Google WAF bypassed via oversized POST requests


Security limitations in the default protection offered by Google’s web application firewall (WAF) make it possible to bypass the company’s cloud-based defenses.

Researchers at security consultancy Kloudle found they were able to bypass both Google Cloud Platform (GCP) and Amazon Web Services (AWS) web app firewalls just by making a POST request more than 8KB in size.

“The default behavior of Cloud Armor in this case can allow malicious requests to bypass Cloud Armor and directly reach an underlying application,” according to Kloudle.

Read more…