Hacker News: parts's comments

Agreed. It's not just AWS, however. Azure, Cloudflare, and other WAF providers have a similar trade-off.


Hi, article author here. Cloud Armor will drop requests without regard to the size of the request body for HTTP PUT or PATCH requests (i.e., the payload won't have to be padded with 8192 bytes, like in the case of POST requests). Of course, for an attacker to successfully exploit this, the underlying application would have to be configured to accept and process PUT/PATCH requests.

As for query parameters in GET requests, I'm not entirely sure about Cloud Armor's limits there. I'll check and get back to you.


https://docs.aws.amazon.com/waf/latest/developerguide/limits...

Pad your POST query by 8k and you are through!
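A defender-side counterpart to the 8 KB inspection figure discussed in this thread, added here as an example (not code from the article, from AWS, or from any commenter): an origin-side guard that refuses request bodies larger than the assumed WAF inspection limit, so nothing beyond the scanned prefix reaches the application. The 8192-byte limit, the WSGI deployment and the `check_request`/`wsgi_body_limit` names are assumptions for illustration.

```python
# Added example, not code from the article or any commenter. Assumptions:
# the WAF scans only the first 8192 bytes of a body (the AWS WAF figure in
# the thread) and a body-less request is one with no Content-Length and no
# Transfer-Encoding (the HTTP rule quoted later in the thread).
WAF_INSPECTED_BODY_BYTES = 8192           # assumed WAF inspection limit
BODY_METHODS = {"POST", "PUT", "PATCH"}   # methods whose bodies the app parses


def check_request(method, headers):
    """Decide from method and headers alone whether a request may proceed.

    Returns (allowed, reason). Header names are matched case-insensitively.
    The body is never read here: the decision uses only what the WAF also
    sees up front, so no bytes past the inspected prefix reach the app unscanned.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in BODY_METHODS:
        return True, "no body expected for this method"
    if "transfer-encoding" in h and "content-length" not in h:
        # A chunked body has no declared size, so it cannot be bounded against
        # the inspection limit before it is read; refuse it at the origin.
        return False, "chunked body without Content-Length"
    if "content-length" not in h:
        return True, "no body"
    try:
        length = int(h["content-length"])
    except ValueError:
        length = -1
    if length < 0:
        return False, "malformed Content-Length"
    if length > WAF_INSPECTED_BODY_BYTES:
        return False, f"body of {length} bytes exceeds the {WAF_INSPECTED_BODY_BYTES}-byte inspected prefix"
    return True, "body within inspected size"


def wsgi_body_limit(app):
    """WSGI middleware (assumed deployment) that applies check_request and
    answers 413 before the wrapped application touches the body."""
    def guarded(environ, start_response):
        headers = {}
        if environ.get("CONTENT_LENGTH"):
            headers["Content-Length"] = environ["CONTENT_LENGTH"]
        if environ.get("HTTP_TRANSFER_ENCODING"):   # only if the server exposes it
            headers["Transfer-Encoding"] = environ["HTTP_TRANSFER_ENCODING"]
        allowed, reason = check_request(environ.get("REQUEST_METHOD", "GET"), headers)
        if not allowed:
            start_response("413 Payload Too Large", [("Content-Type", "text/plain")])
            return [reason.encode()]
        return app(environ, start_response)
    return guarded
```

The same limit can be enforced at the WAF itself where the product supports a size constraint on the body, but the origin-side check holds even if the WAF configuration drifts.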


Thank you for the clarification!


If you omit the Content-Length header from an HTTP request, the server will not process the request body.

See: https://reqbin.com/Article/ContentLength

"If the value of the Content-Length header is zero, or if neither the Transfer-Encoding header nor the Content-Length header is specified, then the message has no body."


I like the Raspberry Pi, but I would much rather prefer a NUC (or another small Desktop with a non-ARM processor) for a home setup.


> “The United States is good at protecting the government, OK at protecting corporations, but does not protect individuals.”

> [Dave Aitel] points out that many of the targeted security researchers likely had significant access to software vulnerabilities, enterprise networks, and the code of widely used tools. That could result, he says, in “the next SolarWinds.”

Yikes.

