It is possible to circumvent Google's cloud-based defences due to security flaws in the default protection offered by the company's web application firewall (WAF).
Researchers from security firm Kloudle discovered that by sending a POST request larger than 8KB, they were able to get beyond the web app firewalls on both Google Cloud Platform (GCP) and Amazon Web Services (AWS).
“The default behaviour of Cloud Armor, in this case, can allow malicious requests to bypass Cloud Armor and directly reach an underlying application,” according to Kloudle.
"This is similar to the well-documented 8 KB limitation of the AWS web application firewall, however, in the case of Cloud Armor, the limitation is not as widely known and is not presented to customers as prominently as the limitation in AWS.”
Even if an underlying application is still susceptible, WAFs are designed to guard against web-based attacks like SQL Injection and cross-site scripting.
If a targeted endpoint accepts HTTP POST requests "in a manner that could trigger an underlying vulnerability," bypassing this safeguard would bring a potential attacker one step closer to attacking a web-hosted application.
Kloudle explains in a technical blog post,“This issue can be exploited by crafting an HTTP POST request with a body size exceeding the 8KB size limitation of Cloud Armor, where the payload appears after the 8192th byte/character in the request body."
Google's Cloud Armor WAF comes with a collection of predefined firewall rules based on the OWASP ModSecurity Core Rule Set, which is open source.
The possible attack vector can be blocked by setting a custom Cloud Armor rule to block HTTP requests with request bodies larger than 8192 bytes - a general rule that can be customised to accommodate defined exceptions.
Even though AWS' WAF has similar issues, Kloudle faulted GCP for neglecting to notify customers about the problem. According to the researchers, other cloud-based WAFs have comparable drawbacks.
Kloudle told The Daily Swig: “This is part of ongoing work… so far, we have seen request body limitations with Cloudflare, Azure, and Akamai as well. Some have 8KB and others extend to 128KB.”
In response to questions from The Daily Swig, a Google spokesperson stated that the 8KB restriction is stated in the company's documentation.
Kloudle's representative expressed concern over security and functionality.
The representative explained, “Perimeter security software is hard. I suspect in this case 8KB limit allows them to reliably process other WAF rules. They could be doing more for developer awareness, including adding that rule by default with the option to disable in case someone wants to. As per the shared security responsibility model they put the onus on the end-user to use the service securely.”
Kloudle's representative expressed sympathy for the security and functionality trade-offs that cloud providers must make but suggested to The Daily Swig that cloud providers could do more to educate consumers about the issue.