Authentication - mod_auth_openidc_state_ - mod_auth_openidc_session - Blocked - Azure WAF Rules #1001
Unanswered. GVijayAnand asked this question in Q&A. Replies: 1 comment, 1 reply.

Follow-up comment in the thread:
Dear Team, could you please provide any suggestions? Thanks,
Dear All,
We have integrated our application authentication with mod_auth_openidc 2.4.12.1 module running on Windows 2019.
High-level flow: Azure AppGateway -> Apache Servers (authentication module) -> Authentication Services -> Azure AppGateway -> Apache Server -> Application Service.
1. During authentication: mod_auth_openidc_state_<>
When accessing the application, some of the requests are blocked by Microsoft Azure WAF matching rule 942440 - SQL Comment Sequence (for example, if the cookies contain "--").
In this process, as the session acknowledgement was not sent to the browser, an interim mod_auth_openidc_state_<> cookie was available in the browser cache.
We tried to configure the parameters below and validate the access, but cookies were still getting blocked in the WAF.
OIDCCryptoPassphrase - To generate the encrypted state cookie
OIDCStateTimeout - To expire older cookies
OIDCStateMaxNumberOfCookies - To delete the earliest cookie
Example:
WAF Rule: Pattern match: (?:/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-|[^\u0026-]#.*?[\s\r\n\v\f]|;?\x00) at REQUEST_COOKIES.
Matched Data: --0d7rdttvDzgrjAgSp6WLuEACfKazB8Z7mXdDXnCK0Vc1LlBML4Nk0mGbZ1GcCidBVuldx84U8RKC2cbCAGliA8xU37n9udNvWyD6JmcexEPlsq4b2rhuX3a7Bbo7wg7JIrSYuNYdqfhFlrZNMw34J7xYu8jYCMJ2eyo6- found within REQUEST_COOKIES:mod_auth_openidc_state_m8BPzclnOmi0Ak7MRJe_0RP17tA: eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..sx6DDfCLQDUytxi0.BW3IO8ghmZpMsEYf_EZ5jo7SZkQN2lSCIRuZPCvv_gKgYjWc4InAvKtrDj0z8hJksIaCJotnmQ4GONMzd--0d7rdttvDzgrjAgSp6WLuEACfKazB8Z7mXdDXnCK0Vc1LlBML4Nk0mGbZ1GcCidBVuldx84U8RKC2cbCAGliA8xU37n9udNvWyD6J...
2. During authentication: mod_auth_openidc_session
After successful authentication, session cookies are also blocked by Microsoft Azure WAF matching rule 942440 - SQL Comment Sequence - presence of "--" in the cookie value.
Example:
WAF Rule: Pattern match: (?:/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-|[^\u0026-]#.*?[\s\r\n\v\f]|;?\x00) at REQUEST_COOKIES.
Matched Data: --xoP- found within REQUEST_COOKIES:mod_auth_openidc_session: eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..87TXLDQLZCkeRKqi.G47hArzj8UlwM--xoP-DPWNJgU9y-Hb0xXd2vBlMKrj23JJmsmqWu-wS-KpIjGWef0aZKxSkhEX_OTIPR0g8tfQv9dVjMGfj692IxE_ZPAHLFgjSPp4SnO5XGUZRTop395Y0QjVMgA4Mb3kT1kucdXT8tl3eF6v4oE4cZkqwZqwWMbUD08e_D2bqvP8diU174YWriUPU1mMfoEAiIDI6U8K-wTA0MUEbcc3lMiTcuJkoV564cOHA-RhMpo-U-z8ABurj-Or8svJs_OWYXmS-fUyyO2Q2tXj3j8LcEYlvWCDgB0nVilTYyl7-Z9d4F2UiF1hzY2p3AWGVlZBVm2-rN5ltTTUpuGMgc5RfGQwodr18lHHYNyq...
Could you please provide suggestions/pointers for generating values which will be allowed by generic OWASP 3.2 standards?
Regards,
G.Vijay Anand
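As an added example (not part of the post, and not mod_auth_openidc's own code), the following Python reproduces the CRS 942440 check over the cookie values quoted above, confirms that those values are base64url JWE segments (the shared header decodes to "alg":"dir", "enc":"A256GCM"), and estimates how often a random base64url token of a given length contains "--". The sample cookie values are assembled from the truncated fragments in the post (the real cookies continue past them), and the function names are my own.

```python
import base64
import json
import random
import re

# CRS rule 942440 ("SQL Comment Sequence Detected") as quoted in the post's WAF
# log, with the log's JSON escape \u0026 written as a literal '&'.
RULE_942440 = re.compile(
    r"(?:/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-|[^&-]#.*?[\s\r\n\v\f]|;?\x00)"
)

# The base64url alphabet (RFC 4648 section 5): '-' is one of the 64 symbols.
BASE64URL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

# JWE protected header shared by both cookies in the post.
JWE_HEADER = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0"
# State cookie, constructed by joining the log's value prefix to its "Matched Data"
# fragment; still truncated, so illustrative only.
STATE_PREFIX = JWE_HEADER + "..sx6DDfCLQDUytxi0.BW3IO8ghmZpMsEYf_EZ5jo7SZkQN2lSCIRuZPCvv_gKgYjWc4InAvKtrDj0z8hJksIaCJotnmQ4GONMzd"
STATE_MATCHED = "--0d7rdttvDzgrjAgSp6WLuEACfKazB8Z7mXdDXnCK0Vc1LlBML4Nk0mGbZ1GcCidBVuldx84U8RKC2cbCAGliA8xU37n9udNvWyD6JmcexEPlsq4b2rhuX3a7Bbo7wg7JIrSYuNYdqfhFlrZNMw34J7xYu8jYCMJ2eyo6-"
# Session cookie exactly as quoted in the post (truncated there with "...").
SESSION_VALUE = JWE_HEADER + "..87TXLDQLZCkeRKqi.G47hArzj8UlwM--xoP-DPWNJgU9y-Hb0xXd2vBlMKrj23JJmsmqWu-wS-KpIjGWef0aZKxSkhEX_OTIPR0g8tfQv9dVjMGfj692IxE_ZPAHLFgjSPp4SnO5XGUZRTop395Y0QjVMgA4Mb3kT1kucdXT8tl3eF6v4oE4cZkqwZqwWMbUD08e_D2bqvP8diU174YWriUPU1mMfoEAiIDI6U8K-wTA0MUEbcc3lMiTcuJkoV564cOHA-RhMpo-U-z8ABurj-Or8svJs_OWYXmS-fUyyO2Q2tXj3j8LcEYlvWCDgB0nVilTYyl7-Z9d4F2UiF1hzY2p3AWGVlZBVm2-rN5ltTTUpuGMgc5RfGQwodr18lHHYNyq"

SAMPLE_COOKIES = {
    "mod_auth_openidc_state_m8BPzclnOmi0Ak7MRJe_0RP17tA": STATE_PREFIX + STATE_MATCHED,
    "mod_auth_openidc_session": SESSION_VALUE,
}


def rule_942440_hits(cookies):
    """Return {cookie_name: matched_text} for each value the rule flags,
    reporting the first match the way the WAF log does."""
    hits = {}
    for name, value in cookies.items():
        m = RULE_942440.search(value)
        if m:
            hits[name] = m.group(0)
    return hits


def decode_jwe_header(segment):
    """Decode the base64url (unpadded) JWE protected header into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def looks_like_jwe(value):
    """True if the value is dot-separated base64url segments whose first segment
    is a JWE header carrying 'alg' and 'enc'. A complete JWE compact
    serialization has five segments; the log values are truncated, so only
    the segment alphabet and the header are checked here."""
    parts = value.split(".")
    if len(parts) < 2 or not all(set(p) <= BASE64URL for p in parts):
        return False
    try:
        header = decode_jwe_header(parts[0])
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header and "enc" in header


def false_positive_cookies(cookies, name_prefix="mod_auth_openidc_"):
    """Cookies that 942440 flags only because '--' occurs inside a well-formed
    JWE token, i.e. the hit is an artifact of the base64url alphabet. The
    returned names are the narrow scope for a per-rule WAF exclusion."""
    return {
        name: hit
        for name, hit in rule_942440_hits(cookies).items()
        if name.startswith(name_prefix) and looks_like_jwe(cookies[name]) and hit.startswith("--")
    }


def expected_double_dash_rate(token_len):
    """Closed form: with uniformly random bytes each base64url character is
    uniform over 64 symbols, so each of the token_len-1 adjacent pairs is
    '--' with probability 1/4096."""
    return 1 - (1 - 1 / 4096) ** (token_len - 1)


def double_dash_rate(token_len=200, trials=2000, seed=1):
    """Empirical fraction of random base64url tokens containing '--'.
    Deterministic for a given seed (constructed sample, not real cookies)."""
    rng = random.Random(seed)
    nbytes = (token_len * 3) // 4 + 1
    hits = 0
    for _ in range(trials):
        raw = bytes(rng.getrandbits(8) for _ in range(nbytes))
        token = base64.urlsafe_b64encode(raw).decode().rstrip("=")[:token_len]
        hits += "--" in token
    return hits / trials


if __name__ == "__main__":
    for name, hit in rule_942440_hits(SAMPLE_COOKIES).items():
        print(f"942440 hit in {name}: {hit[:40]}...")
    print("JWE header:", decode_jwe_header(JWE_HEADER))
    print("exclusion scope:", sorted(false_positive_cookies(SAMPLE_COOKIES)))
    print(f"P('--' in 200-char token) ~ {expected_double_dash_rate(200):.3f}, "
          f"measured {double_dash_rate():.3f}")
```

Because '-' is one of the 64 base64url symbols, any encoder emitting random tokens of this shape will produce "--" in a few percent of 200-character tokens and in roughly one in five 1,000-character ones; OIDCCryptoPassphrase, OIDCStateTimeout and OIDCStateMaxNumberOfCookies change the cookie's lifetime and count, not its alphabet, which is why they did not help. The defensive fix belongs on the WAF side: scope an exclusion for rule 942440 to the cookie names `false_positive_cookies` returns (Azure WAF exclusion lists can match RequestCookieNames with a StartsWith operator), rather than disabling the rule for the whole request.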