AWS - WAF Enum

AWS WAF

AWS WAF is a web application firewall designed to safeguard web applications or APIs against various web exploits which may impact their availability, security, or resource consumption. It empowers users to control incoming traffic by setting up security rules that mitigate typical attack vectors like SQL injection or cross-site scripting and also by defining custom filtering rules.

Monitoring Criteria (Conditions)

Conditions specify the elements of incoming HTTP/HTTPS requests that AWS WAF monitors, which include XSS, geographical location (GEO), IP addresses, Size constraints, SQL Injection, and patterns (strings and regex matching). It's important to note that requests restricted at the CloudFront level based on country won't reach WAF.

Each AWS account can configure:

• 100 conditions for each type (except for Regex, where only 10 conditions are allowed, but this limit can be increased).

• 100 rules and 50 Web ACLs.

• A maximum of 5 rate-based rules.

• A throughput of 10,000 requests per second when WAF is implemented with an application load balancer.

Rule Configuration

Rules are crafted using the specified conditions. For instance, a rule might block a request if it meets 2 specific conditions. There are two types of rules:

1. Regular Rule: Standard rule based on specified conditions.

2. Rate-Based Rule: Counts requests from a specific IP address over a five-minute period. Here, users define a threshold, and if the number of requests from an IP exceeds this limit within five minutes, subsequent requests from that IP are blocked until the request rate drops below the threshold. The minimum threshold for rate-based rules is 2000 requests.

Actions

Actions are assigned to each rule, with options being Allow, Block, or Count:

• Allow: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer.

• Block: The request is terminated immediately.

• Count: Tallies the requests meeting the rule's conditions. This is useful for rule testing, confirming the rule's accuracy before setting it to Allow or Block.

If a request doesn't match any rule within the Web ACL, it undergoes the default action (Allow or Block). The order of rule execution, defined within a Web ACL, is crucial and typically follows this sequence:

1. Allow Whitelisted IPs.

2. Block Blacklisted IPs.

3. Block requests matching any detrimental signatures.

CloudWatch Integration

AWS WAF integrates with CloudWatch for monitoring, offering metrics like AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests. These metrics are reported every minute by default and retained for a period of two weeks.

Enumeration

scope can also be CLOUDFRONT, but when checking for a WAF not related to CLoudfront you need to use REGIONAL.

# Get web acls
aws wafv2 list-web-acls --scope REGIONAL
aws wafv2 get-web-acl --scope REGIONAL --name <name> --id <id>
aws wafv2 list-resources-for-web-acl --web-acl-arn <web-acl-arn> #Resources associated with the ACL
aws wafv2 get-web-acl-for-resource --resource-arn <arn> # Get web acl of the resource

# Rule groups
aws wafv2 list-rule-groups --scope REGIONAL
aws wafv2 get-rule-group --scope REGIONAL --name <name> --id <id>

# Get IP sets
aws wafv2 list-ip-sets --scope=REGIONAL
aws wafv2 get-ip-set --scope=REGIONAL --name <name> --id <id>

# Get regex patterns
aws wafv2 list-regex-pattern-sets --scope REGIONAL

# Get logging config (buckets storing the logs)
aws wafv2 list-logging-configurations --scope=REGIONAL

Post Exploitation / Bypass

TODO: PRs are welcome

References

• https://www.citrusconsulting.com/aws-web-application-firewall-waf/#:~:text=Conditions%20allow%20you%20to%20specify,user%20via%20a%20web%20application.