Requests blocked by OWASP scanner in Azure Application Gateway Firewall #3121


LW created
  • ABP Framework version: 5.1.4
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Hello, we are deploying our project built on top of ABP to Azure. After the deployment, we found that some of the requests are blocked by the OWASP scanner in the Azure Application Gateway Firewall. The first block comes from the authentication call:

requestUri_s /connect/authorize?response_type=code\u0026client_id=OUR_APP_App\u0026state=UXB5Zmh6VWFST3BLVUZTbXVkdEt3dWpfdWF3dy56XzFFMDNyNURESlFRQnNi\u0026redirect_uri=https%3A%2F%2FOUR_APP-qa.lw.app\u0026scope=offline_access%20openid%20profile%20role%20email%20phone%20OUR_APP\u0026code_challenge=JG1J3rF5kFDd-kQNWu5Bi7ji-zOCKWuJ4b_zK0yADjA\u0026code_challenge_method=S256\u0026nonce=UXB5Zmh6VWFST3BLVUZTbXVkdEt3dWpfdWF3dy56XzFFMDNyNURESlFRQnNi\u0026culture=en\u0026ui-culture=en

Message Detects basic SQL authentication bypass attempts 3/3

ruleSetVersion_s 3.2

ruleGroup_s REQUEST-942-APPLICATION-ATTACK-SQLI

details_message_s Pattern match (?i:(?:["'](?:\\s*?(?:is\\s*?(?:[\\d.]+\\s*?\\W.*?[\"']|\d.+["']?\\w)|\\d\\s*?(?:--|#))|(?:\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+|\\|?[\\w-]{3,}[^\\w\\s.,]+)[\"']|[\%\u0026\u003c\u003e^=]+\d\s*?(?:between|like|x?or|and|div|=))|(?i:n?and|x?x?or|div|like|between|not|\|\||\\u0026\\u0026)\s+[\s\w+]+(?:sounds\s+like\s*?["'`]|regexp\s*?\(|[=\d]+x)|in\s*?\(+\s*?select)) at REQUEST_COOKIES.

details_data_s Matched Data: "uuid":" found within REQUEST_COOKIES:twk_uuid_6272619db0d10b6f3e709056: %7B%22uuid%22%3A%221.DECWNFunxcnpgYWrV82YSGHozzios3WMXMuV6utignc1kwKN9BEe3TVjnjGCKBM2TCtxVLGqUFfGNaX8VCZSQkz0Wb2xdIjkmk7pyyl343KA437h7YKdoYt6PKa2VEcY8hVOatTY%22%2C%22version%22%3A3%2C%22domain%22%3A%22lw.app%22%2C%22ts%22%3A1653031469585%7D

details_file_s REQUEST-942-APPLICATION-ATTACK-SQLI.conf

If we disable that rule, we encounter a couple of similar blocks where the pattern matching finds illegal characters in the request cookies:

requestUri_s /api/app/***

Message SQL Comment Sequence Detected.

ruleSetVersion_s 3.2

ruleGroup_s REQUEST-942-APPLICATION-ATTACK-SQLI

details_message_s Pattern match (?:/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-|[^\u0026-]#.*?[\s\r\n\v\f]|;?\x00) at REQUEST_COOKIES.

details_data_s Matched Data: --F5xL1NDlpZthOfOfsLDkvkV1sMEefcR9Pd3u7i6Ap_m8rZALmz3YaT5tiyGccQvL1jexkpbFic8v_TNqzyp9Ke- found within REQUEST_COOKIES:XSRF-TOKEN: CfDJ8G_9tIpyArtNlo7jZliI7olinWNezAaJOZPmYgGvad_rNtd1Ia9uNi0eqRUNAs7--F5xL1NDlpZthOfOfsLDkvkV1sMEefcR9Pd3u7i6Ap_m8rZALmz3YaT5tiyGccQvL1jexkpbFic8v_TNqzyp9Ke-p2fz-iSA0WigEIeo13N67-TJ3LYX3rphCGyhx_zKSQ

details_file_s REQUEST-942-APPLICATION-ATTACK-SQLI.conf

I know this is only partially or not directly an ABP issue, but I'm looking for information on whether we can affect the token characters in some way in ABP. I suppose we cannot change the uuid existence in the authorize call?


3 Answer(s)
  • gterdem created
    Senior .NET Developer

    The twk_uuid cookie seems to be related to a chat-related module named tawk.to.

    It doesn't seem to be related to the ABP template. Is this related to your business code?

  • gterdem created
    Senior .NET Developer

    I know this is only partially or not directly an ABP issue, but I'm looking for information if we can affect the token characters in some way in ABP. I suppose we cannot change the uuid- existence in the authorize call?

    OK, as I have investigated, this is from a library you use for your business, and the cookie is set by that library.

    As it states in the Connection management cookies section of docs.tawk.help:

    The twk_idm_key cookie is a session cookie that is added only if no twk_uuid is found. It is destroyed once the page is closed.

    You can try to write a middleware to check this cookie and sanitize the request, but if you alter the twk_uuid cookie, it may misbehave and won't work as intended. I would suggest blacklisting the URL in Azure or contacting tawk support.

  • LW created

    Ahh, I missed that it was related to the tawk.to integration which we have used in our application. Thank you for your answer!
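To see exactly why the two cookies in the question trip the rules, and what gterdem's "scope it to the cookie, don't touch the token" advice leaves in place, here is an added example that is not from this thread, ABP or tawk.to: it runs the two CRS 3.2 expressions quoted in the WAF log entries above over the question's own cookie values, then applies a per-cookie, per-rule exclusion instead of disabling the rule. The rule ids 942340 and 942440 are taken from CRS 3.2 (the log quotes only the messages), the exclusion table is an assumed model of Azure WAF per-rule exclusions, and the third cookie is constructed.

```python
import re
from urllib.parse import unquote

# CRS 3.2 expressions quoted in the question's WAF log, keyed by CRS rule id (ids from CRS 3.2).
RULES = {
    942340: ("Detects basic SQL authentication bypass attempts 3/3", re.compile(
        r"""(?i:(?:["'](?:\s*?(?:is\s*?(?:[\d.]+\s*?\W.*?["']|\d.+["']?\w)|\d\s*?(?:--|#))"""
        r"""|(?:\W+[\w+-]+\s*?=\s*?\d\W+|\|?[\w-]{3,}[^\w\s.,]+)["']|[%&<>^=]+\d\s*?(?:between|like|x?or|and|div|=))"""
        r"""|(?i:n?and|x?x?or|div|like|between|not|\|\||&&)\s+[\s\w+]+(?:sounds\s+like\s*?["'`]|regexp\s*?\(|[=\d]+x)"""
        r"""|in\s*?\(+\s*?select))""")),
    942440: ("SQL Comment Sequence Detected.", re.compile(
        r"""(?:/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-|[^&-]#.*?[\s\r\n\v\f]|;?\x00)""")),
}
# Scoped exclusions modelled on Azure WAF per-rule exclusions (assumed shape): match on the
# cookie name only, and exempt only the one rule that misfires on that cookie.
EXCLUSIONS = [
    ("StartsWith", "twk_uuid_", {942340}),  # tawk.to visitor-id cookie (JSON value)
    ("Equals", "XSRF-TOKEN", {942440}),     # antiforgery token (base64url, may contain "--")
]

def is_excluded(cookie_name, rule_id):
    for op, selector, rule_ids in EXCLUSIONS:
        hit = cookie_name.startswith(selector) if op == "StartsWith" else cookie_name == selector
        if hit and rule_id in rule_ids:
            return True
    return False

def scan_cookies(cookies, apply_exclusions=False):
    # Returns {cookie_name: [(rule_id, matched_text), ...]}, the log's details_data_s.
    # The WAF inspects the URL-decoded cookie value, so decode before matching.
    findings = {}
    for name, raw in cookies.items():
        value = unquote(raw)
        for rule_id, (_message, pattern) in RULES.items():
            if apply_exclusions and is_excluded(name, rule_id):
                continue
            match = pattern.search(value)
            if match:
                findings.setdefault(name, []).append((rule_id, match.group(0)))
    return findings

# Constructed sample: the two cookie values from the question plus one unrelated cookie.
SAMPLE_COOKIES = {
    "twk_uuid_6272619db0d10b6f3e709056": "%7B%22uuid%22%3A%221.DECWNFunxcnpgYWrV82YSGHozzios3WMXMuV6utignc1kwKN9BEe3TVjnjGCKBM2TCtxVLGqUFfGNaX8VCZSQkz0Wb2xdIjkmk7pyyl343KA437h7YKdoYt6PKa2VEcY8hVOatTY%22%2C%22version%22%3A3%2C%22domain%22%3A%22lw.app%22%2C%22ts%22%3A1653031469585%7D",
    "XSRF-TOKEN": "CfDJ8G_9tIpyArtNlo7jZliI7olinWNezAaJOZPmYgGvad_rNtd1Ia9uNi0eqRUNAs7--F5xL1NDlpZthOfOfsLDkvkV1sMEefcR9Pd3u7i6Ap_m8rZALmz3YaT5tiyGccQvL1jexkpbFic8v_TNqzyp9Ke-p2fz-iSA0WigEIeo13N67-TJ3LYX3rphCGyhx_zKSQ",
    "other": "a--b-c",
}

if __name__ == "__main__":
    print(scan_cookies(SAMPLE_COOKIES))                         # both question cookies flagged
    print(scan_cookies(SAMPLE_COOKIES, apply_exclusions=True))  # only "other" remains
```

The first call reproduces the two details_data_s values from the log; the second shows that a cookie-name exclusion keeps both rules active for every other cookie.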

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06