Piercing the Cloud Armor – The 8KB Bypass in Google Cloud Platform WAF

[flightofthefox]

Solution seems funky. Attackers could just omit the Content-Length header

[parts]

If you omit the Content-Length header from an HTTP request, the server will not process the request body.

See: https://reqbin.com/Article/ContentLength

"If the value of the Content-Length header is zero, or if neither the Transfer-Encoding header nor the Content-Length header is specified, then the message has no body. "

[ypeter]

Maybe Cloud Armor calculates en sets it?