I have been utilizing Cloud Armor’s Preconfigured WAF rule to prevent Local
File Inclusion (LFI) attacks [1]. I conducted tests using the following
commands:
curl -Ii http://$PUBLIC_SVC_IP/?a=../
curl -Ii http://$PUBLIC_SVC_IP/ftp/../
curl -Ii http://$PUBLIC_SVC_IP/ftp/%2e%2e/var (after URI decoding, “%2e%2e” becomes “..”)
After configuring the security policy [2], only the curl -Ii
http://$PUBLIC_SVC_IP/?a=../ command was blocked.
The curl -Ii http://$PUBLIC_SVC_IP/ftp/../ command passed with an HTTP code
of 200, indicating that it wasn’t blocked.
Similarly, the curl -Ii http://$PUBLIC_SVC_IP/ftp/%2e%2e/var command,
despite resulting in a 302 status, was not blocked either (Screenshots:
output_after_sec_policy_1, output_after_sec_policy_2).
I am interested in understanding how to prevent such behavior. Could you
please provide insights into any mechanisms that may be causing certain
methods not to be blocked by Cloud Armor?
Thank you for your assistance.
Hi @premnawaz ,
It seems that your question lacks information. It would be helpful if you had added the information from [1] and [2] that you mentioned in the question. There were no details of the WAF rule or the security policy. The screenshots were also missing from the question.
Let me provide you with a general explanation why certain methods were not blocked. The WAF rules are like a set of patterns that help identify common attacks. If the tests you’re doing use attack patterns not covered by these rules, the security system may not be able to stop those specific attacks.
Some security systems are set to manage encoded or hidden information. In your case, you mentioned decoding URIs (for example, “%2e%2e” becomes “..”). Just double-check that the rules of the security system are set up to handle this kind of decoding.
I recommend enabling logging for Cloud Armor to review the logs and understand how requests are being processed by the WAF. This can provide insights into why certain requests are not being blocked.
If you are still experiencing this issue, coordinate with Google Cloud Support for further investigation of your project and Cloud Armor config.
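An added example (not code from the question or the reply, and unrelated to how Cloud Armor itself implements its rules) illustrating the decoding point above: it percent-decodes each request URI, including double-encoded variants, reports whether dot-dot segments appear in the path or in query values, and shows the path the request resolves to after normalisation. The host and the sample URLs are constructed placeholders modelled on the three tests in the question.

```python
import posixpath
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample requests mirroring the question's three tests, plus a
# double-encoded variant and a benign control. The host is a placeholder.
SAMPLE_REQUESTS = [
    "http://PUBLIC_SVC_IP/?a=../",
    "http://PUBLIC_SVC_IP/ftp/../",
    "http://PUBLIC_SVC_IP/ftp/%2e%2e/var",
    "http://PUBLIC_SVC_IP/ftp/%252e%252e/var",
    "http://PUBLIC_SVC_IP/images/logo.png",
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded sequence such as %252e is also reduced to '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_findings(url: str) -> dict:
    """Report where dot-dot segments appear after decoding.

    A rule that only inspects query values, or that inspects the raw
    (undecoded) path, would miss some of the sample requests above.
    'resolved_path' is what the path collapses to once '..' is applied,
    which is why '/ftp/../' can reach the site root and return 200."""
    parts = urlsplit(url)
    decoded_path = fully_decode(parts.path)
    path_segments = decoded_path.split("/")
    query_values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return {
        "url": url,
        "path_traversal": ".." in path_segments,
        "query_traversal": any(".." in fully_decode(v).split("/") for v in query_values),
        "resolved_path": posixpath.normpath(decoded_path),
    }


def scan_requests(urls: list) -> list:
    """Run traversal_findings over a list of request URIs."""
    return [traversal_findings(u) for u in urls]


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

Comparing these findings against the Cloud Armor request logs for the same requests shows whether a given encoding or path position is being evaluated by the rule.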