
I have configured an Azure Application Gateway + WAF in front of an ASP.NET Core application running on an Azure WebApp. I have the default OWASP 3.0 rule set on and in Prevention mode.

The problem I have is that every request via the WAF fails in one way or another, with some of the default set of rules returning a 403 - Forbidden status.

Looking through the WAF logs I found a few rules failing.

  1. SQL Hex Encoding Identified

    {
        "message": "Warning. Pattern match \"(?i:(?:\\\\A|[^\\\\d])0x[a-f\\\\d]{3,}[a-f\\\\d]*)+\" at REQUEST_COOKIES:ASP.Net_Auth.",
        "data": "Matched Data: H0XAa4 found within REQUEST_COOKIES:AspNetCore.Auth: CfDJ8El_2vmJILFHjQYUCDWwttioV16BAlL12KiQnTLGZztGtA8P0xbo1MosAgmrkUk4IQ7pF5O4ZMJbmRHsHxYHq842rq_hr8FUyMhAMo_5mQ-C_5jBrkRWqUGrYHMa6fVIj4xtGOfku..."
    }

  2. SQL Comment Sequence Detected

    {
        "message": "SQL Comment Sequence Detected.",
        "details": {
            "message": "Warning. Pattern match \"(/\\\\*!?|\\\\*/|[';]--|--[\\\\s\\\\r\\\\n\\\\v\\\\f]|(?:--[^-]*?-)|([^\\\\-&])#.*?[\\\\s\\\\r\\\\n\\\\v\\\\f]|;?\\\\x00)\" at REQUEST_COOKIES:.AspNetCore.Identity.Application.",
            "data": "Matched Data: --Z35d...- found within REQUEST_COOKIES:.AspNetCore.Identity.Application: CfDJ8El_2vmJILFHjQYUCDWwttihjUTpJneEVE1l-3UeTx...",
            "file": "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
            "line": "1053"
        }
    }

  3. PCRE limits exceeded

    {
        "requestUri": "/api/ping?_=240477821",
        "message": "Execution error - PCRE limits exceeded (-8): (null)."
    }

That URL /api/ping has no return except 200 OK.

I can't find any good documentation on these rules, or on when and which rules should be enabled/disabled. I'm sure I can disable them, but it feels to me that the WAF is very aggressive and picks up too many false positives.

Is there a default set of rules that is good, safe and compatible by default with an ASP.NET Core app?


1 Answer


OWASP 3.0 works based on the sum of the scores it gets from each rule. A single request is processed by a set of rules; each rule adds a score to the request and, at the end, if the total score exceeds a limit, the request is blocked.

In your case, you can read the rule definition here and check what score each rule adds to the particular request.

The last rule, the PCRE limit, is a mandatory rule which cannot be disabled; it was hit because of the score that the request got from the other rule sets. So you need to track the other rule sets and disable them or create an exclusion to get your site working.

  • I also have one concern here. If we have a rule 941140 and we are getting several PCRE limits exceeded exceptions for this rule, what will happen when we enable this rule for prevention: will WAF block these requests or will it pass the request to the next pipeline? Mar 3, 2021 at 12:13
  • WAF will block the request. Mar 4, 2021 at 20:10
  • Thanks for your response. Is there a way to handle these kinds of errors? Is it good to increase the execution rate to reduce the PCRE limit? I have gone through several articles; somewhere it is specified to increase the PCRE limit and somewhere it is not recommended. It's quite difficult to replicate these kinds of scenarios and the solution to fix them. Mar 5, 2021 at 4:57
  • It is not recommended to reduce the PCRE limit. But if you are using Application Gateway, you can use exclusions to bypass legitimate traffic. Mar 6, 2021 at 5:03
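As an added example (not from the question, the answer or Azure's own code), the following Python script models the anomaly scoring the answer describes and the cookie-name exclusion suggested in the comments. It runs the two regexes quoted in the question's WAF log against two constructed cookie values, adds up per-rule points using the CRS 3.x severity convention (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2, inbound threshold 5), and shows the same request passing once the offending cookies are excluded by name. The rule ids 942450/942440 and their CRITICAL severity come from the CRS 3.x rule files rather than this page; the cookie values, the one-increment-per-rule-per-variable simplification and the name-based exclusion model are assumptions of this demo, not Azure WAF's real engine.

```python
import re
from dataclasses import dataclass

# CRS 3.x convention: severity -> anomaly points, and the default inbound threshold.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5


@dataclass(frozen=True)
class Rule:
    rule_id: str
    name: str
    pattern: "re.Pattern[str]"
    severity: str  # assumed for this demo; confirm against the CRS rule file


# Regexes copied from the WAF log entries in the question (JSON escaping removed).
# Rule ids and severities are assumptions taken from CRS 3.x, not from the page.
RULES = [
    Rule("942450", "SQL Hex Encoding Identified",
         re.compile(r"(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+"), "CRITICAL"),
    Rule("942440", "SQL Comment Sequence Detected",
         re.compile(r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)"
                    r"|([^\-&])#.*?[\s\r\n\v\f]|;?\x00)"), "CRITICAL"),
]

# Constructed cookie values: opaque ASP.NET Core auth tokens that happen to contain
# the substrings the question's log reported as matched data ("--Z35d-", "H0XAa4").
COOKIES = {
    ".AspNetCore.Identity.Application": "CfDJ8El_2vmJILFHjQYUCDWwtti--Z35d-Tx",
    "AspNetCore.Auth": "CfDJ8El_2vmJILFHjQYUCDWwttioV16H0XAa4P0xbo1",
}


@dataclass
class Verdict:
    score: int
    matches: list  # (rule_id, target, matched_text)
    blocked: bool


def evaluate(cookies, exclusions=frozenset()):
    """Score every inspected cookie against every rule and sum the points.

    Simplification: one increment per rule per inspected variable. An exclusion
    removes the named cookie from inspection entirely, which is how a
    request-cookie-name exclusion behaves conceptually.
    """
    score = 0
    matches = []
    for name, value in cookies.items():
        if name in exclusions:
            continue  # excluded by name: no rule ever sees this cookie
        for rule in RULES:
            m = rule.pattern.search(value)
            if m:
                score += SEVERITY_SCORE[rule.severity]
                matches.append((rule.rule_id, f"REQUEST_COOKIES:{name}", m.group(0)))
    return Verdict(score, matches, score >= INBOUND_THRESHOLD)


if __name__ == "__main__":
    for label, excl in [("no exclusions", frozenset()),
                        ("one cookie excluded", frozenset({"AspNetCore.Auth"})),
                        ("both cookies excluded", frozenset(COOKIES))]:
        v = evaluate(COOKIES, excl)
        print(f"{label}: score={v.score} blocked={v.blocked}")
        for rule_id, target, text in v.matches:
            print(f"  {rule_id} matched {text!r} in {target}")
```

Running it shows why random-looking auth cookies trip these SQLi rules: "--Z35d-" and "H0XAa4" are valid base64url fragments yet match the comment-sequence and hex-encoding patterns. Excluding only one of the two cookies still leaves the request exactly at the 5-point threshold and blocked, so every cookie that fires must be covered by an exclusion; a cookie-name exclusion keeps the rules active for query strings and bodies, which is narrower than disabling 942440/942450 outright.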
