From 8b387fc9feef423f262b32d039d6702dd33d648b Mon Sep 17 00:00:00 2001
From: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
Date: Tue, 26 Dec 2023 13:42:53 +0200
Subject: [PATCH 1/3] Delete vulnerabilities/azure-waf-bypass.yaml
---
 vulnerabilities/azure-waf-bypass.yaml | 31 ---------------------------
 1 file changed, 31 deletions(-)
 delete mode 100644 vulnerabilities/azure-waf-bypass.yaml
diff --git a/vulnerabilities/azure-waf-bypass.yaml b/vulnerabilities/azure-waf-bypass.yaml
deleted file mode 100644
index a66e745..0000000
--- a/vulnerabilities/azure-waf-bypass.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Azure WAF managed rule set globbing pattern bypass
-slug: azure-waf-bypass
-cves: null
-affectedPlatforms:
-- Azure
-affectedServices:
-- Azure WAF
-image: https://images.pexels.com/photos/1662298/pexels-photo-1662298.jpeg?auto=compress&cs=tinysrgb&w=1260&h=750&dpr=2
-severity: Medium
-discoveredBy:
- name: Divyanshu Shukla
- org: null
- domain: https://justm0rph3u5.medium.com
- twitter: justm0rph3u5
-publishedAt: 2022/07/01
-disclosedAt: 2021/06/24
-exploitabilityPeriod: until July 16th, 2021
-knownITWExploitation: false
-summary: |
- Azure Web Application Firewall (WAF) with OWASP 3.2 managed rule set and below was
- vulnerable to command injection bypass using globbing patterns (incorporating the
- wildcard "?" in command syntax). For example, while attempting access to "/etc/passwd"
- would be blocked, a command targeting "/et?/passwo?d" would be allowed.
-manualRemediation: |
- None required
-detectionMethods: null
-contributor: https://github.com/justmorpheus
-references:
-- https://medium.com/secjuice/waf-evasion-techniques-718026d693d8
-- https://medium.com/bugbountywriteup/module-1-introduction-pentesting-bypassing-cloud-waf-fun-profit-75f315951aa8
-- https://twitter.com/justm0rph3u5/status/1542943538857799680
From 02fdba631fda1d7eb5088cbd575992a6b90c5d98 Mon Sep 17 00:00:00 2001
From: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
Date: Tue, 26 Dec 2023 13:43:57 +0200
Subject: [PATCH 2/3] Delete vulnerabilities/aws-waf-sql-injection.yaml
---
 vulnerabilities/aws-waf-sql-injection.yaml | 29 ----------------------
 1 file changed, 29 deletions(-)
 delete mode 100644 vulnerabilities/aws-waf-sql-injection.yaml
diff --git a/vulnerabilities/aws-waf-sql-injection.yaml b/vulnerabilities/aws-waf-sql-injection.yaml
deleted file mode 100644
index c93b161..0000000
--- a/vulnerabilities/aws-waf-sql-injection.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: AWS WAF configuration allows SQL injection
-slug: aws-waf-sql-injection
-cves: null
-affectedPlatforms:
-- AWS
-affectedServices:
-- AWS WAF
-image: https://raw.githubusercontent.com/wiz-sec/open-cvdb/main/images/aws-wafs-dangerous-defaults.jpg
-severity: Medium
-discoveredBy:
- name: Osama Elnaggar
- org: null
- domain: https://osamaelnaggar.com/
- twitter: https://twitter.com/securityfu
-publishedAt: 2021/10/03
-disclosedAt: 2021/09/03
-exploitabilityPeriod: null
-knownITWExploitation: false
-summary: |
- AWS WAF using the Core Rules set allowed SQL injection. In AWS WAF only the first 8 KB (8,192 bytes) of the request body are forwarded to AWS WAF for inspection, but AWS Managed rules allowed requests up to 10 KB.
- An attacker could send a request larger than 8 KB but smaller than 10 KB, with a malicious payload located after the first 8,192 bytes, and thereby pass the WAFs inspection.
- To fix this issue, AWS reduced the request size limit to 8 KB.
-manualRemediation: |
- None required
-detectionMethods: null
-contributor: https://github.com/mer-b
-references:
-- https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/
-- https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html
From 9fd9a666930333bd2c9a795c8d47fe60342c58fe Mon Sep 17 00:00:00 2001
From: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
Date: Tue, 26 Dec 2023 13:47:08 +0200
Subject: [PATCH 3/3] Update about.md
---
 pages/about.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pages/about.md b/pages/about.md
index 000b119..5660597 100644
--- a/pages/about.md
+++ b/pages/about.md
@@ -17,12 +17,14 @@ We define the following criteria for inclusion in this database:
 4. And required remediation actions on either side of the shared responsibility model.
 Examples include:
-- Security issues in default misconfigurations
+- Security issues affecting CSP-managed services
+- Default misconfigurations of CSP-managed services
 - Vulnerabilities in CSP-provided client software
 We consider the following cases to be out of scope of this project:
 - Cloud vulnerabilities or security issues about which there is no publicly available information
 - CSP customer security incidents
+- WAF bypass vulnerabilities
 ### History
 This project was built on the foundations of [Scott Piper](https://twitter.com/0xdabbad00)’s [“Cloud Service Provider security mistakes”](https://github.com/SummitRoute/csp_security_mistakes), and as of June 28th, 2022, all content included here originally appeared in that repository.