AWS - WAF Enum
AWS WAF
AWS WAF is a web application firewall designed to safeguard web applications or APIs against various web exploits which may impact their availability, security, or resource consumption. It empowers users to control incoming traffic by setting up security rules that mitigate typical attack vectors like SQL injection or cross-site scripting and also by defining custom filtering rules.
Monitoring Criteria (Conditions)
Conditions specify the elements of incoming HTTP/HTTPS requests that AWS WAF monitors, which include XSS, geographical location (GEO), IP addresses, Size constraints, SQL Injection, and patterns (strings and regex matching). It's important to note that requests restricted at the CloudFront level based on country won't reach WAF.
Each AWS account can configure:
100 conditions for each type (except for Regex, where only 10 conditions are allowed, but this limit can be increased).
100 rules and 50 Web ACLs.
A maximum of 5 rate-based rules.
A throughput of 10,000 requests per second when WAF is implemented with an application load balancer.
Rule Configuration
Rules are crafted using the specified conditions. For instance, a rule might block a request if it meets 2 specific conditions. There are two types of rules:
Regular Rule: Standard rule based on specified conditions.
Rate-Based Rule: Counts requests from a specific IP address over a five-minute period. Here, users define a threshold, and if the number of requests from an IP exceeds this limit within five minutes, subsequent requests from that IP are blocked until the request rate drops below the threshold. The minimum threshold for rate-based rules is 2000 requests.
Actions
Actions are assigned to each rule, with options being Allow, Block, or Count:
Allow: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer.
Block: The request is terminated immediately.
Count: Tallies the requests meeting the rule's conditions. This is useful for rule testing, confirming the rule's accuracy before setting it to Allow or Block.
If a request doesn't match any rule within the Web ACL, it undergoes the default action (Allow or Block). The order of rule execution, defined within a Web ACL, is crucial and typically follows this sequence:
Allow Whitelisted IPs.
Block Blacklisted IPs.
Block requests matching any detrimental signatures.
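The rule order and actions described above, written out as a WAFv2 rules document. This is an added example, not configuration from the original page: the IP set ARNs, the web ACL name and the REGIONAL scope are assumptions, and the rate-based rule starts in Count so its matches can be checked in CloudWatch before it is switched to Block.

```shell
#!/bin/sh
# Added example, not configuration from the original page: a WAFv2 web ACL
# whose rules follow the order described above. The IP set ARNs, the web
# ACL name and the REGIONAL scope are assumptions; the aws calls only run
# when WAF_APPLY=1 and the CLI is present.

vis() {  # per-rule metric settings so the rule shows up in CloudWatch
  printf '"VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "%s" }' "$1"
}

# Rules array for create-web-acl / update-web-acl. Lowest Priority is
# evaluated first; Allow and Block end evaluation, Count records the match
# and moves on, and a request that matches nothing gets the default action.
# A rule that references a rule group carries OverrideAction instead of
# Action: "None" keeps the group's own actions, "Count" turns them all into
# counts.
render_rules() {  # args: allow-list IP set ARN, block-list IP set ARN
  cat <<EOF
[
  { "Name": "allow-listed-ips", "Priority": 0,
    "Statement": { "IPSetReferenceStatement": { "ARN": "$1" } },
    "Action": { "Allow": {} }, $(vis allow-listed-ips) },
  { "Name": "block-listed-ips", "Priority": 1,
    "Statement": { "IPSetReferenceStatement": { "ARN": "$2" } },
    "Action": { "Block": {} }, $(vis block-listed-ips) },
  { "Name": "common-signatures", "Priority": 2,
    "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet" } },
    "OverrideAction": { "None": {} }, $(vis common-signatures) },
  { "Name": "rate-limit-per-ip", "Priority": 3,
    "Statement": { "RateBasedStatement": { "Limit": 2000, "AggregateKeyType": "IP" } },
    "Action": { "Count": {} }, $(vis rate-limit-per-ip) }
]
EOF
}

# Priorities in the order they appear, for a quick sanity check of the file.
rule_order() { sed -n 's/.*"Priority": \([0-9][0-9]*\).*/\1/p' | tr -d '\n'; }

create_ip_set() {  # args: IP set name, then one or more CIDRs; prints the ARN
  name=$1; shift
  aws wafv2 create-ip-set --name "$name" --scope REGIONAL \
    --ip-address-version IPV4 --addresses "$@" \
    --query 'Summary.ARN' --output text
}

create_web_acl() {  # args: web ACL name, allow-list ARN, block-list ARN
  render_rules "$2" "$3" > "/tmp/$1-rules.json"
  aws wafv2 create-web-acl --name "$1" --scope REGIONAL \
    --default-action Allow={} \
    --rules "file:///tmp/$1-rules.json" \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName="$1"
}

if [ "${WAF_APPLY:-0}" = 1 ] && command -v aws >/dev/null 2>&1; then
  allow=$(create_ip_set allow-list 203.0.113.0/24)    # documentation ranges,
  block=$(create_ip_set block-list 198.51.100.0/24)   # not real addresses
  create_web_acl example-web-acl "$allow" "$block"
fi
```

The default action is Allow, so only the block list, the managed signature group and (once promoted from Count) the rate rule can reject traffic; the allow-list rule sits first so listed addresses never reach the later rules. The 2000 limit is the threshold quoted in the text above, not a minimum enforced by this schema.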
CloudWatch Integration
AWS WAF integrates with CloudWatch for monitoring, offering metrics like AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests. These metrics are reported every minute by default and retained for a period of two weeks.
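A way to use those metrics from the CLI, added here as an example that is not part of the original page: pull the per-minute BlockedRequests series for one regional web ACL (or one rule of it, for instance a rule still in Count mode) and flag the minutes that exceed a threshold. The web ACL name, region, threshold and the constructed sample data are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: query the per-minute
# BlockedRequests metric of a regional WAFv2 web ACL and flag spikes.
# The live call only runs when WAF_METRICS_RUN=1 and the aws CLI exists;
# the filters below work on saved output as well.

# Fetch "timestamp<TAB>sum" lines for a window given as ISO-8601 UTC.
# Rule=ALL covers the whole web ACL; pass a rule's MetricName instead to
# watch a single rule. (For a CloudFront web ACL the Region dimension
# differs; this helper is written for REGIONAL scope only.)
blocked_requests() {  # args: web ACL name, region, rule, start, end
  aws cloudwatch get-metric-statistics \
    --namespace AWS/WAFV2 --metric-name BlockedRequests \
    --dimensions Name=WebACL,Value="$1" Name=Region,Value="$2" Name=Rule,Value="$3" \
    --start-time "$4" --end-time "$5" --period 60 --statistics Sum \
    --query 'sort_by(Datapoints,&Timestamp)[].[Timestamp,Sum]' --output text
}

# Print the minutes whose Sum is above the threshold (input on stdin).
flag_minutes() {  # arg: threshold
  awk -v t="$1" '$2 > t { print $1, $2 }'
}

# Total blocked requests over the window, as a baseline figure.
total_blocked() {
  awk '{ s += $2 } END { print s + 0 }'
}

# Constructed sample in the same shape as the CLI output (not real data):
# one quiet minute, one spike, one quiet minute.
sample_series() {
  printf '%s\t%s\n' \
    2024-01-01T00:00:00+00:00 12.0 \
    2024-01-01T00:01:00+00:00 340.0 \
    2024-01-01T00:02:00+00:00 9.0
}

if [ "${WAF_METRICS_RUN:-0}" = 1 ] && command -v aws >/dev/null 2>&1; then
  # GNU date syntax; assumed web ACL name and region
  start=$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ)
  end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  blocked_requests example-web-acl eu-west-1 ALL "$start" "$end" | flag_minutes 100
fi
```

Because the metrics are only kept for two weeks, anything worth retaining longer (or correlating with request details) needs a logging configuration on the web ACL in addition to these metrics.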
Enumeration
The --scope parameter of the wafv2 commands can also be CLOUDFRONT, but when checking for a WAF not related to CloudFront you need to use REGIONAL.
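The read-only enumeration this section refers to, written out as an added example (not commands from the original page): list the web ACLs in both scopes, dump each one's rules, default action, protected resources and log destinations, expand the IP sets they reference, and check the classic (pre-wafv2) API as well. It assumes a configured aws CLI; the live calls only run when WAF_ENUM_RUN=1.

```shell
#!/bin/sh
# Added example, not code from the original page: read-only enumeration of
# WAFv2 with the AWS CLI. Assumes the aws CLI is installed and configured
# for the account being reviewed; the live calls only run when
# WAF_ENUM_RUN=1 so the helpers can be exercised without credentials.

# wafv2 resources are scoped. REGIONAL ones live in the region of the load
# balancer / API they protect (use --region or the configured default);
# CLOUDFRONT ones are global but must be queried through us-east-1.
waf_scope_args() {
  case "$1" in
    REGIONAL)   printf '%s' "--scope REGIONAL" ;;
    CLOUDFRONT) printf '%s' "--scope CLOUDFRONT --region us-east-1" ;;
    *)          echo "unknown scope: $1 (use REGIONAL or CLOUDFRONT)" >&2; return 1 ;;
  esac
}

# For every web ACL in a scope: rules (priority, action, statement), the
# default action, the protected resources and the logging destination.
enum_web_acls() {
  scope=$1
  args=$(waf_scope_args "$scope") || return 1
  tab=$(printf '\t')
  # shellcheck disable=SC2086  # $args is meant to split into several words
  aws wafv2 list-web-acls $args --query 'WebACLs[].[Name,Id,ARN]' --output text |
  while IFS="$tab" read -r name id arn; do
    echo "== web ACL $name [$scope] =="
    aws wafv2 get-web-acl $args --name "$name" --id "$id" \
      --query 'WebACL.{DefaultAction:DefaultAction,Rules:Rules[].{Name:Name,Priority:Priority,Action:Action,OverrideAction:OverrideAction,Statement:Statement}}'
    # Associations can only be listed for REGIONAL web ACLs; a CloudFront
    # distribution references its web ACL from its own configuration.
    if [ "$scope" = REGIONAL ]; then
      echo "-- protected resources"
      aws wafv2 list-resources-for-web-acl --web-acl-arn "$arn" \
        --query 'ResourceArns' --output text
    fi
    # With no logging configuration, only the CloudWatch metrics record
    # what the web ACL allowed, blocked or counted.
    echo "-- log destinations"
    aws wafv2 get-logging-configuration --resource-arn "$arn" \
      --query 'LoggingConfiguration.LogDestinationConfigs' --output text 2>/dev/null \
      || echo "(none)"
  done
}

# IP sets hold the allow/block lists the rules reference; dump their members.
enum_ip_sets() {
  args=$(waf_scope_args "$1") || return 1
  tab=$(printf '\t')
  aws wafv2 list-ip-sets $args --query 'IPSets[].[Name,Id]' --output text |
  while IFS="$tab" read -r name id; do
    echo "== IP set $name [$1] =="
    aws wafv2 get-ip-set $args --name "$name" --id "$id" \
      --query 'IPSet.Addresses' --output text
  done
}

# Reusable rule groups and regex pattern sets in the scope.
enum_other() {
  args=$(waf_scope_args "$1") || return 1
  aws wafv2 list-rule-groups $args --query 'RuleGroups[].[Name,ARN]' --output table
  aws wafv2 list-regex-pattern-sets $args --query 'RegexPatternSets[].[Name,ARN]' --output table
}

# The classic API still exists and uses separate global and regional commands.
enum_classic() {
  aws waf list-web-acls --output table            # classic, CloudFront-facing
  aws waf-regional list-web-acls --output table   # classic, regional
}

main() {
  for scope in REGIONAL CLOUDFRONT; do
    enum_web_acls "$scope"
    enum_ip_sets "$scope"
    enum_other "$scope"
  done
  enum_classic
}

if [ "${WAF_ENUM_RUN:-0}" = 1 ] && command -v aws >/dev/null 2>&1; then
  main
fi
```

Run it once per region that hosts load balancers or API Gateway stages, since REGIONAL web ACLs are only visible from their own region; the CLOUDFRONT pass is the same regardless of the configured default region.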
Post Exploitation / Bypass
From an attacker's perspective, this service can help the attacker identify WAF protections and network exposures that could help them compromise other web applications.
However, an attacker could also be interested in disrupting this service so the web applications aren't protected by the WAF.
TODO: PRs are welcome
References
https://www.citrusconsulting.com/aws-web-application-firewall-waf/#:~:text=Conditions%20allow%20you%20to%20specify,user%20via%20a%20web%20application.