This bypass targets AWS WAF deployed in front of a CloudFront distribution, where it filters and monitors HTTP requests before they reach the origin. In the reported case the WAF carried a rule that returned 403 for any request whose path matched `/actuator`, the base path of Spring Boot Actuator's management and monitoring endpoints. The rule could be bypassed by percent-encoding every character of the string `actuator` into its hexadecimal form, giving the path `/%61%63%74%75%61%74%6f%72`. The rule compared the path exactly as it appeared on the request line, so the encoded form did not match `/actuator` and the request was forwarded; the origin's servlet container then decoded the percent-encoding and routed the request to the actuator endpoints exactly as if `/actuator` had been requested.

The underlying point is that a WAF rule which matches the URI path before decoding it is matching a different string from the one the application will see. Any block rule written only against the literal path can be sidestepped by encoding, and the same trick carries over to other paths hidden behind path-based restrictions (administrative consoles, debug endpoints and other sources of information disclosure), which is why it is often described as a generic bypass. Administrators should canonicalize the path the way the origin does, that is URL-decode it and normalize dot segments and duplicate slashes, before the comparison is made; in AWS WAF this means adding the `URL_DECODE` and `NORMALIZE_PATH` text transformations to the byte-match statement rather than relying on the raw path. The rule should then be verified by sending the encoded form yourself, and, independently of the WAF, the actuator endpoints should not be reachable from the Internet in the first place.
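The following is an added example, not code from the original post or from AWS, that reproduces the bypass in miniature: it generates the fully percent-encoded path, shows that a matcher working on the raw request-line path misses it, and shows a matcher that decodes and normalizes first catching it (including the double-encoded and dot-segment variants, which go beyond the single case in the tweet). The function and rule names are illustrative, and the AWS WAFv2 statement at the end is a hand-written fragment that should be checked against the current API reference before use.

```python
"""
Simulate a path-based WAF rule that matches before URL decoding (the weak
rule from the write-up) next to one that canonicalizes the path first.
Added example; not the original post's code. All names are illustrative.
"""
import posixpath
import re
from urllib.parse import unquote

# Paths the rule is meant to deny (prefix match, like the 403 rule described).
BLOCKED_PREFIXES = ("/actuator",)


def encode_every_char(path: str) -> str:
    """Percent-encode every character after the leading slash, as the bypass does."""
    head, tail = path[:1], path[1:]
    return head + "".join(f"%{ord(c):02x}" for c in tail)


def naive_blocked(raw_path: str) -> bool:
    """The weak rule: compare the request-line path with no decoding at all."""
    return any(raw_path.startswith(p) for p in BLOCKED_PREFIXES)


def canonicalize(raw_path: str, max_rounds: int = 3) -> str:
    """Approximate what the origin's servlet container will route on.

    Percent-decode until the string stops changing (bounded, so a
    double-encoded path such as /%2561... is also resolved), then collapse
    duplicate slashes and resolve ./ and ../ segments.
    """
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)          # posixpath keeps a leading "//", so collapse first
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                          # normpath drops the trailing slash; keep it
    return norm


def hardened_blocked(raw_path: str) -> bool:
    """The same deny rule, applied to the canonicalized path."""
    return naive_blocked(canonicalize(raw_path))


def aws_waf_statement(prefix: str = "/actuator") -> dict:
    """Illustrative AWS WAFv2 rule statement applying the same idea:
    decode and normalize the URI path before the byte match."""
    return {
        "ByteMatchStatement": {
            "SearchString": prefix,
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            "TextTransformations": [
                {"Priority": 0, "Type": "URL_DECODE"},
                {"Priority": 1, "Type": "NORMALIZE_PATH"},
            ],
        }
    }


if __name__ == "__main__":
    encoded = encode_every_char("/actuator/env")   # constructed request path
    print(encoded)
    print("naive rule blocks:   ", naive_blocked(encoded))
    print("hardened rule blocks:", hardened_blocked(encoded))
```

Decoding to a fixed point is deliberately stricter than the origin, which decodes once: a request path that legitimately contains `%25` may be denied that the application would never have routed to `/actuator`. For a deny rule that is the safe direction to err in, but it is the trade-off to be aware of when copying this into a real ruleset.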
Check out the original tweet here: https://twitter.com/momika233/status/2039255547686629762