Azure前门WAF阻止.AspNet.ApplicationCookie [英] Azure Front Door WAF is blocking .AspNet.ApplicationCookie

问题描述

我想知道是否还有其他人遇到过Azure Front Door和Azure Web应用程序防火墙的问题，并且有解决方案.

I'm wondering if anyone else has had this issue with Azure Front Door and the Azure Web Application Firewall and has a solution.

WAF正在阻止对我们的ASP.NET Web应用程序的简单GET请求.正在触发的规则是 DefaultRuleSet-1.0-SQLI-942440检测到SQL注释序列.

The WAF is blocking simple GET requests to our ASP.NET web application. The rule that is being triggered is DefaultRuleSet-1.0-SQLI-942440 SQL Comment Sequence Detected.

根据此截断示例，只能在.AspNet.ApplicationCookie中找到sql注释序列: RZI5CL3Uk8cJjmX3B8S-q0ou--OO--bctU5sx8FhazvyvfAH7wH .如果删除cookie值中的两个破折号'-'，则请求成功通过了防火墙.一旦将它们重新添加回去，该请求就会被相同的防火墙规则阻止.

The only place that I can find an sql comment sequence is in the .AspNet.ApplicationCookie as per this truncated example: RZI5CL3Uk8cJjmX3B8S-q0ou--OO--bctU5sx8FhazvyvfAH7wH. If I remove the 2 dashes '--' in the cookie value, the request successfully gets through the firewall. As soon as I add them back the request gets blocked by the same firewall rule.

看来我有2个选择.禁用我不想执行的规则(或将其从阻止"更改为日志")，或更改.AspNet.ApplicationCookie值，以确保它不包含任何会触发防火墙规则的文本. Cookie由Microsoft.Owin.Security.Cookies库生成，我不确定是否可以更改其生成方式.

It seems that I have 2 options. Disable the rule (or change it from Block to Log) which I don't want to do, or change the .AspNet.ApplicationCookie value to ensure that it does not contain any text that would trigger a firewall rule. The cookie is generated by the Microsoft.Owin.Security.Cookies library and I'm not sure if I can change how it is generated.

推荐答案

我遇到了类似的情况，并在此处写过博客:

I ran into something similar and blogged about it here: Front Door incomplete first request.

要对此进行测试，我创建了一个Web应用程序并将其置于Front Door服务的后面.在该测试应用程序中，我遍历HttpContext.HttpRequest的所有属性并将其打印出来.据我现在所看到的，直接请求和通过前门的请求之间有两个属性有所不同.对于前门请求，AcceptTypes和UserLanguages属性都为空，而在直接访问测试应用程序时，绝对填充了它们.

To test this I created a web application and put it behind the Front Door service. In that test application I iterate over all the properties of the HttpContext.HttpRequest and print them out. As far as I can see right now, there are two properties that have differences between a direct request and a request through Front Door. Both the AcceptTypes and the UserLanguages property are empty for Front Door requests, while they are absolutely filled in when directly accessing the test application.

我不太清楚第一个前门请求与直接请求不同的原因是什么.是虫子吗?是故意的，如果是，为什么?还是因为Front Door是使用不支持这些属性的框架开发的，而这些框架在转发时为空?

I’m not quite sure what the reason is for the first Front Door request to be different from a direct request. Is it a bug? Is it intentional and if so, why? Or is it because Front Door is developed using a framework that doesn’t support these properties, having them be empty when being forwarded?

不幸的是，我没有找到解决问题的方法，但是要回答是否有人遇到这种问题:我没有遇到过类似的事情.

Unfortunately I didn't find a solution to the issue, but to answer the question if anyone else is experiencing this: I did experience something similar.

这篇关于Azure前门WAF阻止.AspNet.ApplicationCookie的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！