How to handle file upload in SOAP service with WAF in Application Gateway

JorneS 201 Reputation points
2023-02-07T07:01:46.13+00:00

Hi there!

My team is managing a SOAP service. This service expects a file to be uploaded as inline data. My organization has set the focus on improving security, so I now have to set up an Application Gateway with a WAF in front of my SOAP service.

The thing is that the WAF has a request body limit of 128KB. The files that are being uploaded are larger than 2 MB.

It is possible to change the service to support SOAP MTOM, which is what I think is the current idea for supporting file uploads. But this request doesn't go through the WAF because the Content-Type is set to multipart/related and the WAF expects multipart/form-data.

This is an example request I made with SOAPUI to a test service; this request is blocked by the WAF because it is too large:

POST http://localhost:62031/Service.svc/ServiceBasic HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: multipart/related; type="application/xop+xml"; start="<******@soapui.org>"; start-info="text/xml"; boundary="----=_Part_2_337329933.1674474754531"
SOAPAction: "http://tempuri.org/IService/ComplexData"
MIME-Version: 1.0
Content-Length: 1015
Host: localhost:62031
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.5 (Java/16.0.1)


------=_Part_2_337329933.1674474754531
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-Transfer-Encoding: 8bit
Content-ID: <******@soapui.org>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
   <soapenv:Header/>
   <soapenv:Body>
      <tem:ComplexData>
         <!--Optional:-->
         <tem:copmlexType>
            <!--Optional:-->
            <tem:Name>?</tem:Name>
            <!--Optional:-->
            <tem:Contents><inc:Include href="cid:SampleJPGImage_5mbmb.jpg" xmlns:inc="http://www.w3.org/2004/08/xop/include"/></tem:Contents>
         </tem:copmlexType>
      </tem:ComplexData>
   </soapenv:Body>
</soapenv:Envelope>
------=_Part_2_337329933.1674474754531
Content-Type: application/octet-stream; name=SampleJPGImage_5mbmb.jp
Content-Transfer-Encoding: binary
Content-ID: <SampleJPGImage_5mbmb.jp>
Content-Disposition: attachment; name="SampleJPGImage_5mbmb.jp"; filename="SampleJPGImage_5mbmb.jp"

Of course, my team can change the service to a REST service with file upload, but it costs my team quite some time to change everything. Also, a consuming party of the service is already loaded with too much work, so they cannot handle a change like this.

What is Microsoft's idea for handling this situation, i.e. that the WAF blocks (normal) SOAP requests with MTOM file upload?

Thanks.


Accepted answer
    GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2023-02-07T11:32:05.8933333+00:00

    Hello @JorneS ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have set up an Azure Application Gateway with WAF in front of your SOAP service and the files that are being uploaded are larger than 2 MB, but your WAF has a request body limit of 128 KB, so the requests are blocked by the WAF because they are too large, and you would like to know how to handle this issue.

    You can use the new WAF engine, which is a high-performance, scalable Microsoft proprietary engine and has significant improvements over the previous WAF engine. The new engine, released with CRS 3.2, provides the following benefits:

    • Increased request body size limit to 2 MB
    • Increased file upload limit to 4 GB

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/waf-engine

    https://learn.microsoft.com/en-us/answers/questions/769922/how-do-i-increase-the-request-body-size-of-applica

    The Content-Types allowed by the CRS 3.2 WAF engine are:

    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'"

    Refer: https://github.com/coreruleset/coreruleset/blob/v3.2.0/rules/REQUEST-901-INITIALIZATION.conf#L165

    But as you mentioned, only requests with Content-Type of multipart/form-data are considered for file uploads. For content to be considered as a file upload, it has to be a part of a multipart form with a filename header. For all other content types, the request body size limit applies. So, if your Content-Type is set to anything else apart from multipart/form-data, then the request size limit will be applied which is 2 MB for CRS 3.2 WAF engine.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#limits

    So, you can use the new CRS 3.2 WAF engine for uploading files (which are NOT of Content-Type multipart/form-data) up to a limit of 2 MB.

    Adding MTOM support to the Microsoft WAF is currently under review by the Microsoft engineering team for future improvements. You can upvote the feedback in the forum below:

    https://feedback.azure.com/d365community/idea/0bc973d9-8326-ec11-b6e6-000d3a4f0789

    The WAF Product Group team is also considering if it is possible to increase the file inspection limit further but there is nothing available as of today except the above-mentioned details.

    I will discuss this issue with the Azure WAF Product Group team to check if there are any other workarounds and will update them here.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
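As an added example (not code from this thread, from Azure, or from the CRS project), the following Python script models the checks the accepted answer describes for the CRS 3.2 engine: the allowed Content-Type list quoted from REQUEST-901-INITIALIZATION.conf, the 2 MB request body limit, and the 4 GB file upload limit that only applies to multipart/form-data parts carrying a filename. It runs those checks against two constructed bodies: an MTOM (multipart/related) upload shaped like the request in the question, and the same file sent as multipart/form-data. The function names (`evaluate_request`, `mtom_request`, `form_data_request`), the 3 MB filler standing in for the JPEG and the trimmed envelope are assumptions for illustration; the thread does not say in what order the real engine applies its rules, so this model reports every reason it finds instead of stopping at the first.

```python
"""Model of the CRS 3.2 content-type check and the two Azure WAF size limits
described in the accepted answer. Added example; approximates, does not
reproduce, the Azure WAF engine."""
import email
from email import policy

# Allowed list exactly as quoted in the answer from CRS 3.2 REQUEST-901.
ALLOWED_REQUEST_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/xml",
    "application/xml", "application/soap+xml", "application/x-amf",
    "application/json", "application/octet-stream", "application/csp-report",
    "application/xss-auditor-report", "text/plain",
}
REQUEST_BODY_LIMIT = 2 * 1024 * 1024   # 2 MB with the CRS 3.2 engine (from the answer)
FILE_UPLOAD_LIMIT = 4 * 1024 ** 3      # 4 GB with the CRS 3.2 engine (from the answer)


def parse_content_type(value):
    """Split 'type/subtype; k=v; k2="v2"' into (media_type, {param: value})."""
    media_type, _, rest = value.partition(";")
    params = {}
    for item in rest.split(";"):
        key, sep, val = item.strip().partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip('"')
    return media_type.strip().lower(), params


def evaluate_request(content_type, body):
    """Return every reason the request fails the modelled checks ([] = passes)."""
    media_type, _ = parse_content_type(content_type)
    findings = []
    if media_type not in ALLOWED_REQUEST_CONTENT_TYPES:
        findings.append(f"content type {media_type!r} not in allowed list")
    if media_type == "multipart/form-data":
        # Parse with the stdlib MIME parser; only parts that carry a filename
        # count as file uploads, everything else is charged to the body limit.
        msg = email.message_from_bytes(
            b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body,
            policy=policy.default)
        file_bytes = sum(len(p.get_payload(decode=True) or b"")
                         for p in msg.walk()
                         if not p.is_multipart() and p.get_filename())
        if file_bytes > FILE_UPLOAD_LIMIT:
            findings.append(f"file parts {file_bytes} bytes exceed the file upload limit")
        if len(body) - file_bytes > REQUEST_BODY_LIMIT:
            findings.append("non-file parts exceed the request body limit")
    elif len(body) > REQUEST_BODY_LIMIT:
        findings.append(f"body {len(body)} bytes exceeds the {REQUEST_BODY_LIMIT} byte request body limit")
    return findings


# Constructed inputs: the boundary from the question, a trimmed copy of its
# envelope, and 3 MB of filler in place of the 5 MB JPEG.
BOUNDARY = "----=_Part_2_337329933.1674474754531"
SOAP_XML = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    b'xmlns:tem="http://tempuri.org/"><soapenv:Body><tem:ComplexData>'
    b'<tem:Contents><inc:Include href="cid:SampleJPGImage_5mbmb.jpg" '
    b'xmlns:inc="http://www.w3.org/2004/08/xop/include"/></tem:Contents>'
    b'</tem:ComplexData></soapenv:Body></soapenv:Envelope>')
FAKE_JPEG = b"A" * (3 * 1024 * 1024)


def mtom_request(payload=FAKE_JPEG):
    """MTOM upload as in the question: multipart/related with an XOP root part."""
    ct = (f'multipart/related; type="application/xop+xml"; start="<root@example>"; '
          f'start-info="text/xml"; boundary="{BOUNDARY}"')
    body = (f"--{BOUNDARY}\r\n"
            'Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"\r\n'
            "Content-Transfer-Encoding: 8bit\r\nContent-ID: <root@example>\r\n\r\n").encode()
    body += SOAP_XML + (f"\r\n--{BOUNDARY}\r\n"
                        "Content-Type: application/octet-stream\r\n"
                        "Content-Transfer-Encoding: binary\r\n"
                        "Content-ID: <SampleJPGImage_5mbmb.jpg>\r\n\r\n").encode()
    return ct, body + payload + f"\r\n--{BOUNDARY}--\r\n".encode()


def form_data_request(payload=FAKE_JPEG):
    """The same file sent as a multipart/form-data part with a filename."""
    ct = f'multipart/form-data; boundary="{BOUNDARY}"'
    body = (f"--{BOUNDARY}\r\n"
            'Content-Disposition: form-data; name="envelope"\r\n'
            "Content-Type: text/xml\r\n\r\n").encode() + SOAP_XML
    body += (f"\r\n--{BOUNDARY}\r\n"
             'Content-Disposition: form-data; name="file"; filename="image.jpg"\r\n'
             "Content-Type: application/octet-stream\r\n\r\n").encode()
    return ct, body + payload + f"\r\n--{BOUNDARY}--\r\n".encode()


if __name__ == "__main__":
    for label, (ct, body) in [("MTOM multipart/related", mtom_request()),
                              ("multipart/form-data", form_data_request())]:
        print(f"{label}: {evaluate_request(ct, body) or 'passes'}")
```

Running it prints two findings for the MTOM body (the media type is absent from the allowed list, and the whole body is charged against the 2 MB request body limit) and none for the multipart/form-data body, where the 3 MB part with a filename is measured against the file upload limit instead. That is the distinction the answer draws, and the reason a multipart/related MTOM upload larger than 2 MB cannot pass the CRS 3.2 engine as described.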

