jdl
December 10, 2021, 5:01pm
We are working through migration to Cloudflare from Azure Front Door and one of the pain points we had with AFD was how exceptions could be configured against cookies. Specifically, the exception could be written against a cookie name but the exception was for the cookie’s value, not the name of the cookie itself. The link below explains it fairly well but essentially there are nonce cookies that can trigger overly sensitive rules (i.e. contain --) and the algorithms that generate these names are not going to change. It is desirable to not disable the rules globally but I am having trouble finding an example of how to exempt a cookie with a certain prefix (i.e. starts with “OpenIdConnect”) whose full name violates any number of OWASP rules.
Example: OpenIdConnect.Nonce.<String That Violates Rules(s) Here>
Does anyone have an example of what the rule would look like?
opened 10:29AM - 12 Dec 18 UTC
closed 10:15PM - 26 Apr 19 UTC
area-security
The default implementation of Open Id Connect uses a Data Protection Provider that generates strings that fall foul of a Web Application Firewall implementing the OWASP rule set's SQL Injection checking. For example, a Nonce cookie is created where the name of the cookie has `Options.StringDataFormat.Protect(nonce)` appended. This means the cookie often has the string "--" somewhere within it. This then gets picked up as a potential SQL Comment Sequence and blocked. I have also seen the SQL Hex Encoding rule triggered.
Other places I have seen the issue:
* Contents of the Authentication Cookie
* Contents of the Anti Forgery Cookie
* Contents of the Anti Forgery request verification token form data
For my WAF I am using the Azure Application Gateway Web Application Firewall. I can configure its Exclusion rules to mitigate against these last three instances of the issue. However, Exclusions are only available in "Preview" of the WAF so should not be used in production. Also, they don't help with the Nonce issue as the exclusion rules only exclude the checking of a cookie's value, not of its name!
My only alternative is to turn off the checks for SQL Injection... however since that is considered the most common attack vector it seems to go against the point of using a WAF!
### To Reproduce
Steps to reproduce the behavior:
1. Create an ASP.Net Core web application and use an Identity Server for authentication (using the code id_token flow)
2. Host the application behind Azure Application Gateway
3. Turn on WAF in the Application Gateway, enabling the Firewall, setting the Firewall mode to Prevention and use the OWASP 3.0 rule set
4. Repeatedly log in and log out of the application
### Expected behavior
I would expect the log in and log out to always succeed, however perhaps 1 in 5 / 1 in 10 attempts to log in will fail with a 403 returned by the Application Gateway.
### Additional context
Using the Preview exclusion feature I have added the following exclusions to the WAF on the Application Gateway:
Field | Operator | Selector
------|----------|---------
Request attribute name | Equals | id_token
Request attribute name | Equals | state
Request cookie name | starts with | .AspNetCore.OpenIdConnect.Nonce.
Request cookie name | starts with | .AspNetCore.Correlation.oidc.
Request cookie name | starts with | .AspNetCore.Cookies
Request cookie name | starts with | ABC.AuthCookie
Request cookie name | starts with | .AspNetCore.Antiforgery.
Request attribute name | starts with | __RequestVerificationToken
But as I said above, Exclusions should not be used in production and they do not fix issues with the names of cookies containing character sequences that trigger SQL Injection rules.
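Added example, not from the post or the linked issue: a small Python model of the two exclusion semantics the post contrasts. A value-only exclusion (the AFD/Application Gateway behaviour described above) still blocks a nonce cookie whose *name* carries `--`, while a name-and-value exclusion lets it through and still inspects every other cookie. The Cookie header and the `--`/`/*` check are constructed stand-ins; the prefixes come from the exclusion table above.

```python
"""Toy model of WAF cookie exclusions: value-only vs name-and-value."""

# Constructed Cookie header for illustration (not from the page). The first
# cookie's name carries a "--" sequence, as the nonce cookies described above do.
SAMPLE_COOKIE_HEADER = (
    ".AspNetCore.OpenIdConnect.Nonce.CfDJ8--Qx0abc=N; "
    "session=abc123; "
    "tracker=1 OR 1=1 --"
)

# Name prefixes taken from the exclusion table in the post.
NAME_PREFIX_EXCLUSIONS = (
    ".AspNetCore.OpenIdConnect.Nonce.",
    ".AspNetCore.Correlation.oidc.",
)


def parse_cookies(header):
    """Split a Cookie request header into (name, value) pairs."""
    pairs = []
    for item in header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def sql_comment_sequence(text):
    """Constructed stand-in for the OWASP SQL comment sequence check."""
    return "--" in text or "/*" in text


def is_excluded(name, prefixes):
    """True when the cookie name matches one of the 'starts with' exclusions."""
    return any(name.startswith(p) for p in prefixes)


def inspect_cookies(header, prefixes, exclude_names=False):
    """Return (location, cookie name) pairs the toy rule would block.

    exclude_names=False skips only the excluded cookie's value (the behaviour
    the post complains about); True also skips inspection of its name.
    """
    findings = []
    for name, value in parse_cookies(header):
        excluded = is_excluded(name, prefixes)
        if sql_comment_sequence(name) and not (excluded and exclude_names):
            findings.append(("name", name))
        if sql_comment_sequence(value) and not excluded:
            findings.append(("value", name))
    return findings
```

With value-only exclusions the nonce cookie name is still reported; with name-and-value exclusions only the `tracker` cookie's value is, so the exclusion does not silence the rule for unrelated cookies.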
system
Closed
December 25, 2021, 5:02pm
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.