Questions tagged [web-application-firewall]
A web application firewall is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation.
265 questions
139 votes · 2 answers · 92k views
Nginx startup prompt [emerg] no "events" section in configuration
In the X-WAF deployment, you need to create a new nginx configuration file. However, when testing the nginx configuration, an error is found and nginx cannot be started.
I refer to http://blog.51cto....
9 votes · 2 answers · 13k views
How to use Firebase behind Firewall / Proxy?
We are running a simple application that connects to Firebase and reads some data. It fails to connect with the following timeout error:
@firebase/database: FIREBASE WARNING: {"code":"app/invalid-...
8 votes · 2 answers · 7k views
Getting error as "The scope is not valid., field: SCOPE_VALUE, parameter: CLOUDFRONT", in terraform
I tried to create a WAF web ACL using the Terraform script below, with the region of one of my AWS accounts (abc) set to ap-southeast-1 in the .aws/config file, but I get the error below after applying it, whereas the same ...
8 votes · 3 answers · 7k views
Azure API Management - How to get original IP when APM is behind WAF
We have the technical stack below:
Imperva WAF
API Management
WebApi in WebApp
This is the current implementation:
Client IPs are authenticated at WAF level
WAF IPs are whitelisted at APIM
APIM IP is ...
7 votes · 1 answer · 16k views
AWS load balancer returns a 403 response?
When a call comes to a particular URL, the AWS load balancer returns a 403 response. Once the browser cache is cleared, it starts working again. It happens occasionally. What is the reason? No such response ...
5 votes · 1 answer · 18k views
The SSL connection could not be established, see inner exception
I have an integration project, where my REST APIs call WCF services of another project to do some CRUD operations.
My project is built on .NET Core 2.2.102. I deployed my project in the BETA environment (...
5 votes · 0 answers · 2k views
Why does Chrome trigger the Azure App Gateway Web Application Firewall?
I have an Azure App Service sitting behind an Azure App Gateway on the WAF v2 tier. We are experiencing an issue where we get the 403 Forbidden response from the gateway in some Chrome browsers, yet ...
4 votes · 1 answer · 7k views
How to whitelist an IP address in Azure WAF
I have an Azure Application Gateway Web Application Firewall using the OWASP 3.0 ruleset. I created a custom policy so I could create a custom rule which simply allows traffic if it's from a specific ...
4 votes · 3 answers · 1k views
Is a WAF necessary on Kubernetes?
When reading blog posts about WAFs and Kubernetes, it seems 90+ % of the posts are written by WAF-providers, while the remaining posts seem to be sceptical. So I would like to hear what your ...
4 votes · 1 answer · 4k views
Azure App Service with WAF
I'm looking for some Azure security best practice advice. I've seen some articles around on how to do it, but not on whether it's necessarily required.
I have a customer who would like to move to Azure and ...
4 votes · 1 answer · 476 views
Anybody using detrusion.com, a web application firewall for Ruby on Rails?
PS: I was doing some random searching and then I found detrusion.com.
What is this web application firewall?
How does it work?
Any performance hit? If yes, then how much?
Should I use this detrusion.com ...
4 votes · 1 answer · 2k views
Do you think we would need a CDN in front of an api gateway?
We are using AWS and the Kong API gateway hosted in AWS.
Do you think we would need a CDN in front of this API gateway?
We don't need much caching, and we can attach the WAF in AWS to ...
4 votes · 0 answers · 897 views
How to prevent false positive block in Azure WAF for password field
I'm using Azure Front Door with a web application firewall policy. Managed rule set 1.0 is configured.
It all works pretty well, apart from the password field in the login page of my web site. I see ...
3 votes · 3 answers · 5k views
How to create a wildcard to deny all requests from all IPs in AWS WAF
I have a microservice in an ECS instance in AWS behind a WAF, and I want to create these rules:
Allow specific IPs (done)
Allow all connections from inside the VPN (done)
Deny all the other requests.
The ...
3 votes · 2 answers · 1k views
CloudFormation - Is it possible to split a string and assign it to a property in a list?
How do I split a string and use the value for a property?
For example, say I have the following string: SomeRule1,SomeRule2.
I want to use this string to populate the ExcludedRules property of AWS::WAFv2::...
3 votes · 1 answer · 4k views
Request blocked on Azure WAF when form fields have values as JSON strings
I have a form which has some input fields. Some of the input fields have JSON strings as values, like
[{"actionItems":"1","actions":"Go To Home","...
3 votes · 3 answers · 3k views
Google Dialogflow IP addresses
I am building a Google Home application with Dialogflow.
Fulfillment is done via a webhook that points to my virtual machine.
In the VM, port 443 is open and certificates are configured.
However now ...
3 votes · 3 answers · 5k views
Blocking IPs using AWS WAF so that only users connected to a VPN can access CloudFront [closed]
Goal:
Use AWS WAF to filter out traffic that hits CloudFront so that only users connected to the OpenVPN network can access the web application.
OpenVPN assigns any connected user to an IP in the ...
3 votes · 2 answers · 4k views
Trying to find the ARN pattern for AWS WAF regional
I'm playing around with writing IAM policies for an AWS WAF regional resource. I've created a rule for which I'm trying to see if I can write an IAM policy. That's where I realized that IAM policies ...
3 votes · 1 answer · 1k views
Is Azure Active Directory vulnerable to DoS or DDoS attacks?
If I add Azure AD to a cloud architecture, do I still need to add a WAF to protect against DoS/DDoS specifically?
The premise of the question is that attacks can't get past authentication.
3 votes · 0 answers · 5k views
Blocking based on full URL and not just the URI in AWS WAF
I am using AWS WAF across multiple CloudFront distributions which go to different URLs. Generally speaking, it is working well. However, we have noticed particular activity on a few of the underlying ...
3 votes · 2 answers · 3k views
Azure WAF 403 Response
I'm getting a '403 ModSecurity Action' on PUT requests to my API. GETs and POSTs work as expected.
The first thing I thought about is that the WAF may be blocking specific verbs (i.e. PUT), which is '...
3 votes · 0 answers · 356 views
shadowd.flask_connector connector throwing 500 Internal Server Error
I'm trying to connect the Shadowd (Shadow Daemon) WAF (Web Application Firewall) with the Flask connector from this documentation.
Even the normal "Hello world" program is throwing an Internal Server Error. ...
3 votes · 0 answers · 1k views
AWS images block
I'm working on an AWS Ubuntu server protected by WAF Shield, and I'm seeing a strange (at least I think so) behaviour.
When an image is uploaded to my system, some of them are denied and some are not.
...
3 votes · 0 answers · 1k views
Not able to block IP address via AWS WAF
I have created a CloudFront distribution and associated a Web ACL rule with it that blocks all IP addresses that don't match my IP address condition. But it is not blocking any IP address. What am I ...
2 votes · 2 answers · 1k views
How to whitelist VPC outbound traffic
How can we restrict outbound traffic from an AWS VPC to the internet, for example limiting outbound traffic to certain trusted domains (URL "whitelisting")?
I was thinking of AWS WAF, but it seems it ...
2 votes · 6 answers · 1k views
Can I be safe with a Web Application Firewall?
I saw many web application firewalls, like mod_security with the OWASP extension.
If I use that on my server, can I be 99% sure that no one can hack my site through PHP code? Like XSS ...
2 votes · 1 answer · 899 views
Configuring WAF on Azure Front Door services
I'm setting up WAF rules for Azure Front Door services provided by Microsoft Azure. Currently, I'm using the default ruleset 1.0 provided OTB to block the OWASP top 10 threats.
When default rules are ...
2 votes · 1 answer · 3k views
Azure Front Door WAF policy Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110 blocks request with Inbound Anomaly Score Exceeded message
I have Front Door and WAF configured for one of my web applications. The WAF is currently in detection mode. While reviewing the logs, I mostly see the details below in all the blocked requests:
ruleName_s : ...
2 votes · 1 answer · 1k views
Incapsula Rate Limit Per Second
I'm looking at the rate limiting on Incapsula, which limits requests etc. on a per-minute basis.
Rate >= {api-rate;4}
Is there a way to rate limit on a per-second basis?
So if an IP exceeds 1 request ...
2 votes · 1 answer · 1k views
App Insights cookies are blocked by Azure Firewall
We use Application Insights on the frontend and we also use Azure Front Door with a WAF (Web Application Firewall) policy.
I can see in WAF logs that a lot of requests are blocked by some WAF Managed Rules.
...
2 votes · 0 answers · 146 views
LinkedIn Preview Scraper Agent is blocked on WAF
If someone wants to share a page/link from our public website on LinkedIn, the preview doesn't get rendered properly. Also, if we check the Post Inspector (https://www.linkedin.com/post-inspector) it ...
2 votes · 0 answers · 63 views
Why does the WAF block multiple spaces?
In my project we are using a WAF. Recently I found a bug: when we add words with multiple spaces in a textbox, for example
Hello there, this is a multi spaced word collection.
and ...
2 votes · 1 answer · 618 views
How can I implement an AWS WAF rule to restrict access to an API gateway for the users of other accounts?
I need to write a WAF rule such that access to the API gateway is blocked for the users of other AWS accounts.
For now, I'm exploring the implementation of WAF, but I have managed to create CfnWebCl with a ...
2 votes · 1 answer · 1k views
ERROR creating IPsets 'WAFLimitsExceededException'
I'm creating an AWS WAFV2 configuration (IP sets, web ACLs ...) with Python and boto3.
I executed it and it worked at first, but then I deleted all the created resources from the console and executed ...
2 votes · 0 answers · 533 views
Use both the OWASP CRS and the Comodo ModSecurity rule set simultaneously
In a ModSecurity installation, could I set up and use both the OWASP CRS (https://github.com/SpiderLabs/owasp-modsecurity-crs/) and the Comodo rule set (https://waf.comodo.com/user/cwaf_revisions) ...
2 votes · 1 answer · 526 views
What IP addresses do I need to allow in the firewall to access geocoder.api.here.com?
We want to use the HERE Maps geocoder API.
Currently the calls to HERE Maps are stopped by our local firewall.
Our admins told me that it is not possible to add a URL to the firewall rules (geocoder.api....
2 votes · 0 answers · 519 views
AWS WAF vs Google bots and other crawlers
I deployed AWS WAF for my ALB (using a CloudFormation template). Now I want to configure the scan probe and bad bot rules to work with Google and other search bots. How can I identify "good" bots?
2 votes · 2 answers · 3k views
WAF Rule to block all http/https traffic using Azure Application gateway
When configuring WAFs, I'm used to configuring the lowest priority rule to block all inbound http/https traffic. I then add higher priority allow rules to open up the access I require.
I can't see how ...
1 vote · 1 answer · 4k views
Cloud Armor logs aren't very clear when rule is set as "Preview only"
I'm deploying a WAF with Cloud Armor and I realized that the rules can be created in a "Preview only" mode and that there are Cloud Armor entries in Cloud Logging.
The problem is that when I ...
1 vote · 2 answers · 513 views
Need help decoding a cross site scripting javascript attack
Someone posted on Twitter (not sure if I can link it here) a cross site scripting bypass for Imperva Web Application Firewalls. It looks as follows:
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:...
1 vote · 4 answers · 8k views
Is there any Web Application Firewall for ASP.NET? [closed]
I want to harden my website against simple DoS/XSS/SQLi/etc...
but I don't want to delve into security programming for now, so I want to use a ready-made class or library, something like "...
1 vote · 1 answer · 2k views
Whitelisting a cross-tenant subnet in a storage account firewall in Azure
I want to access a storage account residing in an Azure AD tenant (say tenant id T1) from a subnet (say S1) residing in another Azure AD tenant (say tenant id T2). Using the Azure CLI I was able to add this ...
1 vote · 1 answer · 6k views
WAF - 200003 Multipart Request Body Strict Validation
I have an application that was making calls to Azure Application Gateway, and it was failing when the following rule was enforced:
RuleId: 200003
Description: Multipart Request Body Strict Validation
...
1 vote · 1 answer · 1k views
AWS WAF with IP restriction
I have an AWS API Gateway which should only be accessed by requests coming from Salesforce IP ranges. How do I accomplish that in CloudFormation with AWS::WAFv2::WebACL?
1 vote · 3 answers · 2k views
Denial of Service attack for One Time Password resend function
In our web application, we have a function where the user resets his/her password. Part of the process requires sending an OTP via SMS. The thing is, we have a function on our page that allows the user to ...
1 vote · 1 answer · 2k views
Are there open-source WAF solutions?
I am looking for an open-source WAF solution that could be deployed in Kubernetes. I've looked at ModSecurity, but it seems like good rules cost money and it also requires lots of tuning.
1 vote · 1 answer · 1k views
Is it possible to use Amazon Web Application Firewall with an application that is not hosted on AWS instances?
I'm new to AWS WAF and got stuck setting it up for an application that is hosted on a dedicated server. I didn't find any information on how to set it up without migrating to AWS servers, but I found ...
1 vote · 1 answer · 1k views
Set mod_security to detectionOnly for a specific page?
If mod_security is set to On for the whole website, is there a way I can set specific pages to DetectionOnly?
The use case is that the application is used to configure websites, and the use of CSS or JS is ...
1 vote · 3 answers · 3k views
Azure cloud service Web App not found (404)
I have a web app hosted in an Azure cloud service.
We would like to put the WAF in front of the web app per the setup below:
We have created a bladomain.com.au
The DNS record points to IMPERVA IP address
IMPERVA ...