Web Application Firewall Cookie Exclusions only exclude Value checking not Name checking
I understand it is only a Preview, but my feedback on Exclusions... if I create an Exclusion as follows:
- Field = Request cookie name
- Operator = starts with
- Selector = Nonce
This appears to stop the WAF inspecting the value of any cookie whose name starts with "Nonce". What it doesn't do is exclude the checking of the name of the cookie itself.
For example a cookie called NonceABC--XYZ would still trigger the SQL Comment Sequence rule.
This is a problem when an ASP.Net Core application that uses Open Id Connect authorisation is put behind the Application Gateway and the WAF is turned on. This is because the ASP.Net Core implementation of the OIDC flow uses some cookies to whose names it appends a random string, and that random string can often contain -- or fall foul of the SQL Hex Encoding rule.
Ideally I wouldn't have to turn off SQL injection checking for the entire site just because using an Identity Server makes use of a cookie whose name may trigger a WAF rule.
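As an added illustration (not code from the post or from the Application Gateway product), the Python below models the behaviour described above: a cookie-name exclusion suppresses inspection of the cookie value, while the cookie name is still matched against the rules, so a name such as NonceABC--XYZ is still flagged. The rule regexes are simplified approximations of the two rule names in the post, not the vendor's exact patterns, and the operator names and sample cookie header are constructed assumptions.

```python
import re

# Constructed, simplified approximations of the two rule families named in the
# post. They are NOT the vendor's exact CRS regexes; adjust them to your ruleset.
RULES = {
    "SQL Comment Sequence Detected": re.compile(r"--|/\*|\*/"),
    "SQL Hex Encoding Identified": re.compile(r"(?<![0-9A-Za-z])0x[0-9A-Fa-f]{3,}"),
}


class CookieNameExclusion:
    """Exclusion keyed on the request cookie name (operator + selector).
    Operator names are assumed for this model: startswith, equals, contains."""

    def __init__(self, operator: str, selector: str):
        self.operator, self.selector = operator, selector

    def covers(self, name: str) -> bool:
        if self.operator == "startswith":
            return name.startswith(self.selector)
        if self.operator == "equals":
            return name == self.selector
        if self.operator == "contains":
            return self.selector in name
        raise ValueError(f"unknown operator {self.operator!r}")


def parse_cookie_header(header: str) -> list:
    """Split a request Cookie header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


def audit_cookies(header: str, exclusions: list) -> list:
    """Return (cookie name, "name" | "value", rule) for every hit that survives
    the exclusions. Mirrors the observed behaviour: an exclusion suppresses
    value inspection only; the cookie name is always checked."""
    findings = []
    for name, value in parse_cookie_header(header):
        value_excluded = any(ex.covers(name) for ex in exclusions)
        for rule, pattern in RULES.items():
            if pattern.search(name):
                findings.append((name, "name", rule))
            if not value_excluded and pattern.search(value):
                findings.append((name, "value", rule))
    return findings


# Constructed sample request header; the second name imitates an OIDC
# correlation cookie with a random suffix, the others are arbitrary.
SAMPLE_HEADER = "NonceABC--XYZ=a--b; .AspNetCore.Correlation.0xdef12=ok; session=a1b2c3; plain=x--y"

if __name__ == "__main__":
    for hit in audit_cookies(SAMPLE_HEADER, [CookieNameExclusion("startswith", "Nonce")]):
        print(hit)
```

Run against an application's real cookie names before enabling the WAF to see which names (rather than values) will trip the rules regardless of exclusions.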
zhu jun commented
I think this is not just affecting ASP.Net Core application using Open Id Connect. It can happen for ASP.Net applications too. Just a single cookie with the doomed name like: "foo.0xdef" would easily trigger the blocking rule. We need a solution to exclude checking on cookie names not just the cookie value.
Filip Strycko commented
Ran into the same problem using OpenID Connect with mod_auth_openidc and WAF. In our case it is the "code" GET parameter generated by the Identity provider during the authentication process that is causing problems.
Is there any other solution than disabling WAF rules for the whole app?
Thanks for help!
Ian Iball commented
We are seeing this exact same error message with the same configuration.
Other than disabling the rules
- SQL Comment Sequence Detected
- SQL Hex Encoding Identified
or changing the code, what have people done with this?
Fink, Michael commented
Just encountered this as we're seeing more usage of OIDC. Another unfortunate app gateway limitation...
Just ran into the same issue. Annoying.