question

som asked RichardBrown-6534 commented

WAF exclusion Rule for cookie name

I am using WAF and creating an exclusion rule. I wanted to exclude the ASP.NET OpenID Connect cookie, as the cookie name itself violates the WAF rule. Based on the documentation, I think WAF exclusions work on the value, not on the name. Please suggest.

Warning. Pattern match "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]?-)|([^\-&])#.?[\s\r\n\v\f]|;?\x00)" at REQUEST_COOKIES_NAMES

.AspNetCore.OpenIdConnect.Nonce.CfDJ8By4xDotf-JCnJS9BHH__BdvvJNm8WXFRbFcr_D65PUBazmnXcJkPvNQCra4aguO1TCLHdCmZ0liD9mgNBbAg--tqwE2hMio7BLj2Mu3J7UQKMBg2_vbaNJzGTAciiAOQaCQZc4dCDCN5nCf3bP3YU2Zis9Njk-BcF95mxaubrKWl3-EdW9BmdY9Avxc2PMIhr ....

https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration#waf-exclusion-lists
I am writing the exclusion rule like this.

[image attachment: the exclusion rule as configured]

Tags: azure-application-gateway, dotnet-aspnet-core-security

som answered RyanAdler-8489 commented

I have solved it by using a custom rule with an Allow action.

    # Custom rule added to the custom_rules block of the
    # azurerm_web_application_firewall_policy resource (Terraform, azurerm provider).
    custom_rules {
      name      = "allowaspNetCoreCookie"
      priority  = 25
      rule_type = "MatchRule"

      match_conditions {
        # Inspect the Cookie request header as a whole.
        match_variables {
          variable_name = "RequestHeaders"
          selector      = "Cookie"
        }
        # Matches when the Cookie header string begins with the OpenID Connect cookie prefix.
        operator           = "StartsWith"
        negation_condition = false
        match_values       = [".AspNetCore.OpenIdConnect."]
      }

      # Requests matching this rule are allowed without further rule evaluation.
      action = "Allow"
    }


While this seems like the right answer, I think there is an issue here. If I understand correctly, any request that matches the custom rule will not be passed through the normal rules. This means all an attacker has to do is add or have the .AspNetCore.OpenIdConnect. cookie, and all other rules will not be applied.

GitaraniSharmaMSFT-4262 answered RichardBrown-6534 commented

Hello @som ,

As mentioned in this article, the values of the chosen field aren't evaluated against WAF rules, but their names still are, which means the exclusion rules only exclude the checking of a cookie's value, not of its name.

I found a similar issue reported here: https://github.com/dotnet/aspnetcore/issues/4589
You could try adding the list of exclusion rules provided in the additional context on this issue.
There is a User Voice feedback item raised in the following forum which you could upvote in case you are facing a similar issue: https://feedback.azure.com/forums/217313-networking/suggestions/36260122-web-application-firewall-cookie-exclusions-only-ex

For more information, please refer to: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#using-an-exclusion-list

I request you to have a look into these, and in the meantime I will check with the Azure WAF PG team to see if they can provide some insights on the same.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


The user voice page seems to have moved. It's now here https://feedback.azure.com/d365community/idea/8a9ec510-8b26-ec11-b6e6-000d3a4f0789.

It's still hugely frustrating that the only viable workarounds leave big security holes in our application.

Hi @GitaraniSharmaMSFT-4262,

Have you got any further update? It is causing a problem for me as well, and I don't want to allow it using a custom rule.
Is there any way to exclude the cookie name itself from validation?

Thanks


This is not a solution - there is currently no workaround except to completely disable the WAF rules which are matching. These happen to be some of the most important WAF rules, BTW. So no solution yet.

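To make the three points of this thread concrete (the nonce cookie name trips the SQL comment pattern quoted in the question; a RequestCookieNames exclusion skips only the cookie value, as the answer above states; and the custom Allow rule from the accepted workaround short-circuits every managed rule, as the first comment warns), here is a small Python model of the evaluation order. This is an added example, not code from any poster or from Azure WAF: the regex is the one quoted in the WAF warning, but the `Request`, `CustomRule`, `evaluate` and `scenarios` names are this example's own, the nonce cookie name is constructed (its base64url tail contains `--x-`, one of the sequences the pattern flags), and the SQL injection payload in the query string is constructed as well.

```python
"""Toy model of Azure WAF evaluation order for the cookie-name problem (constructed example)."""
import re
from dataclasses import dataclass, field

# Pattern quoted verbatim from the WAF warning in the question (REQUEST_COOKIES_NAMES).
SQLI_COMMENT_RE = re.compile(
    r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]?-)|([^\-&])#.?[\s\r\n\v\f]|;?\x00)"
)

# Constructed cookie name, not the real nonce from the question: the base64url
# suffix contains "--x-", which the pattern above treats as a SQL comment.
NONCE_COOKIE = ".AspNetCore.OpenIdConnect.Nonce.CfDJ8QzL3--x-N9w"
NONCE_PREFIX = ".AspNetCore.OpenIdConnect."


@dataclass
class Request:
    cookies: dict                               # ordered name -> value, as sent in the Cookie header
    args: dict = field(default_factory=dict)    # query-string parameters

    def cookie_header(self) -> str:
        return "; ".join(f"{k}={v}" for k, v in self.cookies.items())


@dataclass
class CustomRule:
    """Mirrors the fields of the Terraform custom_rules block posted in the answer."""
    name: str
    priority: int
    match_value: str       # RequestHeaders / Cookie / StartsWith
    action: str            # "Allow" or "Block"

    def matches(self, req: Request) -> bool:
        # StartsWith is applied to the whole Cookie header string, not to each cookie.
        return req.cookie_header().startswith(self.match_value)


def managed_rules(req: Request, excluded_cookie_prefixes=()):
    """Return (location, field) findings for the SQL comment pattern.

    An exclusion on RequestCookieNames skips the *value* of a matching cookie;
    the cookie *name* is still inspected, as the linked docs describe.
    """
    findings = []
    for name, value in req.cookies.items():
        if SQLI_COMMENT_RE.search(name):
            findings.append(("REQUEST_COOKIES_NAMES", name))
        value_excluded = any(name.startswith(p) for p in excluded_cookie_prefixes)
        if not value_excluded and SQLI_COMMENT_RE.search(value):
            findings.append(("REQUEST_COOKIES", name))
    for name, value in req.args.items():
        if SQLI_COMMENT_RE.search(value):
            findings.append(("ARGS", name))
    return findings


def evaluate(req: Request, custom_rules=(), excluded_cookie_prefixes=()):
    """Custom rules run first in priority order; a matching rule's action ends
    evaluation, so the managed rule set is never consulted for that request."""
    for rule in sorted(custom_rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.action, [("CUSTOM_RULE", rule.name)]
    findings = managed_rules(req, excluded_cookie_prefixes)
    return ("Block" if findings else "Allow"), findings


ALLOW_RULE = CustomRule("allowaspNetCoreCookie", 25, NONCE_PREFIX, "Allow")
SQLI_ARG = {"id": "1' OR 1=1-- "}   # constructed payload: "--" followed by whitespace


def scenarios():
    login = Request({NONCE_COOKIE: "nonce"})
    attack = Request({NONCE_COOKIE: "nonce"}, args=SQLI_ARG)
    # Same cookies, but another cookie precedes the nonce in the Cookie header.
    reordered = Request({"theme": "dark", NONCE_COOKIE: "nonce"})
    return {
        "login_no_config": evaluate(login),
        "login_with_exclusion": evaluate(login, excluded_cookie_prefixes=[NONCE_PREFIX]),
        "login_with_allow_rule": evaluate(login, custom_rules=[ALLOW_RULE]),
        "attack_without_allow_rule": evaluate(attack),
        "attack_with_allow_rule": evaluate(attack, custom_rules=[ALLOW_RULE]),
        "reordered_with_allow_rule": evaluate(reordered, custom_rules=[ALLOW_RULE]),
    }


if __name__ == "__main__":
    for label, (action, why) in scenarios().items():
        print(f"{label:28s} {action:5s} {why}")
```

Running it shows the exclusion leaving the login blocked on REQUEST_COOKIES_NAMES, the Allow rule letting the login through, and the same Allow rule also letting a request with a SQL injection payload in its query string through untouched. The last scenario shows a further caveat of the posted workaround: because StartsWith is evaluated against the whole Cookie header, the rule does not fire when a browser sends another cookie before the OpenID Connect one, and the login is blocked again.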