Permissive Web ACL Default Action
- Query id: 6d64f311-3da6-45f3-80f1-14db9771ea40
- Query name: Permissive Web ACL Default Action
- Platform: CloudFormation
- Severity: High
- Category: Insecure Defaults
- URL: Github
Description
A WebACL's DefaultAction should not be ALLOW. The default action is applied to every request that matches none of the ACL's rules, so an ALLOW default lets all unmatched traffic through; it should be BLOCK so that only traffic explicitly permitted by a rule reaches the protected resource.
Documentation
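The check this query performs, written here as an added Python example (it is not KICS code and not part of the original page): walk the parsed template's Resources and report every WebACL whose DefaultAction lets unmatched requests through. The embedded template is a constructed sample trimmed from the positive JSON test on this page; the handling of AWS::WAFRegional::WebACL and of the AWS::WAFv2::WebACL Allow/Block shape is an extension beyond the page's classic-WAF samples.

```python
import json

# Constructed sample: the page's positive JSON test, trimmed, plus one compliant ACL.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MyWebACL": {
      "Type": "AWS::WAF::WebACL",
      "Properties": {"Name": "WebACL to with three rules",
                     "DefaultAction": {"Type": "ALLOW"},
                     "MetricName": "MyWebACL", "Rules": []}
    },
    "SafeACL": {
      "Type": "AWS::WAF::WebACL",
      "Properties": {"Name": "WebACL with block default",
                     "DefaultAction": {"Type": "BLOCK"},
                     "MetricName": "SafeACL", "Rules": []}
    }
  }
}
""")

# Classic WAF and WAF Regional share the DefaultAction: {Type: ALLOW|BLOCK} shape.
CLASSIC_WAF_TYPES = {"AWS::WAF::WebACL", "AWS::WAFRegional::WebACL"}


def default_action_is_allow(resource: dict) -> bool:
    """True when a WebACL resource lets requests matching no rule through."""
    props = resource.get("Properties") or {}
    default = props.get("DefaultAction")
    if not isinstance(default, dict):
        # A missing DefaultAction fails template validation; it is not an ALLOW.
        return False
    rtype = resource.get("Type")
    if rtype in CLASSIC_WAF_TYPES:
        return str(default.get("Type", "")).upper() == "ALLOW"
    if rtype == "AWS::WAFv2::WebACL":
        # WAFv2 expresses the default as a key: DefaultAction: {Allow: {}} or {Block: {}}.
        return "Allow" in default
    return False


def find_permissive_web_acls(template: dict) -> list:
    """Logical ids of WebACLs in a parsed CloudFormation template whose default is ALLOW."""
    resources = template.get("Resources") or {}
    return sorted(name for name, res in resources.items()
                  if isinstance(res, dict) and default_action_is_allow(res))


if __name__ == "__main__":
    for acl in find_permissive_web_acls(SAMPLE_TEMPLATE):
        print(f"{acl}: DefaultAction is ALLOW; set DefaultAction.Type to BLOCK")
```

For YAML templates, load the file with a YAML parser that tolerates CloudFormation's `!Ref`-style tags and pass the resulting dict to `find_permissive_web_acls`.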
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
Resources:
  MyWebACL:
    Type: "AWS::WAF::WebACL"
    Properties:
      Name: "WebACL to with three rules"
      DefaultAction:
        Type: "ALLOW"
      MetricName: "MyWebACL"
      Rules:
        -
          Action:
            Type: "BLOCK"
          Priority: 1
          RuleId:
            Ref: "MyRule"
        -
          Action:
            Type: "BLOCK"
          Priority: 2
          RuleId:
            Ref: "BadReferersRule"
        -
          Action:
            Type: "BLOCK"
          Priority: 3
          RuleId:
            Ref: "SqlInjRule"
Positive test num. 2 - json file
{
  "Resources": {
    "MyWebACL": {
      "Type": "AWS::WAF::WebACL",
      "Properties": {
        "Name": "WebACL to with three rules",
        "DefaultAction": {
          "Type": "ALLOW"
        },
        "MetricName": "MyWebACL",
        "Rules": [
          {
            "Action": {
              "Type": "BLOCK"
            },
            "Priority": 1,
            "RuleId": {
              "Ref": "MyRule"
            }
          },
          {
            "RuleId": {
              "Ref": "BadReferersRule"
            },
            "Action": {
              "Type": "BLOCK"
            },
            "Priority": 2
          },
          {
            "RuleId": {
              "Ref": "SqlInjRule"
            },
            "Action": {
              "Type": "BLOCK"
            },
            "Priority": 3
          }
        ]
      }
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
  MyWebACL:
    Type: "AWS::WAF::WebACL"
    Properties:
      Name: "WebACL to with one rule"
      DefaultAction:
        Type: "BLOCK"
      MetricName: "MyWebACL"
      Rules:
        -
          Action:
            Type: "ALLOW"
          Priority: 1
          RuleId:
            Ref: "MyRule"
Negative test num. 2 - json file
{
  "Resources": {
    "MyWebACL": {
      "Type": "AWS::WAF::WebACL",
      "Properties": {
        "Name": "WebACL to with one rule",
        "DefaultAction": {
          "Type": "BLOCK"
        },
        "MetricName": "MyWebACL",
        "Rules": [
          {
            "Action": {
              "Type": "ALLOW"
            },
            "Priority": 1,
            "RuleId": {
              "Ref": "MyRule"
            }
          }
        ]
      }
    }
  }
}