Greetings. Please help in creating an exception to the rule: OWASP_3.2 - Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link. My web application generates requests like: /_next/image?url=https%3A%2F%2Fdcxpblob.blob.core.windows.net%2Fpublic%2F9ea94f5e-14c0-c578-a38a-6cb05d07e1e0%2Flogo.png&w=32&q=75 The firewall perceives this as an attack. I made the following exceptions: But still, in Kibana, I see alerts like this: Does this mean that the exception does not work, because the firewall generates logs warning about the event, and the goal is to make it ignore calls to Blob storages? Thank you.

@Yurii Tsarienko , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. Can you share the exact error message which you see in the ApplicationGatewayFirewallLog ? The detailed analysis of what blocked the request would be available in the "message" and "details" fields. Without the above, how are you confirming that the block is because of "blob.core"? Cheers, Kapil

How to add correct exclusion on Azure WAF?

Accepted answer

KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee

2024-05-13T13:30:48.8133333+00:00
@Yurii Tsarienko ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Can you share the exact error message which you see in the ApplicationGatewayFirewallLog?

The detailed analysis of what blocked the request would be available in the "message" and "details" fields.

Without the above, how are you confirming that the block is because of "blob.core"?

Cheers,

Kapil
Please sign in to rate this answer.

1 person found this answer helpful.
Yurii Tsarienko 20 Reputation points

2024-05-13T14:06:31.8333333+00:00

The thing is, the rule works when the application receives a request of this type:

https://my.app.com**/_next/image?url=https%3A%2F%2Fdcxpblob.blob.core.windows.net%2Fpublic%2F9ea94f5e-14c0-c578-a38a-6cb05d07e1e0%2Flogo.png&w=32&q=75**

Well, it is obvious that for the rule Possible Remote File Inclusion (RFI) Attack part of the request:

url=https%3A%2F%2Fdcxpblob.blob.core.windows.net%2Fpublic%2F9ea94f5e-14c0-c578-a38a-6cb05d07e1e0%2Flogo.png&w=32&q=75

It is a trigger.

But this way:

dcxpblob.blob.core.windows.net

It is legitimate, there are pictures and avatars of users in the storage.

How to completely ignore this blob in the set of rules?

As I showed in the picture above, the exceptions I made did not work.

Alerts will come to Kibana. We need to get rid of them.

KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee

2024-05-13T14:58:03.51+00:00

NOTE :

In the context of App gateway WAF, RequestArgNames = RequestArgValues

i.e., Request attributes by names work the same way as request attributes by values

You must always use the "key" of the query parameters while defining exclusions.

So, your rules can be either 1 or 2

#1

Attribute to Exclude : Query string

matchVariable : RequestArgNames

selectorMatchOperator : Equals

Example selector : url

This will make sure WAF will never validate any value that is present in the key "uri"

#2

Attribute to Exclude : Query string

matchVariable : RequestArgNames

selectorMatchOperator : EqualsAny

Here, WAF will not validate any of the values of the query parameters.

In your case, this covers the values of "url", "w" and "q"

A complete and detailed reference can be found here : Identify request attributes to exclude.

Cheers,

Kapil

KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee

2024-05-13T15:00:03.0866667+00:00

@Yurii Tsarienko ,

To provide more context,

In the URI "http://localhost:8080/?/etc=test"

key = /etc

value/name = test

Any rule you might define must make use of "/etc" and not "test"

This applies even if you wish to exclude the value and not the key. The key acts as an identifier and you should use "RequestArgNames" or "RequestArgValues" if you want the WAF to exclude the value of a particular key from validation.

In case the above does not help, I would request you to share the WAF logs directly from the log analytics workspace so as we can be certain the issue indeed arises from the value of "uri" and not something else.

Cheers,

Kapil

Yurii Tsarienko 20 Reputation points

2024-05-14T11:10:13.35+00:00

Dear @KapilAnanth-MSFT thank you very much for the information, at the moment the following exception worked:

This exception allows me to ignore URLs, but could potentially be unsafe since all URLs are ignored.

The task is to ignore only:

url=https://dcxpblob.blob.core.windows.net

I would be very grateful if you could help me with this.

KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee

2024-05-14T12:25:28.88+00:00

@Yurii Tsarienko ,

You are welcome. Glad we could be of assistance.

Wrt your ask, this is not a feature of WAF Exclusion.

WAF Exclusion either allows you to exclude all the "values/names" in the "key"

Or the "key" itself. (naming convention of the key)

Instead, you may try using Custom rules.

You should use "RequestUri" as "Match variable"

And "Action" as "Allow"

Custom Rules have a high priority and bypass all the WAF default rules.

It should be something like this,

Hope this helps.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Nayot Tientong 0 Reputation points

2024-08-23T03:14:04.51+00:00

@KapilAnanth-MSFT
In case we use the custom rule with match value url=https://dcxpblob.blob.core.windows.net , if traffic is matched with this rule , WAF will allow traffic and then not check other default rule in CRS , am I correct ?

Does it also risk to use custom rule in this case ?

KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee

2024-08-26T03:33:39.46+00:00

Yes Nayot Tientong,

That is correct.

You must tune your WAF according to your requirement and make sure you don't create any custom rules or exclusions that are "generic"
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to add correct exclusion on Azure WAF?

0 additional answers

Your answer