diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md index 6cb5f50031..11872d8367 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md 
@@ -18,30 +18,79 @@ Other ways to support HackTricks: AWS WAF is a **web application firewall** designed to **safeguard web applications or APIs** against various web exploits which may impact their availability, security, or resource consumption. It empowers users to control incoming traffic by setting up **security rules** that mitigate typical attack vectors like SQL injection or cross-site scripting and also by defining custom filtering rules. -## Monitoring Criteria (Conditions) +## Key concepts -Conditions specify the elements of incoming HTTP/HTTPS requests that AWS WAF monitors, which include XSS, geographical location (GEO), IP addresses, Size constraints, SQL Injection, and patterns (strings and regex matching). It's important to note that requests restricted at the CloudFront level based on country won't reach WAF. +### Web ACL (Access Control List) + +A Web ACL is a collection of rules that you can apply to your web applications or APIs. When you associate a Web ACL with a resource, AWS WAF inspects incoming requests based on the rules defined in the Web ACL and takes the specified actions. + +### Rule Group + +A Rule Group is a reusable collection of rules that you can apply to multiple Web ACLs. Rule groups help manage and maintain consistent rule sets across different web applications or APIs. + +Each rule group has its associated **capacity**, which helps to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. Once its value is set during creation, it is not possible to modify it. + +### Rule + +A rule defines a set of conditions that AWS WAF uses to inspect incoming web requests. There are two main types of rules: + +1. **Regular Rule**: This rule type uses specified conditions to determine whether to allow, block, or count web requests. +2. **Rate-Based Rule**: Counts requests from a specific IP address over a five-minute period. 
Here, users define a threshold, and if the number of requests from an IP exceeds this limit within five minutes, subsequent requests from that IP are blocked until the request rate drops below the threshold. The minimum threshold for rate-based rules is **2000 requests**. + +### Managed Rules + +AWS WAF offers pre-configured, managed rule sets that are maintained by AWS and AWS Marketplace sellers. These rule sets provide protection against common threats and are regularly updated to address new vulnerabilities. + +### IP Set + +An IP Set is a list of IP addresses or IP address ranges that you want to allow or block. IP sets simplify the process of managing IP-based rules. + +### Regex Pattern Set + +A Regex Pattern Set contains one or more regular expressions (regex) that define patterns to search for in web requests. This is useful for more complex matching scenarios, such as filtering specific sequences of characters. + +### Lock Token + +A Lock Token is used for concurrency control when making updates to WAF resources. It ensures that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously. + +### API Keys + +API Keys in AWS WAF are used to authenticate requests to certain API operations. These keys are encrypted and managed securely to control access and ensure that only authorized users can make changes to WAF configurations. + +- **Example**: Integration of the CAPTCHA API. + +### Permission Policy + +A Permission Policy is an IAM policy that specifies who can perform actions on AWS WAF resources. By defining permissions, you can control access to WAF resources and ensure that only authorized users can create, update, or delete configurations. + +### Scope + +The scope parameter in AWS WAF specifies whether the WAF rules and configurations apply to a regional application or an Amazon CloudFront distribution. 
+ +- **REGIONAL**: Applies to regional services such as Application Load Balancers (ALB), Amazon API Gateway REST API, AWS AppSync GraphQL API, Amazon Cognito user pool, AWS App Runner service and AWS Verified Access instance. You specify the AWS region where these resources are located. +- **CLOUDFRONT**: Applies to Amazon CloudFront distributions, which are global. WAF configurations for CloudFront are managed through the `us-east-1` region regardless of where the content is served. + +## Key features + +### Monitoring Criteria (Conditions) + +**Conditions** specify the elements of incoming HTTP/HTTPS requests that AWS WAF monitors, which include XSS, geographical location (GEO), IP addresses, Size constraints, SQL Injection, and patterns (strings and regex matching). It's important to note that **requests restricted at the CloudFront level based on country won't reach WAF**. Each AWS account can configure: + - **100 conditions** for each type (except for Regex, where only **10 conditions** are allowed, but this limit can be increased). - **100 rules** and **50 Web ACLs**. - A maximum of **5 rate-based rules**. - A throughput of **10,000 requests per second** when WAF is implemented with an application load balancer. -## Rule Configuration - -Rules are crafted using the specified conditions. For instance, a rule might block a request if it meets 2 specific conditions. There are two types of rules: +### Rule actions -1. **Regular Rule**: Standard rule based on specified conditions. -2. **Rate-Based Rule**: Counts requests from a specific IP address over a five-minute period. Here, users define a threshold, and if the number of requests from an IP exceeds this limit within five minutes, subsequent requests from that IP are blocked until the request rate drops below the threshold. The minimum threshold for rate-based rules is **2000 requests**. 
- -## Actions - -Actions are assigned to each rule, with options being **Allow**, **Block**, or **Count**: +Actions are assigned to each rule, with options being: - **Allow**: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer. - **Block**: The request is terminated immediately. - **Count**: Tallies the requests meeting the rule's conditions. This is useful for rule testing, confirming the rule's accuracy before setting it to Allow or Block. +- **CAPTCHA and Challenge:** It is verified that the request does not come from a bot using CAPTCHA puzzles and silent challenges. If a request doesn't match any rule within the Web ACL, it undergoes the **default action** (Allow or Block). The order of rule execution, defined within a Web ACL, is crucial and typically follows this sequence: 
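Review bot: the `### API Keys` paragraph in this hunk says the keys "are used to authenticate requests to certain API operations", which conflicts with the only use the section itself gives them (the "Integration of the CAPTCHA API" bullet) and with the rest of the page, where control-plane access is governed by IAM (`wafv2:*` actions and the Permission Policy section). Suggest rewording along the lines of "API keys are generated by AWS WAF for the client-side CAPTCHA and Challenge integration; they are not IAM credentials and do not authorise `wafv2` API calls." Two smaller points in the same hunk: the new `CAPTCHA and Challenge` bullet reads awkwardly ("It is verified that the request does not come from a bot using CAPTCHA puzzles and silent challenges"); "Verifies that the client is not a bot by serving a CAPTCHA puzzle or a silent browser challenge" is clearer. And the rate-based rule text moved under `### Rule` still carries the "minimum threshold ... **2000 requests**" sentence from the removed section; since everything around it was rewritten for wafv2, that figure is worth re-checking against the current AWS WAF quotas before it is kept.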
@@ -49,35 +98,103 @@ If a request doesn't match any rule within the Web ACL, it undergoes the **defau 2. Block Blacklisted IPs. 3. Block requests matching any detrimental signatures. -## CloudWatch Integration +### CloudWatch Integration AWS WAF integrates with CloudWatch for monitoring, offering metrics like AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests. These metrics are reported every minute by default and retained for a period of two weeks. - ## Enumeration -scope can also be CLOUDFRONT, but when checking for a WAF not related to CLoudfront you need to use REGIONAL. +In order to interact with CloudFront distributions, you must specify the Region US East (N. Virginia): -``` -# Get web acls -aws wafv2 list-web-acls --scope REGIONAL -aws wafv2 get-web-acl --scope REGIONAL --name --id -aws wafv2 list-resources-for-web-acl --web-acl-arn #Resources associated with the ACL -aws wafv2 get-web-acl-for-resource --resource-arn # Get web acl of the resource +- CLI - Specify the Region US East when you use the CloudFront scope: `--scope CLOUDFRONT --region=us-east-1` . +- API and SDKs - For all calls, use the Region endpoint us-east-1. 
+ +In order to interact with regional services, you should specify the region: + +- Example with the region Europe (Spain): `--scope REGIONAL --region=eu-south-2` + +```bash +# Web ACLs # + +## Retrieve a list of web access control lists (Web ACLs) available in your AWS account +aws wafv2 list-web-acls --scope | CLOUDFRONT --region=us-east-1> +## Retrieve details about the specified Web ACL +aws wafv2 get-web-acl --name --id --scope | CLOUDFRONT --region=us-east-1> + +## Retrieve a list of resources associated with a specific web access control list (Web ACL) +aws wafv2 list-resources-for-web-acl --web-acl-arn # Additional permissions needed depending on the protected resource type: cognito-idp:ListResourcesForWebACL, ec2:DescribeVerifiedAccessInstanceWebAclAssociations or apprunner:ListAssociatedServicesForWebAcl +## Retrieve the Web ACL associated with the specified AWS resource +aws wafv2 get-web-acl-for-resource --resource-arn # Additional permissions needed depending on the protected resource type: cognito-idp:GetWebACLForResource, ec2:GetVerifiedAccessInstanceWebAcl, wafv2:GetWebACL or apprunner:DescribeWebAclForService + +# Rule groups # + +## List of the rule groups available in your AWS account +aws wafv2 list-rule-groups --scope | CLOUDFRONT --region=us-east-1> +## Retrieve the details of a specific rule group +aws wafv2 get-rule-group [--name ] [--id ] [--arn ] [--scope | CLOUDFRONT --region=us-east-1>] +## Retrieve the IAM policy attached to the specified rule group +aws wafv2 get-permission-policy --resource-arn # Just the owner of the Rule Group can do this operation + +# Managed rule groups (by AWS or by a third-party) # + +## List the managed rule groups that are available +aws wafv2 list-available-managed-rule-groups --scope | CLOUDFRONT --region=us-east-1> +## List the available versions of the specified managed rule group +aws wafv2 list-available-managed-rule-group-versions --vendor-name --name --scope | CLOUDFRONT --region=us-east-1> +## 
Retrieve high-level information about a specific managed rule group +aws wafv2 describe-managed-rule-group --vendor-name --name --scope | CLOUDFRONT --region=us-east-1> [--version-name ] +## Retrieve high-level information about all managed rule groups +aws wafv2 describe-all-managed-products --scope | CLOUDFRONT --region=us-east-1> +## Retrieve high-level information about all managed rule groups from a specific vendor +aws wafv2 describe-managed-products-by-vendor --vendor-name --scope | CLOUDFRONT --region=us-east-1> + +# IP sets # + +## List the IP sets that are available in your AWS account +aws wafv2 list-ip-sets --scope | CLOUDFRONT --region=us-east-1> +## Retrieve the specific IP set +aws wafv2 get-ip-set --name --id --scope | CLOUDFRONT --region=us-east-1> +## Retrieve the keys that are currently being managed by a rate-based rule. +aws wafv2 get-rate-based-statement-managed-keys --scope | CLOUDFRONT --region=us-east-1>\ + --web-acl-name --web-acl-id --rule-name [--rule-group-rule-name ] + +# Regex pattern sets # -# Rule groups -aws wafv2 list-rule-groups --scope REGIONAL -aws wafv2 get-rule-group --scope REGIONAL --name --id +## List all the regex pattern sets that you manage +aws wafv2 list-regex-pattern-sets --scope | CLOUDFRONT --region=us-east-1> +## Retrieves the specified regex pattern sets +aws wafv2 get-regex-pattern-set --name --id --scope | CLOUDFRONT --region=us-east-1> -# Get IP sets -aws wafv2 list-ip-sets --scope=REGIONAL -aws wafv2 get-ip-set --scope=REGIONAL --name --id +# API Keys # -# Get regex patterns -aws wafv2 list-regex-pattern-sets --scope REGIONAL +## List API keys for the specified scope +aws wafv2 list-api-keys --scope | CLOUDFRONT --region=us-east-1> +## Retrieve decrypted API key +aws wafv2 get-decrypted-api-key --scope | CLOUDFRONT --region=us-east-1> --api-key + +# Logs # + +## List of logging configurations (storage location of the logs) +aws wafv2 list-logging-configurations --scope | CLOUDFRONT --region=us-east-1> 
[--log-scope ] +## Retrieve the logging configuration settings associated with a specific web ACL +aws wafv2 get-logging-configuration --resource-arn [--log-scope ] [--log-type ] + +# Miscelaneous # + +## Retrieve a list of the tags associated to the specified resource +aws wafv2 list-tags-for-resource resource-arn + +## Retrieve a sample of web requests that match a specified rule within a WebACL during a specified time range +aws wafv2 get-sampled-requests --web-acl-arn --rule-metric-name --time-window --max-items <1-500> --scope + +## Obtains the web ACL capacity unit (WCU) requirements for a specified scope and ruleset +aws wafv2 check-capacity --scope | CLOUDFRONT --region=us-east-1> --rules + +## List of available releases for the AWS WAFv2 mobile SDK +aws wafv2 list-mobile-sdk-releases --platform +## Retrieves information for the specified mobile SDK release +aws wafv2 get-mobile-sdk-release --platform --release-version -# Get logging config (buckets storing the logs) -aws wafv2 list-logging-configurations --scope=REGIONAL ``` ## Post Exploitation / Bypass 
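Review bot: in the `# Miscelaneous #` block, `aws wafv2 list-tags-for-resource resource-arn` is missing the option prefix; the CLI parameter is `--resource-arn`, so the command fails as written. In the same block the heading should read `# Miscellaneous #`, and `get-sampled-requests` ends in a bare `--scope` while every other command in this hunk carries the `REGIONAL | CLOUDFRONT --region=us-east-1` placeholder, so align it for consistency. Also, `get-rate-based-statement-managed-keys` operates on a rate-based rule inside a web ACL (it takes `--web-acl-name`, `--web-acl-id` and `--rule-name`), so it belongs under `# Web ACLs #` rather than `# IP sets #`. Minor: "Retrieves the specified regex pattern sets" and "Obtains the web ACL capacity unit" break the imperative style ("Retrieve ...", "Obtain ...") used by the other comments.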
@@ -88,10 +205,285 @@ From an attackers perspective, this service can help the attacker to identify WA However, an attacker could also be interested in disrupting this service so the webs aren't protected by the WAF. {% endhint %} -TODO: PRs are welcome +In many of the Delete and Update operations it would be necessary to provide the **lock token**. This token is used for concurrency control over the resources, ensuring that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously. In order to obtain this token you could perform the correspondent **list** or **get** operations over the specific resource. + +### **`wafv2:CreateRuleGroup`, `wafv2:UpdateRuleGroup`, `wafv2:DeleteRuleGroup`** + +An attacker would be able to compromise the security of the affected resource by: + +- Creating rule groups that could, for instance, block legitimate traffic from legitimate IP addresses, causing a denial of service. +- Updating rule groups, being able to modify its actions for example from **Block** to **Allow**. +- Deleting rule groups that provide critical security measures. 
+ +```bash +# Create Rule Group +aws wafv2 create-rule-group --name --capacity --visibility-config \ +--scope | CLOUDFRONT --region=us-east-1> [--rules ] [--description ] +# Update Rule Group +aws wafv2 update-rule-group --name --id --visibility-config --lock-token \ + --scope | CLOUDFRONT --region=us-east-1> [--rules ] [--description ] +# Delete Rule Group +aws wafv2 delete-rule-group --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> +``` + +The following examples shows a rule group that would block legitimate traffic from specific IP addresses: + +```bash +aws wafv2 create-rule-group --name BlockLegitimateIPsRuleGroup --capacity 1 --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=BlockLegitimateIPsRuleGroup --scope CLOUDFRONT --region us-east-1 --rules file://rule.json +``` + +The **rule.json** file would look like: + +```json +[ + { + "Name":"BlockLegitimateIPsRule", + "Priority":0, + "Statement": { + "IPSetReferenceStatement": { + "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/legitIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" + } + }, + "Action":{ + "Block":{} + }, + "VisibilityConfig":{ + "SampledRequestsEnabled":false, + "CloudWatchMetricsEnabled":false, + "MetricName":"BlockLegitimateIPsRule" + } + } +] +``` + +**Potential Impact**: Unauthorized access, data breaches, and potential DoS attacks. + +### **`wafv2:CreateWebACL`, `wafv2:UpdateWebACL`, `wafv2:DeleteWebACL`** + +With these permissions, an attacker would be able to: + +- Create a new Web ACL, introducing rules that either allow malicious traffic through or block legitimate traffic, effectively rendering the WAF useless or causing a denial of service. +- Update existing Web ACLs, being able to modify rules to permit attacks such as SQL injection or cross-site scripting, which were previously blocked, or disrupt normal traffic flow by blocking valid requests. 
+- Delete a Web ACL, leaving the affected resources entirely unprotected, exposing it to a broad range of web attacks. + +{% hint style="info" %} + +You can only delete the specified **WebACL** if **ManagedByFirewallManager** is false. + +{% endhint %} + +```bash +# Create Web ACL +aws wafv2 create-web-acl --name --default-action --visibility-config \ +--scope | CLOUDFRONT --region=us-east-1> [--rules ] [--captcha-config ] [--description ] +# Update Web ACL +aws wafv2 update-web-acl --name --id --default-action --visibility-config --lock-token \ +--scope | CLOUDFRONT --region=us-east-1> [--rules ] [--captcha-config ] [--description ] +# Delete Web ACL +aws wafv2 delete-web-acl --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> +``` + +The following examples shows how to update a Web ACL to block the legitimate traffic from a specific IP set. If the origin IP does not match any of those IPs, the default action would also be blocking it, causing a DoS. + +**Original Web ACL**: + +```json +{ + "WebACL": { + "Name": "AllowLegitimateIPsWebACL", + "Id": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", + "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", + "DefaultAction": { + "Allow": {} + }, + "Description": "", + "Rules": [ + { + "Name": "AllowLegitimateIPsRule", + "Priority": 0, + "Statement": { + "IPSetReferenceStatement": { + "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" + } + }, + "Action": { + "Allow": {} + }, + "VisibilityConfig": { + "SampledRequestsEnabled": false, + "CloudWatchMetricsEnabled": false, + "MetricName": "AllowLegitimateIPsRule" + } + } + ], + "VisibilityConfig": { + "SampledRequestsEnabled": false, + "CloudWatchMetricsEnabled": false, + "MetricName": "AllowLegitimateIPsWebACL" + }, + "Capacity": 1, + "ManagedByFirewallManager": false, + "LabelNamespace": 
"awswaf:123456789012:webacl:AllowLegitimateIPsWebACL:" + }, + "LockToken": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" +} + +``` + +Command to update the Web ACL: + +```json +aws wafv2 update-web-acl --name AllowLegitimateIPsWebACL --scope REGIONAL --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --default-action Block={} --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=AllowLegitimateIPsWebACL --rules file://rule.json --region us-east-1 +``` + +The **rule.json** file would look like: + +```json +[ + { + "Name": "BlockLegitimateIPsRule", + "Priority": 0, + "Statement": { + "IPSetReferenceStatement": { + "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" + } + }, + "Action": { + "Block": {} + }, + "VisibilityConfig": { + "SampledRequestsEnabled": false, + "CloudWatchMetricsEnabled": false, + "MetricName": "BlockLegitimateIPRule" + } + } +] +``` + +**Potential Impact**: Unauthorized access, data breaches, and potential DoS attacks. + +### **`wafv2:AssociateWebACL`, `wafv2:DisassociateWebACL`** + +The **`wafv2:AssociateWebACL`** permission would allow an attacker to associate web ACLs (Access Control Lists) with resources, being able to bypass security controls, allowing unauthorized traffic to reach the application, potentially leading to exploits like SQL injection or cross-site scripting (XSS). Conversely, with the **`wafv2:DisassociateWebACL`** permission, the attacker could temporarily disable security protections, exposing the resources to vulnerabilities without detection. 
+ +The additional permissions would be needed depending on the protected resource type: + +- **Associate** + - apigateway:SetWebACL + - apprunner:AssociateWebAcl + - appsync:SetWebACL + - cognito-idp:AssociateWebACL + - ec2:AssociateVerifiedAccessInstanceWebAcl + - elasticloadbalancing:SetWebAcl +- **Disassociate** + - apigateway:SetWebACL + - apprunner:DisassociateWebAcl + - appsync:SetWebACL + - cognito-idp:DisassociateWebACL + - ec2:DisassociateVerifiedAccessInstanceWebAcl + - elasticloadbalancing:SetWebAcl + +```bash +# Associate +aws wafv2 associate-web-acl --web-acl-arn --resource-arn +# Disassociate +aws wafv2 disassociate-web-acl --resource-arn +``` + +**Potential Impact**: Compromised resources security, increased risk of exploitation, and potential service disruptions within AWS environments protected by AWS WAF. + +### **`wafv2:CreateIPSet` , `wafv2:UpdateIPSet`, `wafv2:DeleteIPSet`** + +An attacker would be able to create, update and delete the IP sets managed by AWS WAF. This could be dangerous since could create new IP sets to allow malicious traffic, modify IP sets in order to block legitimate traffic, update existing IP sets to include malicious IP addresses, remove trusted IP addresses or delete critical IP sets that are meant to protect critical resources. 
+ +```bash +# Create IP set +aws wafv2 create-ip-set --name --ip-address-version --addresses --scope | CLOUDFRONT --region=us-east-1> +# Update IP set +aws wafv2 update-ip-set --name --id --addresses --lock-token --scope | CLOUDFRONT --region=us-east-1> +# Delete IP set +aws wafv2 delete-ip-set --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> +``` + +The following example shows how to **overwrite the existing IP set by the desired IP set**: + +```bash +aws wafv2 update-ip-set --name LegitimateIPv4Set --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --addresses 99.99.99.99/32 --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --scope CLOUDFRONT --region us-east-1 +``` + +**Potential Impact**: Unauthorized access and block of legitimate traffic. + +### **`wafv2:CreateRegexPatternSet`** , **`wafv2:UpdateRegexPatternSet`**, **`wafv2:DeleteRegexPatternSet`** + +An attacker with these permissions would be able to manipulate the regular expression pattern sets used by AWS WAF to control and filter incoming traffic based on specific patterns. + +- Creating new regex patterns would help an attacker to allow harmful content +- Updating the existing patterns, an attacker would to bypass security rules +- Deleting patterns that are designed to block malicious activities could lead an attacker to the send malicious payloads and bypass the security measures. 
+ +```bash +# Create regex pattern set +aws wafv2 create-regex-pattern-set --name --regular-expression-list --scope | CLOUDFRONT --region=us-east-1> [--description ] +# Update regex pattern set +aws wafv2 update-regex-pattern-set --name --id --regular-expression-list --lock-token --scope | CLOUDFRONT --region=us-east-1> +# Delete regex pattern set +aws wafv2 delete-regex-pattern-set --name --scope | CLOUDFRONT --region=us-east-1> --id --lock-token +``` + +**Potential Impact**: Bypass security controls, allowing malicious content and potentially exposing sensitive data or disrupting services and resources protected by AWS WAF. + +### **(`wavf2:PutLoggingConfiguration` &** `iam:CreateServiceLinkedRole`), **`wafv2:DeleteLoggingConfiguration`** + +An attacker with the **`wafv2:DeleteLoggingConfiguration`** would be able to remove the logging configuration from the specified Web ACL. Subsequently, with the **`wavf2:PutLoggingConfiguration`** and **`iam:CreateServiceLinkedRole`** permissions, an attacker could create or replace logging configurations (after having deleted it) to either prevent logging altogether or redirect logs to unauthorized destinations, such as Amazon S3 buckets, Amazon CloudWatch Logs log group or an Amazon Kinesis Data Firehose under control. + +During the creation process, the service automatically sets up the necessary permissions to allow logs to be written to the specified logging destination: + +- **Amazon CloudWatch Logs:** AWS WAF creates a resource policy on the designated CloudWatch Logs log group. This policy ensures that AWS WAF has the permissions required to write logs to the log group. +- **Amazon S3 Bucket:** AWS WAF creates a bucket policy on the designated S3 bucket. This policy grants AWS WAF the permissions necessary to upload logs to the specified bucket. +- **Amazon Kinesis Data Firehose:** AWS WAF creates a service-linked role specifically for interacting with Kinesis Data Firehose. 
This role allows AWS WAF to deliver logs to the configured Firehose stream. + +{% hint style="info" %} + +It is possible to define only one logging destination per web ACL. + +{% endhint %} + +```bash +# Put logging configuration +aws wafv2 put-logging-configuration --logging-configuration +# Delete logging configuration +aws wafv2 delete-logging-configuration --resource-arn [--log-scope ] [--log-type ] +``` + +**Potential Impact:** Obscure visibility into security events, difficult the incident response process, and facilitate covert malicious activities within AWS WAF-protected environments. + +### **`wafv2:DeleteAPIKey`** + +An attacker with this permissions would be able to delete existing API keys, rendering the CAPTCHA ineffective and disrupting the functionality that relies on it, such as form submissions and access controls. Depending on the implementation of this CAPTCHA, this could lead either to a CAPTCHA bypass or to a DoS if the error management is not properly set in the resource. + +```bash +# Delete API key +aws wafv2 delete-api-key --api-key --scope | CLOUDFRONT --region=us-east-1> +``` + +**Potential Impact**: Disable CAPTCHA protections or disrupt application functionality, leading to security breaches and potential data theft. + +### **`wafv2:TagResource`, `wafv2:UntagResource`** + +An attacker would be able to add, modify, or remove tags from AWS WAFv2 resources, such as Web ACLs, rule groups, IP sets, regex pattern sets, and logging configurations. + +```bash +# Tag +aws wafv2 tag-resource --resource-arn --tags +# Untag +aws wafv2 untag-resource --resource-arn --tag-keys +``` + +**Potential Impact**: Resource tampering, information leakage, cost manipulation and operational disruption. # References -* https://www.citrusconsulting.com/aws-web-application-firewall-waf/#:~:text=Conditions%20allow%20you%20to%20specify,user%20via%20a%20web%20application. 
+* [https://www.citrusconsulting.com/aws-web-application-firewall-waf/#:~:text=Conditions%20allow%20you%20to%20specify,user%20via%20a%20web%20application](https://www.citrusconsulting.com/aws-web-application-firewall-waf/#:~:text=Conditions%20allow%20you%20to%20specify,user%20via%20a%20web%20application) +* [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html)
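Review bot: the logging section in this hunk spells the permission `wavf2:PutLoggingConfiguration`, both in the `###` heading and in the paragraph below it; the IAM action prefix is `wafv2:`, as every other heading here uses, so a reader copying it into a policy or a CloudTrail search would match nothing. Also in this hunk: the block under "Command to update the Web ACL:" is fenced with the `json` tag but contains a shell command, so it should be tagged `bash` like the neighbouring command blocks; in the second `rule.json` the rule is named `BlockLegitimateIPsRule` but its `MetricName` is `BlockLegitimateIPRule`, and the two should match since the metric name is what CloudWatch and `get-sampled-requests --rule-metric-name` key on. Grammar: "The following examples shows" (twice) should be "The following example shows"; "Updating the existing patterns, an attacker would to bypass" is missing "be able"; "An attacker with this permissions" should be "this permission"; "difficult the incident response process" should be "hinder the incident response process"; "correspondent **list** or **get** operations" should be "corresponding".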