, exposing it to a broad range of web attacks.

You can only delete the specified WebACL if ManagedByFirewallManager is false.

# Create Web ACL
aws wafv2 create-web-acl --name <value> --default-action <value> --visibility-config <value> \
--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--rules <value>] [--captcha-config <value>] [--description <value>]
# Update Web ACL
aws wafv2 update-web-acl --name <value> --id <value> --default-action <value> --visibility-config <value> --lock-token <value>\
--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--rules <value>] [--captcha-config <value>] [--description <value>]
# Delete Web ACL
aws wafv2 delete-web-acl --name <value> --id <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>

The following example shows how to update a Web ACL to block the legitimate traffic from a specific IP set. If the origin IP does not match any of those IPs, the default action would also block it, causing a DoS.

Original Web ACL:

{
    "WebACL": {
        "Name": "AllowLegitimateIPsWebACL",
        "Id": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
        "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
        "DefaultAction": {
            "Allow": {}
        },
        "Description": "",
        "Rules": [
            {
                "Name": "AllowLegitimateIPsRule",
                "Priority": 0,
                "Statement": {
                    "IPSetReferenceStatement": {
                        "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
                    }
                },
                "Action": {
                    "Allow": {}
                },
                "VisibilityConfig": {
                    "SampledRequestsEnabled": false,
                    "CloudWatchMetricsEnabled": false,
                    "MetricName": "AllowLegitimateIPsRule"
                }
            }
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": false,
            "CloudWatchMetricsEnabled": false,
            "MetricName": "AllowLegitimateIPsWebACL"
        },
        "Capacity": 1,
        "ManagedByFirewallManager": false,
        "LabelNamespace": "awswaf:123456789012:webacl:AllowLegitimateIPsWebACL:"
    },
    "LockToken": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
}

Command to update the Web ACL:

aws wafv2 update-web-acl --name AllowLegitimateIPsWebACL --scope REGIONAL --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --default-action Block={} --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=AllowLegitimateIPsWebACL --rules file://rule.json --region us-east-1

The rule.json file would look like:

[
    {
        "Name": "BlockLegitimateIPsRule",
        "Priority": 0,
        "Statement": {
            "IPSetReferenceStatement": {
                "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
            }
        },
        "Action": {
            "Block": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": false,
            "CloudWatchMetricsEnabled": false,
            "MetricName": "BlockLegitimateIPRule"
        }
    }
]

Potential Impact: Unauthorized access, data breaches, and potential DoS attacks.
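To make the effect of the update above concrete, here is an added Python evaluator (not part of the original page) that applies a Web ACL's rules in priority order and then the default action, as the "Rule actions" section describes, and audits the result. The IP set addresses are assumed, since the page only shows the set's ARN; the Web ACL structures are modelled on the get-web-acl output and rule.json shown above.

```python
import ipaddress

# Constructed sample data modelled on the get-web-acl / rule.json output shown
# above. The IP set's addresses are assumed: the page only shows the set's ARN.
LEGIT_IPSET_ARN = ("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/"
                   "LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f")
IP_SETS = {LEGIT_IPSET_ARN: ["203.0.113.0/24"]}   # constructed addresses

def make_rule(name, action, priority=0):
    return {"Name": name, "Priority": priority,
            "Statement": {"IPSetReferenceStatement": {"ARN": LEGIT_IPSET_ARN}},
            "Action": {action: {}}}

VISIBILITY = {"SampledRequestsEnabled": False, "CloudWatchMetricsEnabled": False}

# Original Web ACL: legitimate IPs allowed by the rule, everything else by default.
ORIGINAL_ACL = {"Name": "AllowLegitimateIPsWebACL", "DefaultAction": {"Allow": {}},
                "Rules": [make_rule("AllowLegitimateIPsRule", "Allow")],
                "VisibilityConfig": VISIBILITY}
# Web ACL after the update-web-acl call: the rule blocks and so does the default.
TAMPERED_ACL = {"Name": "AllowLegitimateIPsWebACL", "DefaultAction": {"Block": {}},
                "Rules": [make_rule("BlockLegitimateIPsRule", "Block")],
                "VisibilityConfig": VISIBILITY}

def statement_matches(stmt, client_ip, ip_sets):
    """Evaluate the statement types this page uses: an IP set reference, optionally negated."""
    if "IPSetReferenceStatement" in stmt:
        cidrs = ip_sets[stmt["IPSetReferenceStatement"]["ARN"]]
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(c) for c in cidrs)
    if "NotStatement" in stmt:
        return not statement_matches(stmt["NotStatement"]["Statement"], client_ip, ip_sets)
    raise ValueError(f"unsupported statement: {list(stmt)}")

def evaluate(acl, client_ip, ip_sets=IP_SETS):
    """Return (action, deciding_rule) for a client IP.

    Rules run in ascending Priority; the first match with a terminating action
    decides. Count only tallies and evaluation continues. In this simplified
    model Captcha and Challenge terminate (requests carrying a valid token are
    not modelled). Nothing matching falls through to the DefaultAction."""
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        if statement_matches(rule["Statement"], client_ip, ip_sets):
            action = next(iter(rule["Action"]))
            if action != "Count":
                return action, rule["Name"]
    return next(iter(acl["DefaultAction"])), "DefaultAction"

def audit(acl):
    """Flag states in get-web-acl output that a defender should review."""
    findings = []
    terminating = {next(iter(r["Action"])) for r in acl["Rules"]} - {"Count"}
    if (next(iter(acl["DefaultAction"])) == "Block"
            and not terminating & {"Allow", "Captcha", "Challenge"}):
        findings.append("ALL_BLOCKED")          # no request can ever pass: DoS
    vis = acl.get("VisibilityConfig", {})
    if not vis.get("CloudWatchMetricsEnabled"):
        findings.append("NO_CLOUDWATCH_METRICS")  # the CloudWatch metrics above stay empty
    if not vis.get("SampledRequestsEnabled"):
        findings.append("NO_SAMPLED_REQUESTS")    # get-sampled-requests returns nothing
    return findings

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.5"):
        print(ip, "before:", evaluate(ORIGINAL_ACL, ip), "after:", evaluate(TAMPERED_ACL, ip))
    print("audit after tampering:", audit(TAMPERED_ACL))
```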

wafv2:AssociateWebACL, wafv2:DisassociateWebACL

The wafv2:AssociateWebACL permission would allow an attacker to associate web ACLs (Access Control Lists) with resources, being able to bypass security controls, allowing unauthorized traffic to reach the application, potentially leading to exploits like SQL injection or cross-site scripting (XSS). Conversely, with the wafv2:DisassociateWebACL permission, the attacker could temporarily disable security protections, exposing the resources to vulnerabilities without detection.

The additional permissions would be needed depending on the protected resource type:

  • Associate

    • apigateway:SetWebACL

    • apprunner:AssociateWebAcl

    • appsync:SetWebACL

    • cognito-idp:AssociateWebACL

    • ec2:AssociateVerifiedAccessInstanceWebAcl

    • elasticloadbalancing:SetWebAcl

  • Disassociate

    • apigateway:SetWebACL

    • apprunner:DisassociateWebAcl

    • appsync:SetWebACL

    • cognito-idp:DisassociateWebACL

    • ec2:DisassociateVerifiedAccessInstanceWebAcl

    • elasticloadbalancing:SetWebAcl

# Associate
aws wafv2 associate-web-acl --web-acl-arn <value> --resource-arn <value>
# Disassociate
aws wafv2 disassociate-web-acl --resource-arn <value>

Potential Impact: Compromised resources security, increased risk of exploitation, and potential service disruptions within AWS environments protected by AWS WAF.

wafv2:CreateIPSet , wafv2:UpdateIPSet, wafv2:DeleteIPSet

An attacker would be able to create, update and delete the IP sets managed by AWS WAF. This could be dangerous, since the attacker could create new IP sets to allow malicious traffic, modify IP sets in order to block legitimate traffic, update existing IP sets to include malicious IP addresses, remove trusted IP addresses, or delete critical IP sets that are meant to protect critical resources.

# Create IP set
aws wafv2 create-ip-set --name <value> --ip-address-version <IPV4 | IPV6> --addresses <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
# Update IP set
aws wafv2 update-ip-set --name <value> --id <value> --addresses <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
# Delete IP set
aws wafv2 delete-ip-set --name <value> --id <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> 

The following example shows how to overwrite the existing IP set by the desired IP set:

aws wafv2 update-ip-set --name LegitimateIPv4Set --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --addresses 99.99.99.99/32 --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --scope CLOUDFRONT --region us-east-1 

Potential Impact: Unauthorized access and block of legitimate traffic.

wafv2:CreateRegexPatternSet , wafv2:UpdateRegexPatternSet, wafv2:DeleteRegexPatternSet

An attacker with these permissions would be able to manipulate the regular expression pattern sets used by AWS WAF to control and filter incoming traffic based on specific patterns.

  • Creating new regex pattern sets would help an attacker to allow harmful content.

  • Updating the existing patterns would let an attacker bypass security rules.

  • Deleting patterns that are designed to block malicious activities would let an attacker send malicious payloads and bypass the security measures.

# Create regex pattern set
aws wafv2 create-regex-pattern-set --name <value> --regular-expression-list <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--description <value>] 
# Update regex pattern set
aws wafv2 update-regex-pattern-set --name <value> --id <value> --regular-expression-list <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
# Delete regex pattern set
aws wafv2 delete-regex-pattern-set --name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> --id <value> --lock-token <value>

Potential Impact: Bypass security controls, allowing malicious content and potentially exposing sensitive data or disrupting services and resources protected by AWS WAF.

(wafv2:PutLoggingConfiguration & iam:CreateServiceLinkedRole), wafv2:DeleteLoggingConfiguration

An attacker with the wafv2:DeleteLoggingConfiguration permission would be able to remove the logging configuration from the specified Web ACL. Subsequently, with the wafv2:PutLoggingConfiguration and iam:CreateServiceLinkedRole permissions, an attacker could create or replace logging configurations (after having deleted them) to either prevent logging altogether or redirect logs to unauthorized destinations, such as an Amazon S3 bucket, an Amazon CloudWatch Logs log group or an Amazon Kinesis Data Firehose under their control.

During the creation process, the service automatically sets up the necessary permissions to allow logs to be written to the specified logging destination:

  • Amazon CloudWatch Logs: AWS WAF creates a resource policy on the designated CloudWatch Logs log group. This policy ensures that AWS WAF has the permissions required to write logs to the log group.

  • Amazon S3 Bucket: AWS WAF creates a bucket policy on the designated S3 bucket. This policy grants AWS WAF the permissions necessary to upload logs to the specified bucket.

  • Amazon Kinesis Data Firehose: AWS WAF creates a service-linked role specifically for interacting with Kinesis Data Firehose. This role allows AWS WAF to deliver logs to the configured Firehose stream.

It is possible to define only one logging destination per web ACL.

# Put logging configuration
aws wafv2 put-logging-configuration --logging-configuration <value>
# Delete logging configuration
aws wafv2 delete-logging-configuration --resource-arn <value> [--log-scope <CUSTOMER | SECURITY_LAKE>] [--log-type <value>]

Potential Impact: Reduced visibility into security events, a hampered incident response process, and easier covert malicious activity within AWS WAF-protected environments.

wafv2:DeleteAPIKey

An attacker with this permission would be able to delete existing API keys, rendering the CAPTCHA ineffective and disrupting the functionality that relies on it, such as form submissions and access controls. Depending on how the CAPTCHA is implemented, this could lead either to a CAPTCHA bypass or to a DoS if error handling is not properly set up in the resource.

# Delete API key
aws wafv2 delete-api-key --api-key <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> 

Potential Impact: Disable CAPTCHA protections or disrupt application functionality, leading to security breaches and potential data theft.

wafv2:TagResource, wafv2:UntagResource

An attacker would be able to add, modify, or remove tags from AWS WAFv2 resources, such as Web ACLs, rule groups, IP sets, regex pattern sets, and logging configurations.

# Tag
aws wafv2 tag-resource --resource-arn <value> --tags <value>
# Untag
aws wafv2 untag-resource --resource-arn <value> --tag-keys <value>

Potential Impact: Resource tampering, information leakage, cost manipulation and operational disruption.
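The operations listed throughout this post-exploitation section are all recorded by CloudTrail, so a defender can triage them. The following Python example is added here and is not part of the original page: it classifies constructed CloudTrail-style records (the generic record fields are real; the exact layout of requestParameters for wafv2 events is assumed) and escalates the two changes shown above, a default action switched to Block and an IP set overwritten.

```python
# Constructed CloudTrail-style records, not real logs. Only the fields used
# below are present; the requestParameters layout for wafv2 events is assumed.
WAF = "wafv2.amazonaws.com"
ACTOR = "arn:aws:iam::123456789012:user/example-user"   # constructed identity
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": WAF, "eventName": "ListWebACLs",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"scope": "REGIONAL"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": WAF, "eventName": "DeleteLoggingConfiguration",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"resourceArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": WAF, "eventName": "UpdateWebACL",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"name": "AllowLegitimateIPsWebACL", "scope": "REGIONAL", "defaultAction": {"block": {}}}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": WAF, "eventName": "UpdateIPSet",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"name": "LegitimateIPv4Set", "addresses": ["99.99.99.99/32"]}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": WAF, "eventName": "DisassociateWebACL",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"resourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example/0123456789abcdef"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {}},
]

# wafv2 operations from this section that remove or weaken protection outright...
HIGH = {"DeleteWebACL", "DeleteRuleGroup", "DeleteIPSet", "DeleteRegexPatternSet",
        "DeleteLoggingConfiguration", "DisassociateWebACL", "DeleteAPIKey"}
# ...and those that change protection and deserve a look at the parameters.
MEDIUM = {"CreateWebACL", "UpdateWebACL", "CreateRuleGroup", "UpdateRuleGroup",
          "CreateIPSet", "UpdateIPSet", "CreateRegexPatternSet", "UpdateRegexPatternSet",
          "PutLoggingConfiguration", "AssociateWebACL"}

def classify(event):
    """Return a finding dict for a relevant wafv2 event, or None for noise."""
    if event.get("eventSource") != WAF:
        return None
    name = event["eventName"]
    params = event.get("requestParameters") or {}
    if name in HIGH:
        severity = "HIGH"
    elif name in MEDIUM:
        severity = "MEDIUM"
    else:
        return None          # read-only enumeration calls such as List*/Get*
    reason = name
    # An UpdateWebACL whose default action becomes Block drops every request
    # that no rule explicitly allows (the DoS shown earlier in this section).
    default = {k.lower() for k in (params.get("defaultAction") or {})}
    if name == "UpdateWebACL" and "block" in default:
        severity, reason = "HIGH", reason + " sets DefaultAction=Block"
    # An IP set rewrite replaces the whole address list, not just one entry.
    if name == "UpdateIPSet":
        reason += f" replaces {params.get('name')} with {params.get('addresses')}"
    return {"time": event.get("eventTime"), "actor": event["userIdentity"]["arn"],
            "severity": severity, "reason": reason}

def triage(events):
    """Findings in chronological order, highest severity first within a timestamp."""
    findings = [f for f in map(classify, events) if f]
    return sorted(findings, key=lambda f: (f["time"], f["severity"] != "HIGH"))

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["time"], f["severity"], f["actor"], f["reason"])
```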
