Table of Contents
- 1. Introduction
- 2. JSON data used in the study
- 3. Rule conditions used in the study
- 4. Results
- 5. Conclusion
1. Introduction
Recently, research on bypassing AWS WAF has been increasing and on July 26th, 2023, a post about bypassing JSON body inspecting rules on AWS WAF was published.
AWS WAF Bypass: invalid JSON object and unicode escape sequences
In this blog post, we are going to take a look at some of the requests and its detection status.
Please refer to the blog post below for how to create rules that inspect JSON body.
How to specify keys and values of JSON format request body to match on AWS WAF
2. JSON data used in the study
In the post above, they explained that the rules can be bypassed when there are duplicate keys in JSON data. In this test, we will use the JSON data that are specified in the AWS document as data that can be parsed by AWS WAF as valid key-value pair in addition to dupilicate keys.
1. Missing comma:
{"key1":"value1""key2":"value2"}
2. Missing colon:
{"key1":"value1","key2""value2"}
3. Extra colon:
{"key1"::"value1","key2":"value2"}
4. Extra and missing colon:
{"key1"::"value1","key2""value2"}
5. Duplicate keys:
{"key1":"value1","key1":"value2"}
*In the AWS document, missing colon's data was specified as {"key1"::"value1","key2""value2"}
, so we are going to use both "3. Extra colon" and "4. Extra and missing colon".
3. Rule conditions used in the study
We used the rule conditions listed below in the test. When a request matches the rule, the request will be blocked.
Please keep in mind that when inspecting JSON body, you must select [Body] for [Inspect] field and choose [JSON] for [Content type]. For more details on the conditions, refer to the AWS document below.
Request component options (JSON body)
Rule 1. Contains "value1" in the value:
JSON match scope: All
How AWS WAF should handle the request if the JSON in the request body is invalid: None
Content to inspect: Full JSON content
Match type: Contains string
String to match: value1
Rule 2. Contains "value2" in the value:
JSON match scope: All
How AWS WAF should handle the request if the JSON in the request body is invalid: None
Content to inspect: Full
Match type: Contains string
String to match: value2
Rule 3. Only inspect the key "key1" and the value size is greater than 0:
JSON match scope: All
How AWS WAF should handle the request if the JSON in the request body is invalid: None
Content to inspect: Only included elements
Included elements: /key1
Match type: Size greater than
Size in bytes: 0
Rule 4. Contains "value2" in the value and matches when the JSON format is invalid:
JSON match scope: All
How AWS WAF should handle the request if the JSON in the request body is invalid: Match
Content to inspect: Full
Match type: Contains string
String to match: value2
Key points of these rules are that the option [How AWS WAF should handle the request if the JSON in the request body is invalid] is set to [None] in Rule 1 to Rule 3. This means that the content of the body will be inspected until there is a parse error.
Rule 1 and Rule 2 has different strings to match, and in Rule 3 the content to inspect is specified as key and value has to be greater than 0 to match.
For Rule 4, the option [How AWS WAF should handle the request if the JSON in the request body is invalid] is set to [Match]. If the JSON body cannot be parsed, then the rule matches to the request. The rest of the conditions are the same as Rule 2.
4. Results
The results are as below.
Rules | 1. Missing comma | 2. Missing colon | 3. Extra colon | 4. Extra and missing colon | 5. Duplicate keys |
---|---|---|---|---|---|
Rule 1. Contains "value1" in the value | Not detected | Detected | Detected | Detected | Detected |
Rule 2. Contains "value2" in the value | Not detected | Detected | Detected | Detected | Not detected |
Rule 3. Only inspect the key "key1" and the value size is greater than 0 | Not detected | Detected | Detected | Detected | Detected |
Rule 4. Contains "value2" in the value and matches when the JSON format is invalid | Detected | Detected | Detected | Detected | Detected |
The main takeaways from the results above are:
-
1. AWS WAF will do its best to try and parse JSON data as valid key-value pair even if the formats are invalid
Missing colon or duplicate keys are commonly considered invalid formats, but as stated in the AWS document, AWS WAF will parse some of the JSON strings as valid key-value pairs.
-
2. However, it seems like "missing comma" cannot be parsed properly in this study
Missing comma was listed as one of valid key-value pairs in AWS document, but in this study the missing comma cases did not get detected as expected regardless of inspected content. Missing comma is a case to be cautious of when creating a rule.
-
3. When the same keys are used in the JSON data, any key-value pairs that appear after the dupilicate key will not be inspected
The duplicate keys explained in the post introduced in the beginning was not detected with Rule 2. Because the keys were the same, we believe the second key-value pair
"key1":"value2"
couldn't be inspected and didn't match the rule.
5. Conclusion
As a result of the test, we can see that the rules that inspect JSON body is a unique statement, and may return unexpected results depending on the format of the JSON data.
You may need to be cautious when creating rules to inspect JSON body.
Although the way rules work will depend on AWS WAF specifications, you can also consider to use [Match] option and block any requests containing invalid JSON format.
Using rule action COUNT will let you grasp the detection status, so we recommend you to throughly read the AWS document and test the conditions before implementing the rules.