This tweet describes a bypass affecting the Palantir Envoy WAF, which protects HTTP services by rejecting suspicious requests with a 403 status code. Setting the Content-Type header of a request to 'application/grpc' causes the WAF to pass the request through without blocking it. The bypass has been confirmed on 21 enterprise customer deployments, which points to a fleet-wide misconfiguration rather than a one-off mistake. Because the WAF trusts the declared content type, a request labelled 'application/grpc' can reach any endpoint, so attackers can map the full API surface despite the WAF and expose endpoints it was meant to shield. The bypass is universal: it covers the entire API surface and every class of request the Palantir Envoy WAF would otherwise block. The case underlines the importance of configuring WAFs correctly and of validating every HTTP header, rather than trusting a client-supplied Content-Type, before exempting a request from inspection.
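To make the defensive point concrete, here is an added example (not code from the tweet, and not Palantir's or Envoy's own code) showing two checks a defender can apply. The first triages proxy access logs for requests that carry a gRPC Content-Type but do not otherwise look like gRPC; the second validates that a request body actually uses gRPC length-prefixed framing before a filter treats it as gRPC. The log format and sample lines are constructed for the example; the gRPC rules used (a gRPC call is a POST over HTTP/2 with Content-Type application/grpc or application/grpc+<encoding>, a path of the form /Service/Method without a query string, and a body made of 5-byte-prefixed messages) come from the gRPC-over-HTTP/2 protocol.

```python
"""Defensive checks for 'looks like gRPC but is not' requests.

Added example, not from the original tweet or from Palantir/Envoy.
Assumptions: a constructed whitespace-separated access log with the fields
client method path protocol content_type status, and the gRPC-over-HTTP/2
conventions noted in the comments below.
"""

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 POST /acme.Inventory/ListItems HTTP/2 application/grpc 200
10.0.0.7 GET /api/v1/users?id=1 HTTP/1.1 application/grpc 200
10.0.0.7 POST /api/v1/admin/export HTTP/1.1 application/grpc 200
10.0.0.9 GET /api/v1/users?id=1 HTTP/1.1 text/html 403
10.0.0.5 POST /acme.Inventory/GetItem HTTP/2 application/grpc+proto 200
"""

# gRPC content types: application/grpc or application/grpc+<encoding>
GRPC_CONTENT_TYPE = re.compile(r"^application/grpc(\+[\w.-]+)?$")
# gRPC paths are /<package.Service>/<Method>; no query string is used
GRPC_PATH = re.compile(r"^/[\w.]+/\w+$")


@dataclass
class Finding:
    client: str
    path: str
    reasons: Tuple[str, ...]


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into named fields."""
    client, method, path, proto, ctype, status = line.split()
    return {"client": client, "method": method, "path": path,
            "protocol": proto, "content_type": ctype, "status": status}


def grpc_anomalies(entry: Dict[str, str]) -> List[str]:
    """Return reasons why a request claiming a gRPC content type is suspect.

    A request that does not claim gRPC is out of scope and gets no reasons.
    """
    media_type = entry["content_type"].split(";")[0].strip()
    if not GRPC_CONTENT_TYPE.match(media_type):
        return []
    reasons = []
    if entry["method"] != "POST":
        reasons.append("non-POST method")
    if entry["protocol"] != "HTTP/2":
        reasons.append("not HTTP/2")
    if "?" in entry["path"]:
        reasons.append("query string in path")
    if not GRPC_PATH.match(entry["path"].split("?")[0]):
        reasons.append("path is not /Service/Method")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run the anomaly checks over every line of an access log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = grpc_anomalies(entry)
        if reasons:
            findings.append(Finding(entry["client"], entry["path"], tuple(reasons)))
    return findings


def has_grpc_framing(body: bytes) -> bool:
    """True if body is a non-empty sequence of gRPC length-prefixed messages.

    Each message is: 1 byte compressed flag (0 or 1), 4 byte big-endian
    message length, then that many bytes of payload. A filter that exempts
    gRPC from inspection should require this, not just the header.
    """
    pos = 0
    while pos < len(body):
        if len(body) - pos < 5:
            return False
        flag = body[pos]
        length = int.from_bytes(body[pos + 1:pos + 5], "big")
        if flag not in (0, 1):
            return False
        pos += 5 + length
    return pos == len(body) and pos > 0


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.client} {f.path}: {', '.join(f.reasons)}")
    print(has_grpc_framing(b"\x00\x00\x00\x00\x03abc"), has_grpc_framing(b'{"id":1}'))
```

In the constructed log, the two requests from 10.0.0.7 are flagged (a GET with a query string over HTTP/1.1, and a POST to a REST-style path over HTTP/1.1) while the genuine gRPC calls from 10.0.0.5 are not. The framing check is the complement on the enforcement side: the decision to skip inspection should depend on properties the client cannot simply assert in a header.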
For more insights, check out the original tweet here: https://twitter.com/amidamarucyber/status/2029247799930339811