Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link

Anoop Mohanan-FT 21

Requesting help to create a WAF exclusion rule in AFD for the below scenario:

ruleName_s : DefaultRuleSet-1.0-RFI-931130
Action: Block

Matched Data: https://domainname found within QueryParamValue:redirect_uri: https://domainname/signin-oidc
details_matches_s:

[
{
"matchVariableName": "QueryParamValue:redirect_uri",
"matchVariableValue": "https://domainname/signin-oidc"
}
]

GitaraniSharma-MSFT 47,006 Reputation points Microsoft Employee

2022-06-28T10:41:16.727+00:00

Hello @Anoop Mohanan-FT ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Could you please try the below WAF exclusion rule in AFD for your specified scenario and check?

Regards,
Gita
Anoop Mohanan-FT 21 Reputation points

2022-06-28T15:19:20.113+00:00

Thanks for the response.

Instead of mentioning redirect_uri , Can we mention the selector as

redirect_uri: https://domainname/signin-oidc

or

/signin-oidc
GitaraniSharma-MSFT 47,006 Reputation points Microsoft Employee

2022-07-01T09:01:11.893+00:00

Hello @Anoop Mohanan-FT ,

Apologies for the delay in response.

Per design, the values of the fields you use aren't evaluated against WAF rules, but their names are evaluated.

I've added the summary below in the answer section for your reference. Kindly let us know if helps or you need further assistance on this issue.

Regards,
Gita

1 answer

GitaraniSharma-MSFT 47,006 Reputation points Microsoft Employee

2022-07-01T09:03:06.677+00:00

Hello @Anoop Mohanan-FT ,

I understand that you would like help in creating a WAF exclusion rule in AFD for the below scenario:

ruleName_s : DefaultRuleSet-1.0-RFI-931130
Action: Block
Matched Data: https://domainname found within QueryParamValue:redirect_uri: https://domainname/signin-oidc
details_matches_s:
[
{
"matchVariableName": "QueryParamValue:redirect_uri",
"matchVariableValue": "https://domainname/signin-oidc"
}
]

Per design, the values of the fields you use aren't evaluated against WAF rules, but their names are evaluated.

So, if a header value, cookie value, post argument value, or query argument value produces false positives for some rules, you can exclude that part of the request from consideration by the rule as below:
If WAF logs shows - QueryParamValue:SOME_NAME, then the WAF exclusion should be - Query string args name Equals SOME_NAME
Refer : https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#define-exclusion-based-on-web-application-firewall-logs

In your case, it is QueryParamValue:redirect_uri, so the WAF exclusion rule should be Query string args name Equals redirect_uri.

You can apply exclusion lists to all rules within the managed rule set, to rules for a specific rule group, or to a single rule.
Since, the block is triggering for DefaultRuleSet-1.0-RFI-931130, we need to select that particular RFI rule in the WAF exclusion config as below:

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Anoop Mohanan-FT 21 Reputation points

2022-07-04T09:04:45.65+00:00

Thanks for the response. We are looking for writing the exclusion more specific.
Would it be possible to check a specific domain under "matchVariableValue"? Requirement to mention only our redirect our domain

GitaraniSharma-MSFT 47,006 Reputation points Microsoft Employee

2022-07-05T14:18:08.497+00:00

Hello @Anoop Mohanan-FT ,

Please allow me some time to discuss this scenario with the backend team and get back to you with an update.

Regards,
Gita

GitaraniSharma-MSFT 47,006 Reputation points Microsoft Employee

2022-07-08T12:33:24.433+00:00

Hello @Anoop Mohanan-FT ,

I discussed this requirement with the Azure WAF Product Group team and below is their response:

WAF does not support excluding specific values. You can only exclude all values for a given argument key/name.

So you can setup the Exclusion rule either as Query string args name Equals redirect_uri OR Query string args name Equals redirect_uri: https://domainname/signin-oidc but the exclusion would have similar effects (i.e. ignore all values for the given parameter name).

Kindly let us know if it helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Aditya Parcha 0 Reputation points

2023-04-17T08:40:04.0533333+00:00

Hello @GitaraniSharma-MSFT , Could you please me in understanding this rule better. We are facing the issue with this rule , when we have the URL as below. https://qma-engageidentity.vmmcorp.com/Account/HomeRealm?ReturnUrl=/connect/authorize/callback?response_type=code&client_id=AdminId&redirect_uri=https://qma-admin.vmmcorp.com/&scope=openid Seems that is blocking this request as we have redirect Uri from other domain. We tried disabling the 931100- Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link rule and it is working fine. Disabling the rule is the only option we have? If not, Can you suggest the alternatives to fix this show stopper issue.

Aditya Parcha 0 Reputation points

2023-04-17T08:41:25.1766667+00:00

Hi @GitaraniSharma-MSFT ,

GitaraniSharma-MSFT 47,006 Reputation points Microsoft Employee

2023-04-20T12:30:32.6133333+00:00

Hello @Aditya Parcha ,

Could you please share the WAF log which blocks this URL?

Regards,

Gita
Sign in to comment