Link is throwing 403 – Forbidden

Sohaib Asghar
2022-03-27T23:31:04.487+00:00

Following link is throwing 403 – Forbidden

A web application hosted in Azure App Service and protected by Application Gateway is throwing the following error (403 – Forbidden) when we enter this URL in the browser: https://app.mysha.pe/login?state=d:\boot.ini

We noticed this 403 redirection is happening at the Application Gateway level.

We are unable to fix this issue because it is App Gateway default behavior.

As per pen testing, "The website exhibits behavior which hints that there may be an LFI/RFI vulnerability in the code."


2 answers

  1. GitaraniSharma-MSFT, Microsoft Employee Moderator
    2022-05-02T15:09:20.887+00:00

    Hello @Sohaib Asghar ,

    Apologies for the delay in my response.

    I understand that you have a web application hosted in Azure App Service protected by Application Gateway, and it is throwing a 403 error when you enter the following URL in the browser: https://app.mysha.pe/login?state=d:\boot.ini

    Post discussion on this issue, we found that the configuration of Application Gateway v1 is correct and the WAF is preventing the application page access and throwing the 403 error, as you have WAF enabled in "Prevention" mode. You found that the URL is hitting a mandatory rule in WAF, which cannot be disabled, and you need a way forward to fix this issue.

    If you believe that the blocked URL is safe and would like to let it pass through the WAF, you could use an Exclusion list.
    Refer : https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#using-an-exclusion-list
    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration

    Example 2 from the below doc matches your scenario:
    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration#example-2
    So, you could set up an exclusion list as shown in the above example, replacing the values with your own, and the WAF won't evaluate the string d:\boot.ini, but it will still evaluate the parameter name state.

    To add an exclusion, you need to create a WAF policy and associate it with your Application gateway.
    Refer : https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview

    You can also set the exclusion via the Azure portal in your WAF policy.

    Kindly let us know if the above helps or you need further assistance on this issue.

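The answer above says that an exclusion of the form RequestArgNames / Equals / state stops the WAF from inspecting the value of `state` but still inspects the parameter name, and that the exclusion is attached to a WAF policy. The following is an added example, not code from the thread or from Microsoft: a small Python model of that exclusion scope, so you can see before committing the change which parts of a request the exclusion actually takes out of inspection. The detection pattern `OS_FILE_ACCESS` is a constructed stand-in for the managed rule the page's URL trips, not the real rule text, and only query-string arguments are modelled. The `az` command in `az_cli_command` is assumed from the Azure CLI reference for `az network application-gateway waf-policy managed-rule exclusion add`; check it against your CLI version.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed stand-in for the "OS file access" style check that blocks the
# page's URL. NOT the actual managed-rule regex; it is here only so the model
# has something to trigger on.
OS_FILE_ACCESS = re.compile(r"(?i)(boot\.ini|/etc/passwd|\.\./|\\\.\.)")

# The exclusion from the answer's "Example 2", in the same field names the WAF
# policy resource uses (matchVariable / selectorMatchOperator / selector).
STATE_VALUE_EXCLUSION = {
    "matchVariable": "RequestArgNames",
    "selectorMatchOperator": "Equals",
    "selector": "state",
}


def matches_selector(operator, selector, name):
    """Apply one Azure selectorMatchOperator to a request-argument name."""
    op = operator.lower()
    if op == "equals":
        return name == selector
    if op == "equalsany":       # selector is ignored: every name matches
        return True
    if op == "startswith":
        return name.startswith(selector)
    if op == "endswith":
        return name.endswith(selector)
    if op == "contains":
        return selector in name
    raise ValueError(f"unknown operator {operator!r}")


def evaluate_request(url, exclusions=()):
    """Return (blocked, reasons) for a URL under a list of exclusions.

    Only RequestArgNames exclusions are modelled. For that match variable the
    documented behaviour is: the argument NAME is always inspected, and only
    the VALUE of a matching argument is skipped.
    """
    parts = urlsplit(url)
    args = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    for name, value in args:
        value_excluded = any(
            e["matchVariable"] == "RequestArgNames"
            and matches_selector(e["selectorMatchOperator"], e["selector"], name)
            for e in exclusions
        )
        if OS_FILE_ACCESS.search(name):
            reasons.append(f"argument name {name!r}")
        if not value_excluded and OS_FILE_ACCESS.search(value):
            reasons.append(f"value of argument {name!r}")
    return bool(reasons), reasons


def az_cli_command(exclusion, policy_name, resource_group):
    """Build the Azure CLI call that adds this exclusion to a WAF policy.

    Assumed command shape (from the az CLI reference for
    'waf-policy managed-rule exclusion add'); verify before use.
    """
    return (
        "az network application-gateway waf-policy managed-rule exclusion add "
        f"--policy-name {policy_name} --resource-group {resource_group} "
        f"--match-variable {exclusion['matchVariable']} "
        f"--selector-match-operator {exclusion['selectorMatchOperator']} "
        f"--selector {exclusion['selector']}"
    )


if __name__ == "__main__":
    # Constructed request URLs: the one from the question plus two variants
    # that show what the exclusion does NOT cover.
    urls = [
        "https://app.mysha.pe/login?state=d:\\boot.ini",           # value of state
        "https://app.mysha.pe/login?state=ok&next=d:\\boot.ini",   # other argument
        "https://app.mysha.pe/login?d:\\boot.ini=1",               # argument name
    ]
    for u in urls:
        print(u)
        print("  no exclusion :", evaluate_request(u))
        print("  with exclusion:", evaluate_request(u, [STATE_VALUE_EXCLUSION]))
    print(az_cli_command(STATE_VALUE_EXCLUSION, "myWafPolicy", "myResourceGroup"))
```

Running it shows the narrow effect of the exclusion: the question's URL goes from blocked to allowed, while the same payload in a different parameter, or used as a parameter name, is still blocked. That is the trade-off to weigh before adding the exclusion in a policy that sits in Prevention mode.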

  2. Anji Keesari
    2022-06-26T18:15:11.333+00:00

    Hello GitaraniSharmaMSFT-4262,

    Thanks for the details. We believe that the blocked URL is not safe, therefore we can't put it in the exclusion list. But our pen testing team reported showing a 403 here as a security vulnerability. Can you please confirm from Microsoft that throwing a 403 in this case is the correct way and it is not any security risk, so that we can pass your information to our pen testing team.

    Thanks
    Anji
