by trulyme 1558 days ago
Why only POST? Query params can be "hidden" in a similar way too, is there a reason GET requests are not vulnerable? URL length limit maybe?
4 comments

Hi, article author here. Cloud Armor will drop requests without regard to the size of the request body for HTTP PUT or PATCH requests (i.e., the payload won't have to be padded with 8192 bytes, like in the case of POST requests). Of course, for an attacker to successfully exploit this, the underlying application would have to be configured to accept and process PUT/PATCH requests.

As for query parameters in GET requests, I'm not entirely sure about Cloud Armor's limits there. I'll check and get back to you.
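The padding bypass described in the thread, as an added example that is not part of the original article or any commenter's code: it models a WAF that only matches signatures against the first 8192 bytes of a POST body (the limit quoted above), shows the padded form body slipping past it, and contrasts that with a fail-closed variant that rejects any body larger than it can inspect. The inspection limit, the two toy signatures, the parameter names `pad` and `q`, and the attack string are all constructed for illustration; the PUT/PATCH behaviour the author mentions is not modelled.

```python
"""Simulated WAF body inspection with an 8192-byte window (constructed
example, not Cloud Armor's real rule set)."""

import re
from urllib.parse import unquote_plus, urlencode

INSPECT_LIMIT = 8192  # bytes the simulated WAF scans, as quoted in the thread

# Two deliberately simple signatures: one SQLi pattern, one XSS pattern.
SIGNATURES = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"<script\b", re.I),
]


def _decoded(raw: bytes) -> str:
    """URL-decode a (possibly truncated) form body before matching, as a
    WAF would. unquote_plus leaves a cut-off %xx escape untouched."""
    return unquote_plus(raw.decode("latin-1"))


def waf_inspect_prefix_only(body: bytes) -> bool:
    """Return True if blocked. Only the first INSPECT_LIMIT bytes are
    scanned; anything after the window passes through uninspected."""
    window = body[:INSPECT_LIMIT]
    return any(sig.search(_decoded(window)) for sig in SIGNATURES)


def waf_inspect_fail_closed(body: bytes) -> bool:
    """Return True if blocked. Same signatures, but a body that exceeds
    the inspectable window is rejected outright, so padding cannot push
    an attack past the scanner."""
    if len(body) > INSPECT_LIMIT:
        return True
    return any(sig.search(_decoded(body)) for sig in SIGNATURES)


def build_plain_post_body(attack_value: str) -> bytes:
    """application/x-www-form-urlencoded body with the attack in 'q'."""
    return urlencode({"q": attack_value}).encode()


def build_padded_post_body(attack_value: str, pad_len: int = INSPECT_LIMIT) -> bytes:
    """The bypass from the thread: a harmless 'pad' parameter carrying
    pad_len filler bytes comes first, so the real 'q' parameter starts
    beyond the inspection window. Parameter names are hypothetical."""
    return urlencode({"pad": "A" * pad_len, "q": attack_value}).encode()


if __name__ == "__main__":
    attack = "' UNION SELECT username, password FROM users--"
    plain = build_plain_post_body(attack)
    padded = build_padded_post_body(attack)
    print("plain body, prefix-only WAF blocks:   ", waf_inspect_prefix_only(plain))
    print("padded body, prefix-only WAF blocks:  ", waf_inspect_prefix_only(padded))
    print("padded body, fail-closed WAF blocks:  ", waf_inspect_fail_closed(padded))
```

The check a practitioner wants here is the fail-closed one: if the WAF (or a reverse proxy in front of it) cannot inspect the whole body, the request is rejected or the body size is capped at the application layer, rather than letting the uninspected remainder reach the backend.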

https://docs.aws.amazon.com/waf/latest/developerguide/limits...

Pad your POST query by 8k and you are through!

Thank you for the clarification!
GET doesn’t typically have a body, and many services ignore it even if you include one. An API I once worked on simply truncated the body of all GET requests at the front door, because we knew we’d never use it. Less to worry about.
Sorry if I wasn't clear enough, I was talking about query params in the URL, not request body.
Typically query string sizes are limited to 2K.
This limit is often on the client side though, so it pays to check how this particular API does it.
I guess this limitation is on the size of the request body and including that doesn’t make sense for GET requests?