To interact with CloudFront distributions, you must specify the region US East (N. Virginia):
CLI - when using the CloudFront scope, specify the region US East: --scope CLOUDFRONT --region=us-east-1.
API and SDK - for all calls, use the regional endpoint us-east-1.
To interact with regional services, you should specify the region:
For example, for the region Europe (Spain): --scope REGIONAL --region=eu-south-2
```bash
# Web ACLs
## Retrieve a list of web access control lists (Web ACLs) available in your AWS account
aws wafv2 list-web-acls --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve details about the specified Web ACL
aws wafv2 get-web-acl --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve a list of resources associated with a specific web access control list (Web ACL)
aws wafv2 list-resources-for-web-acl --web-acl-arn <value>
# Additional permissions needed depending on the protected resource type: cognito-idp:ListResourcesForWebACL, ec2:DescribeVerifiedAccessInstanceWebAclAssociations or apprunner:ListAssociatedServicesForWebAcl
## Retrieve the Web ACL associated with the specified AWS resource
aws wafv2 get-web-acl-for-resource --resource-arn <arn>
# Additional permissions needed depending on the protected resource type: cognito-idp:GetWebACLForResource, ec2:GetVerifiedAccessInstanceWebAcl, wafv2:GetWebACL or apprunner:DescribeWebAclForService

# Rule groups
## List the rule groups available in your AWS account
aws wafv2 list-rule-groups --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the details of a specific rule group
aws wafv2 get-rule-group [--name <value>] [--id <value>] [--arn <value>] [--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>]
## Retrieve the IAM policy attached to the specified rule group
aws wafv2 get-permission-policy --resource-arn <rule-group-arn>
# Only the owner of the rule group can perform this operation

# Managed rule groups (by AWS or by a third party)
## List the managed rule groups that are available
aws wafv2 list-available-managed-rule-groups --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## List the available versions of the specified managed rule group
aws wafv2 list-available-managed-rule-group-versions --vendor-name <value> --name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve high-level information about a specific managed rule group
aws wafv2 describe-managed-rule-group --vendor-name <value> --name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--version-name <value>]
## Retrieve high-level information about all managed rule groups
aws wafv2 describe-all-managed-products --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve high-level information about all managed rule groups from a specific vendor
aws wafv2 describe-managed-products-by-vendor --vendor-name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>

# IP sets
## List the IP sets that are available in your AWS account
aws wafv2 list-ip-sets --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the specified IP set
aws wafv2 get-ip-set --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the keys that are currently being managed by a rate-based rule
aws wafv2 get-rate-based-statement-managed-keys --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> \
  --web-acl-name <value> --web-acl-id <value> --rule-name <value> [--rule-group-rule-name <value>]

# Regex pattern sets
## List all the regex pattern sets that you manage
aws wafv2 list-regex-pattern-sets --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the specified regex pattern set
aws wafv2 get-regex-pattern-set --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>

# API keys
## List the API keys for the specified scope
aws wafv2 list-api-keys --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve a decrypted API key
aws wafv2 get-decrypted-api-key --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> --api-key <value>

# Logs
## List the logging configurations (storage location of the logs)
aws wafv2 list-logging-configurations --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--log-scope <value>]
## Retrieve the logging configuration settings associated with a specific web ACL
aws wafv2 get-logging-configuration --resource-arn <value> [--log-scope <CUSTOMER|SECURITY_LAKE>] [--log-type <value>]

# Miscellaneous
## Retrieve a list of the tags associated with the specified resource
aws wafv2 list-tags-for-resource --resource-arn <value>
## Retrieve a sample of web requests that matched a specified rule within a web ACL during a specified time range
aws wafv2 get-sampled-requests --web-acl-arn <value> --rule-metric-name <value> --time-window <value> --max-items <1-500> --scope <value>
## Obtain the web ACL capacity unit (WCU) requirements for a specified scope and rule set
aws wafv2 check-capacity --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> --rules <value>
## List the available releases for the AWS WAFv2 mobile SDK
aws wafv2 list-mobile-sdk-releases --platform <IOS|ANDROID>
## Retrieve information for the specified mobile SDK release
aws wafv2 get-mobile-sdk-release --platform <value> --release-version <value>
```
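The following Python is an added example, not code from the original page or from AWS. It does two things for the material above: `wafv2_args` builds `aws wafv2` argument lists with the scope/region rule enforced (CLOUDFRONT always pins `us-east-1`, REGIONAL requires an explicit region), and `audit_web_acls` runs a posture check over enumeration output shaped like the JSON that `list-web-acls`, `list-resources-for-web-acl` and `list-logging-configurations` return, reporting web ACLs that protect no resource or have no logging configuration. The ids, ARNs and both helper names are assumptions; the sample responses are constructed.

```python
"""Added example, not from the original page: scope-aware `aws wafv2` argv
builder plus a posture audit over constructed enumeration output.
All ids and ARNs below are placeholders (constructed sample data)."""

CLOUDFRONT_REGION = "us-east-1"  # CLOUDFRONT scope is only served from us-east-1


def wafv2_args(operation, scope, region=None, **params):
    """Return the argv for `aws wafv2 <operation>` with the scope/region rule
    enforced: CLOUDFRONT pins --region us-east-1, REGIONAL needs an explicit
    region. Extra keyword parameters become --kebab-case options."""
    if scope == "CLOUDFRONT":
        if region not in (None, CLOUDFRONT_REGION):
            raise ValueError("CLOUDFRONT scope must use region us-east-1")
        region = CLOUDFRONT_REGION
    elif scope == "REGIONAL":
        if not region:
            raise ValueError("REGIONAL scope requires an explicit region")
    else:
        raise ValueError(f"unknown scope {scope!r}")
    argv = ["aws", "wafv2", operation, "--scope", scope, "--region", region]
    for key, value in params.items():
        argv += ["--" + key.replace("_", "-"), str(value)]
    return argv


# Constructed sample data shaped like the JSON the three list commands return.
PROD_ACL_ARN = ("arn:aws:wafv2:eu-south-2:123456789012:regional/webacl/"
                "prod-acl/11111111-aaaa-4bbb-8ccc-000000000001")
STAGING_ACL_ARN = ("arn:aws:wafv2:eu-south-2:123456789012:regional/webacl/"
                   "staging-acl/22222222-aaaa-4bbb-8ccc-000000000002")

LIST_WEB_ACLS = {"WebACLs": [
    {"Name": "prod-acl", "Id": "11111111-aaaa-4bbb-8ccc-000000000001",
     "LockToken": "tok-prod-1", "ARN": PROD_ACL_ARN},
    {"Name": "staging-acl", "Id": "22222222-aaaa-4bbb-8ccc-000000000002",
     "LockToken": "tok-stg-1", "ARN": STAGING_ACL_ARN},
]}
# One `list-resources-for-web-acl --web-acl-arn <arn>` result per ACL.
RESOURCES_FOR_ACL = {
    PROD_ACL_ARN: {"ResourceArns": [
        "arn:aws:elasticloadbalancing:eu-south-2:123456789012:loadbalancer/app/web/0123456789abcdef"]},
    STAGING_ACL_ARN: {"ResourceArns": []},
}
LIST_LOGGING = {"LoggingConfigurations": [
    {"ResourceArn": PROD_ACL_ARN,
     "LogDestinationConfigs": ["arn:aws:logs:eu-south-2:123456789012:log-group:aws-waf-logs-prod"]},
]}


def audit_web_acls(web_acls, resources_for_acl, logging_configs):
    """Return (acl name, finding) pairs: an ACL that protects no resource is
    dead weight or a sign something was disassociated; an ACL without a
    logging configuration leaves no record of what it blocked or allowed."""
    logged = {c["ResourceArn"] for c in logging_configs["LoggingConfigurations"]}
    findings = []
    for acl in web_acls["WebACLs"]:
        arn = acl["ARN"]
        if not resources_for_acl.get(arn, {}).get("ResourceArns"):
            findings.append((acl["Name"], "no associated resources"))
        if arn not in logged:
            findings.append((acl["Name"], "no logging configuration"))
    return findings


if __name__ == "__main__":
    print(" ".join(wafv2_args("list-web-acls", "CLOUDFRONT")))
    print(" ".join(wafv2_args("get-ip-set", "REGIONAL", "eu-south-2",
                              name="office-allow-list", id="<id>")))
    for name, finding in audit_web_acls(LIST_WEB_ACLS, RESOURCES_FOR_ACL, LIST_LOGGING):
        print(f"[finding] {name}: {finding}")
```

In a real run you would feed `audit_web_acls` the parsed output of the three commands (one `list-resources-for-web-acl` call per ACL ARN) for each scope and region you operate in; the argv builder keeps the CloudFront case from silently returning an empty list because the wrong region was used.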
Post Exploitation / Bypass
From an attacker's perspective, this service can help an attacker identify WAF protections and network exposure, which might help them compromise other websites.
However, an attacker might also be interested in tampering with this service so that websites are no longer protected by the WAF.
In many delete and update operations, a lock token must be provided. This token is used for concurrency control on the resource, ensuring that changes are not accidentally overwritten by multiple users or processes trying to update the same resource at the same time. To obtain this token, you can perform the corresponding list or get operation on the specific resource.
An attacker will be able to create, update and delete the IP sets managed by AWS WAF. This can be dangerous because an attacker could create new IP sets to allow malicious traffic, modify IP sets to block legitimate traffic, update existing IP sets to include malicious IP addresses, remove trusted IP addresses, or delete critical IP sets intended to protect key resources.
```bash
# Create IP set
aws wafv2 create-ip-set --name <value> --ip-address-version <IPV4|IPV6> --addresses <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
# Update IP set
aws wafv2 update-ip-set --name <value> --id <value> --addresses <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
# Delete IP set
aws wafv2 delete-ip-set --name <value> --id <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
```
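As an added example (not from the original page), here is detection logic a defender could run over CloudTrail records to surface the IP-set changes described above. The records are constructed, with placeholder account ids, principals and addresses; `eventSource`, `eventName` and the `requestParameters` field names follow CloudTrail's recording of the wafv2 `CreateIPSet`, `UpdateIPSet` and `DeleteIPSet` calls, while the severity rules and the `analyze_ipset_events` / `is_catch_all` helpers are assumptions. An update that empties a set or adds a zero-length prefix is escalated, because either silently changes what the WAF lets through; a call CloudTrail records with an `errorCode` (for instance a rejected stale lock token) did not take effect and is kept as a low-severity attempt.

```python
"""Added example, not from the original page: flag AWS WAF IP-set mutations in
CloudTrail records and escalate the cases that silently change what the WAF
lets through. The events are constructed samples with placeholder values."""
import ipaddress

# Mutating wafv2 IP-set calls from the text, with an assumed base severity.
WATCHED = {"CreateIPSet": "medium", "UpdateIPSet": "medium", "DeleteIPSet": "high"}

SAMPLE_EVENTS = [  # constructed CloudTrail records
    {"eventSource": "wafv2.amazonaws.com", "eventName": "UpdateIPSet",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "office-allow-list", "scope": "REGIONAL",
                           "addresses": ["203.0.113.0/24", "198.51.100.7/32"],
                           "lockToken": "tok-1"}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "UpdateIPSet",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-deploy"},
     "requestParameters": {"name": "known-bad-ips", "scope": "CLOUDFRONT",
                           "addresses": [], "lockToken": "tok-7"}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "DeleteIPSet",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"name": "admin-allow-list", "scope": "REGIONAL",
                           "lockToken": "tok-3"}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "UpdateIPSet",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "errorCode": "WAFOptimisticLockException",  # stale lock token, call rejected
     "requestParameters": {"name": "office-allow-list", "scope": "REGIONAL",
                           "addresses": ["0.0.0.0/0"], "lockToken": "tok-0"}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "GetIPSet",  # read-only, ignored
     "requestParameters": {"name": "office-allow-list", "scope": "REGIONAL"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def is_catch_all(addresses):
    """True if any entry is a zero-length prefix (0.0.0.0/0 or ::/0)."""
    for cidr in addresses:
        try:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                return True
        except ValueError:  # malformed entry: the service rejects it anyway
            continue
    return False


def analyze_ipset_events(events):
    """Return one alert dict per watched wafv2 IP-set mutation.
    UpdateIPSet that empties a set or adds a catch-all prefix is escalated to
    high; a record carrying errorCode did not take effect and is kept as a
    low-severity attempt so the actor is still visible."""
    alerts = []
    for ev in events:
        name = ev.get("eventName")
        if ev.get("eventSource") != "wafv2.amazonaws.com" or name not in WATCHED:
            continue
        params = ev.get("requestParameters") or {}
        severity, reasons = WATCHED[name], []
        if name == "UpdateIPSet":
            addrs = params.get("addresses", [])
            if not addrs:
                severity, reasons = "high", ["IP set emptied"]
            elif is_catch_all(addrs):
                severity, reasons = "high", ["catch-all prefix added"]
        if ev.get("errorCode"):
            severity = "low"
            reasons.append("call failed: " + ev["errorCode"])
        alerts.append({"event": name, "ipset": params.get("name"),
                       "scope": params.get("scope"),
                       "actor": ev.get("userIdentity", {}).get("arn"),
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze_ipset_events(SAMPLE_EVENTS):
        print(f"{a['severity']:6} {a['event']:12} {a['ipset']} ({a['scope']}) "
              f"by {a['actor']} {a['reasons']}")
```

Whether an emptied set is dangerous depends on how the rule references it: emptying an allow-list used in a block-everything-else rule shuts legitimate users out, while emptying a block-list lets everything through. The analyzer cannot see the referencing rule from the event alone, so it escalates both and leaves the interpretation to whoever triages the alert with `get-web-acl` output in hand.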