AWS - WAF Enum
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
AWS WAF is a web application firewall designed to safeguard web applications or APIs against various web exploits which may impact their availability, security, or resource consumption. It empowers users to control incoming traffic by setting up security rules that mitigate typical attack vectors like SQL injection or cross-site scripting and also by defining custom filtering rules.
A Web ACL is a collection of rules that you can apply to your web applications or APIs. When you associate a Web ACL with a resource, AWS WAF inspects incoming requests based on the rules defined in the Web ACL and takes the specified actions.
A Rule Group is a reusable collection of rules that you can apply to multiple Web ACLs. Rule groups help manage and maintain consistent rule sets across different web applications or APIs.
Each rule group has its associated capacity, which helps to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. Once its value is set during creation, it is not possible to modify it.
A rule defines a set of conditions that AWS WAF uses to inspect incoming web requests. There are two main types of rules:
Regular Rule: This rule type uses specified conditions to determine whether to allow, block, or count web requests.
Rate-Based Rule: Counts requests from a specific IP address over a five-minute period. Here, users define a threshold, and if the number of requests from an IP exceeds this limit within five minutes, subsequent requests from that IP are blocked until the request rate drops below the threshold. The minimum threshold for rate-based rules is 2000 requests.
AWS WAF offers pre-configured, managed rule sets that are maintained by AWS and AWS Marketplace sellers. These rule sets provide protection against common threats and are regularly updated to address new vulnerabilities.
An IP Set is a list of IP addresses or IP address ranges that you want to allow or block. IP sets simplify the process of managing IP-based rules.
A Regex Pattern Set contains one or more regular expressions (regex) that define patterns to search for in web requests. This is useful for more complex matching scenarios, such as filtering specific sequences of characters.
A Lock Token is used for concurrency control when making updates to WAF resources. It ensures that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously.
API Keys in AWS WAF are used to authenticate requests to certain API operations. These keys are encrypted and managed securely to control access and ensure that only authorized users can make changes to WAF configurations.
Example: Integration of the CAPTCHA API.
A Permission Policy is an IAM policy that specifies who can perform actions on AWS WAF resources. By defining permissions, you can control access to WAF resources and ensure that only authorized users can create, update, or delete configurations.
The scope parameter in AWS WAF specifies whether the WAF rules and configurations apply to a regional application or an Amazon CloudFront distribution.
REGIONAL: Applies to regional services such as Application Load Balancers (ALB), Amazon API Gateway REST API, AWS AppSync GraphQL API, Amazon Cognito user pool, AWS App Runner service and AWS Verified Access instance. You specify the AWS region where these resources are located.
CLOUDFRONT: Applies to Amazon CloudFront distributions, which are global. WAF configurations for CloudFront are managed through the us-east-1 region regardless of where the content is served.
Conditions specify the elements of incoming HTTP/HTTPS requests that AWS WAF monitors, which include XSS, geographical location (GEO), IP addresses, Size constraints, SQL Injection, and patterns (strings and regex matching). It's important to note that requests restricted at the CloudFront level based on country won't reach WAF.
Each AWS account can configure:
100 conditions for each type (except for Regex, where only 10 conditions are allowed, but this limit can be increased).
100 rules and 50 Web ACLs.
A maximum of 5 rate-based rules.
A throughput of 10,000 requests per second when WAF is implemented with an application load balancer.
Actions are assigned to each rule, with options being:
Allow: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer.
Block: The request is terminated immediately.
Count: Tallies the requests meeting the rule's conditions. This is useful for rule testing, confirming the rule's accuracy before setting it to Allow or Block.
CAPTCHA and Challenge: The request is verified not to come from a bot, using CAPTCHA puzzles and silent challenges.
If a request doesn't match any rule within the Web ACL, it undergoes the default action (Allow or Block). The order of rule execution, defined within a Web ACL, is crucial and typically follows this sequence:
Allow Whitelisted IPs.
Block Blacklisted IPs.
Block requests matching any detrimental signatures.
AWS WAF integrates with CloudWatch for monitoring, offering metrics like AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests. These metrics are reported every minute by default and retained for a period of two weeks.
In order to interact with CloudFront distributions, you must specify the Region US East (N. Virginia):
CLI - Specify the Region US East when you use the CloudFront scope: --scope CLOUDFRONT --region=us-east-1
API and SDKs - For all calls, use the Region endpoint us-east-1.
In order to interact with regional services, you should specify the region:
Example with the region Europe (Spain): --scope REGIONAL --region=eu-south-2
From an attacker's perspective, this service can help identify WAF protections and network exposures that could help compromise other web applications.
However, an attacker could also be interested in disrupting this service so the web applications are no longer protected by the WAF.
Many of the Delete and Update operations require the lock token. This token is used for concurrency control over the resources, ensuring that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously. To obtain this token, perform the corresponding List or Get operation over the specific resource.
wafv2:CreateRuleGroup, wafv2:UpdateRuleGroup, wafv2:DeleteRuleGroup
An attacker would be able to compromise the security of the affected resource by:
Creating rule groups that could, for instance, block legitimate traffic from legitimate IP addresses, causing a denial of service.
Updating rule groups, being able to modify their actions, for example from Block to Allow.
Deleting rule groups that provide critical security measures.
The following example shows a rule group that would block legitimate traffic from specific IP addresses:
The rule.json file would look like:
Potential Impact: Unauthorized access, data breaches, and potential DoS attacks.
wafv2:CreateWebACL, wafv2:UpdateWebACL, wafv2:DeleteWebACL
With these permissions, an attacker would be able to:
Create a new Web ACL, introducing rules that either allow malicious traffic through or block legitimate traffic, effectively rendering the WAF useless or causing a denial of service.
Update existing Web ACLs, being able to modify rules to permit attacks such as SQL injection or cross-site scripting, which were previously blocked, or disrupt normal traffic flow by blocking valid requests.
Delete a Web ACL, leaving the affected resources entirely unprotected, exposing it to a broad range of web attacks.
You can only delete the specified WebACL if ManagedByFirewallManager is false.
The following example shows how to update a Web ACL to block the legitimate traffic from a specific IP set. If the origin IP does not match any of those IPs, the default action would also block it, causing a DoS.
Original Web ACL:
Command to update the Web ACL:
The rule.json file would look like:
Potential Impact: Unauthorized access, data breaches, and potential DoS attacks.
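As an added defender-side check (not part of the original page): the audit below reads a Web ACL in the JSON shape returned by `aws wafv2 get-web-acl` and flags the two situations the Web ACL sections describe, a Block default action that leaves only allowlisted traffic through, and rules or managed rule groups whose action no longer blocks. The sample Web ACL, its IP set ARN and the function names are constructed for the example.

```python
import json

# Constructed Web ACL (not from a real account) in the JSON shape that
# `aws wafv2 get-web-acl` returns: default action flipped to Block, a single
# Allow rule for one IP set, and a managed rule group left in Count mode.
SAMPLE_WEB_ACL = json.loads("""{
  "Name": "prod-acl",
  "DefaultAction": {"Block": {}},
  "Rules": [
    {"Name": "allow-office-ips", "Priority": 0, "Action": {"Allow": {}},
     "Statement": {"IPSetReferenceStatement": {
       "ARN": "arn:aws:wafv2:eu-south-2:123456789012:regional/ipset/office/EXAMPLE-ID"}}},
    {"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 1, "OverrideAction": {"Count": {}},
     "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}}
  ]
}""")


def rule_action(rule: dict) -> str:
    """Effective action of a rule: 'Allow', 'Block', 'Count', 'Captcha', 'Challenge' or 'None'."""
    action = rule.get("Action") or rule.get("OverrideAction") or {}
    return next(iter(action), "None")


def audit_web_acl(acl: dict) -> list[str]:
    """Return findings for Web ACL settings that either deny legitimate traffic or block nothing."""
    findings = []
    rules = sorted(acl.get("Rules", []), key=lambda r: r["Priority"])  # evaluation order
    actions = [rule_action(r) for r in rules]
    default = next(iter(acl.get("DefaultAction", {})), "None")

    if default == "Block" and "Block" not in actions:
        findings.append("default action is Block and no rule blocks explicitly: only traffic matching "
                        "an Allow rule gets through, every other client is denied (DoS if unintended)")
    if default == "Allow" and "Block" not in actions:
        findings.append("default action is Allow and no rule blocks: the Web ACL enforces nothing")
    for r in rules:
        if "ManagedRuleGroupStatement" in r["Statement"] and rule_action(r) == "Count":
            findings.append(f"managed rule group {r['Name']} is overridden to Count and blocks nothing")
    # Rules run in priority order; a request matching an earlier Allow rule never reaches later Block rules.
    if "Allow" in actions and "Block" in actions and actions.index("Allow") < actions.index("Block"):
        findings.append("an Allow rule precedes a Block rule; matching requests bypass the later block")
    return findings
```

Running the audit periodically (or on every UpdateWebACL event) and diffing its output against the last known-good result turns the Block/Allow flips described above into an alert rather than a silent outage.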
wafv2:AssociateWebACL, wafv2:DisassociateWebACL
The wafv2:AssociateWebACL permission would allow an attacker to associate web ACLs (Access Control Lists) with resources, being able to bypass security controls, allowing unauthorized traffic to reach the application, potentially leading to exploits like SQL injection or cross-site scripting (XSS). Conversely, with the wafv2:DisassociateWebACL permission, the attacker could temporarily disable security protections, exposing the resources to vulnerabilities without detection.
The additional permissions would be needed depending on the protected resource type:
Associate
apigateway:SetWebACL
apprunner:AssociateWebAcl
appsync:SetWebACL
cognito-idp:AssociateWebACL
ec2:AssociateVerifiedAccessInstanceWebAcl
elasticloadbalancing:SetWebAcl
Disassociate
apigateway:SetWebACL
apprunner:DisassociateWebAcl
appsync:SetWebACL
cognito-idp:DisassociateWebACL
ec2:DisassociateVerifiedAccessInstanceWebAcl
elasticloadbalancing:SetWebAcl
Potential Impact: Compromised resources security, increased risk of exploitation, and potential service disruptions within AWS environments protected by AWS WAF.
wafv2:CreateIPSet, wafv2:UpdateIPSet, wafv2:DeleteIPSet
An attacker would be able to create, update and delete the IP sets managed by AWS WAF. This could be dangerous since the attacker could create new IP sets to allow malicious traffic, modify IP sets in order to block legitimate traffic, update existing IP sets to include malicious IP addresses, remove trusted IP addresses, or delete critical IP sets that are meant to protect critical resources.
The following example shows how to overwrite the existing IP set by the desired IP set:
Potential Impact: Unauthorized access and block of legitimate traffic.
wafv2:CreateRegexPatternSet, wafv2:UpdateRegexPatternSet, wafv2:DeleteRegexPatternSet
An attacker with these permissions would be able to manipulate the regular expression pattern sets used by AWS WAF to control and filter incoming traffic based on specific patterns.
Creating new regex pattern sets could help an attacker allow harmful content through.
By updating the existing patterns, an attacker could bypass security rules.
Deleting patterns that are designed to block malicious activities would let an attacker send malicious payloads and bypass the security measures.
Potential Impact: Bypass security controls, allowing malicious content and potentially exposing sensitive data or disrupting services and resources protected by AWS WAF.
wafv2:PutLoggingConfiguration (& iam:CreateServiceLinkedRole), wafv2:DeleteLoggingConfiguration
An attacker with the wafv2:DeleteLoggingConfiguration permission would be able to remove the logging configuration from the specified Web ACL. Subsequently, with the wafv2:PutLoggingConfiguration and iam:CreateServiceLinkedRole permissions, an attacker could create or replace logging configurations (after having deleted it) to either prevent logging altogether or redirect logs to unauthorized destinations, such as an Amazon S3 bucket, an Amazon CloudWatch Logs log group or an Amazon Kinesis Data Firehose under their control.
During the creation process, the service automatically sets up the necessary permissions to allow logs to be written to the specified logging destination:
Amazon CloudWatch Logs: AWS WAF creates a resource policy on the designated CloudWatch Logs log group. This policy ensures that AWS WAF has the permissions required to write logs to the log group.
Amazon S3 Bucket: AWS WAF creates a bucket policy on the designated S3 bucket. This policy grants AWS WAF the permissions necessary to upload logs to the specified bucket.
Amazon Kinesis Data Firehose: AWS WAF creates a service-linked role specifically for interacting with Kinesis Data Firehose. This role allows AWS WAF to deliver logs to the configured Firehose stream.
It is possible to define only one logging destination per web ACL.
Potential Impact: Obscured visibility into security events, a harder incident response process, and easier covert malicious activity within AWS WAF-protected environments.
wafv2:DeleteAPIKey
An attacker with this permission would be able to delete existing API keys, rendering the CAPTCHA ineffective and disrupting the functionality that relies on it, such as form submissions and access controls. Depending on the implementation of this CAPTCHA, this could lead either to a CAPTCHA bypass or to a DoS if error handling is not properly set up in the resource.
Potential Impact: Disable CAPTCHA protections or disrupt application functionality, leading to security breaches and potential data theft.
wafv2:TagResource, wafv2:UntagResource
An attacker would be able to add, modify, or remove tags from AWS WAFv2 resources, such as Web ACLs, rule groups, IP sets, regex pattern sets, and logging configurations.
Potential Impact: Resource tampering, information leakage, cost manipulation and operational disruption.
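Every wafv2 action listed in the permission sections above is recorded in CloudTrail, so the corresponding detection is a small triage pass over those records. The example below is added here and is not part of the original page: it maps the page's tampering actions to a severity, keeps denied attempts as well as successful calls, and escalates a PutLoggingConfiguration whose log destination belongs to another account (the log-redirection case described in the logging section). The sample events, ARNs, account IDs and function names are constructed for the example.

```python
# Severity a defender would assign to each wafv2 action this page discusses (assumed mapping).
TAMPERING_ACTIONS = {
    "DeleteWebACL": "critical", "DisassociateWebACL": "critical", "DeleteLoggingConfiguration": "critical",
    "PutLoggingConfiguration": "high", "UpdateWebACL": "high", "UpdateRuleGroup": "high",
    "DeleteRuleGroup": "high", "UpdateIPSet": "high", "DeleteIPSet": "high", "DeleteAPIKey": "medium",
    "UpdateRegexPatternSet": "medium", "DeleteRegexPatternSet": "medium", "AssociateWebACL": "medium",
    "UntagResource": "low",
}
ACL_ARN = "arn:aws:wafv2:us-east-1:111111111111:global/webacl/cdn-acl/EXAMPLE-ID"  # constructed
# Constructed CloudTrail records (not real log data), trimmed to the fields used below.
SAMPLE_EVENTS = [
    {"eventSource": "wafv2.amazonaws.com", "eventName": "GetWebACL", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/auditor"},
     "requestParameters": {"scope": "CLOUDFRONT", "name": "cdn-acl"}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "DeleteLoggingConfiguration",
     "recipientAccountId": "111111111111", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"},
     "requestParameters": {"resourceArn": ACL_ARN}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "PutLoggingConfiguration",
     "recipientAccountId": "111111111111", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"},
     "requestParameters": {"loggingConfiguration": {"resourceArn": ACL_ARN,
         "logDestinationConfigs": ["arn:aws:logs:us-east-1:999999999999:log-group:aws-waf-logs-x"]}}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "UpdateWebACL", "recipientAccountId": "111111111111",
     "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deploy"},
     "requestParameters": {"scope": "REGIONAL", "name": "api-acl"}},
]


def external_log_destinations(event: dict) -> list[str]:
    """Log destination ARNs owned by an account other than the one whose Web ACL is being logged."""
    cfg = (event.get("requestParameters") or {}).get("loggingConfiguration") or {}
    own = event.get("recipientAccountId")
    # ARN layout: arn:partition:service:region:account:resource; S3 bucket ARNs carry no account id.
    return [arn for arn in cfg.get("logDestinationConfigs", [])
            if len(arn.split(":")) > 5 and arn.split(":")[4] and arn.split(":")[4] != own]


def triage(events: list[dict]) -> list[dict]:
    """One alert per wafv2 event in TAMPERING_ACTIONS; denied attempts are kept (succeeded=False)."""
    alerts = []
    for ev in events:
        sev = TAMPERING_ACTIONS.get(ev.get("eventName"))
        if ev.get("eventSource") != "wafv2.amazonaws.com" or sev is None:
            continue
        ext = external_log_destinations(ev)  # logs being redirected out of the account
        alerts.append({
            "action": ev["eventName"], "severity": "critical" if ext else sev,
            "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
            "succeeded": "errorCode" not in ev, "external_destinations": ext,
        })
    return alerts
```

The same filter expressed as a CloudWatch Logs metric filter or EventBridge rule on `eventSource = wafv2.amazonaws.com` gives near-real-time alerting; the Python form is convenient for retroactive review of exported trails.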