Permissive Web ACL Default Action

  • Query id: 6d64f311-3da6-45f3-80f1-14db9771ea40
  • Query name: Permissive Web ACL Default Action
  • Platform: CloudFormation
  • Severity: High
  • Category: Insecure Defaults
  • CWE: 284
  • URL: Github

Description

WebAcl DefaultAction should not be ALLOW
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
Resources:
  MyWebACL:
    Type: "AWS::WAF::WebACL"
    Properties:
      Name: "WebACL to with three rules"
      DefaultAction:
        Type: "ALLOW"
      MetricName: "MyWebACL"
      Rules:
        -
          Action:
            Type: "BLOCK"
          Priority: 1
          RuleId:
            Ref: "MyRule"
        -
          Action:
            Type: "BLOCK"
          Priority: 2
          RuleId:
            Ref: "BadReferersRule"
        -
          Action:
            Type: "BLOCK"
          Priority: 3
          RuleId:
            Ref: "SqlInjRule"
Positive test num. 2 - json file
{
  "Resources": {
    "MyWebACL": {
      "Type": "AWS::WAF::WebACL",
      "Properties": {
        "Name": "WebACL to with three rules",
        "DefaultAction": {
          "Type": "ALLOW"
        },
        "MetricName": "MyWebACL",
        "Rules": [
          {
            "Action": {
              "Type": "BLOCK"
            },
            "Priority": 1,
            "RuleId": {
              "Ref": "MyRule"
            }
          },
          {
            "RuleId": {
              "Ref": "BadReferersRule"
            },
            "Action": {
              "Type": "BLOCK"
            },
            "Priority": 2
          },
          {
            "RuleId": {
              "Ref": "SqlInjRule"
            },
            "Action": {
              "Type": "BLOCK"
            },
            "Priority": 3
          }
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
  MyWebACL:
    Type: "AWS::WAF::WebACL"
    Properties:
      Name: "WebACL to with one rule"
      DefaultAction:
        Type: "BLOCK"
      MetricName: "MyWebACL"
      Rules:
        -
          Action:
            Type: "ALLOW"
          Priority: 1
          RuleId:
            Ref: "MyRule"
Negative test num. 2 - json file
{
  "Resources": {
    "MyWebACL": {
      "Type": "AWS::WAF::WebACL",
      "Properties": {
        "Name": "WebACL to with one rule",
        "DefaultAction": {
          "Type": "BLOCK"
        },
        "MetricName": "MyWebACL",
        "Rules": [
          {
            "Action": {
              "Type": "ALLOW"
            },
            "Priority": 1,
            "RuleId": {
              "Ref": "MyRule"
            }
          }
        ]
      }
    }
  }
}