WAF URL Check not matching

A10 Networks Support Forum Forums Thunder and AX Series WAF URL Check not matching

This topic contains 6 replies, has 2 voices, and was last updated by avatar andimorris 4 weeks ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #12382
    avatar
    andimorris
    Member

    I’ve setup a WAF template to try to only allow access to certain paths for a URL, and I think I’ve done this correctly, however I am having the connection reset by the WAF even when the path is the allowed one.

    show waf policy
    Total WAF policy number: 15
    Max WAF policy file size: 256K
    Name                                     Syntax   Template             Learning
    -------------------------------------------------------------------------------
    _testrecruit_path_url_check_             Check    Bind                 Yes
    LL-LB-1-vBlade[1/1](axdebug)#show waf policy _testrecruit_path_url_check_
    Name:                    _testrecruit_path_url_check_
    Syntax:                  Check
    
    In WAF Template:
                             testrecruit_path (for url-check)
    
    Content:
         Matches      Value
    ----------------------------------------------------------------------------------------------------------------
         0            /ttest_webrecruitment/
    [WAF] Template testrecruit_path active mode
    [WAF] HTTP Request: GET /ttest_webrecruitment HTTP/1.1
    [WAF] ---------------- Request Headers ----------------
    [WAF] Host: testrecruitment.cardiffmet.ac.uk
    [WAF] Connection: keep-alive
    [WAF] Cache-Control: max-age=0
    [WAF] Upgrade-Insecure-Requests: 1
    [WAF] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
    [WAF] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    [WAF] Accept-Encoding: gzip, deflate, br
    [WAF] Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    [WAF] Cookie: _ga=GA1.3.1002587673.1501671139
    [WAF] -------------------------------------------------
    [WAF] New session created: Id=38dcf9f74f28f0
    [WAF] Buffer overflow check...
    [WAF] URI length: 21
    [WAF] URI length 21 over limit (0)
    [WAF] Template testrecruit_path active mode. Request denied by WAF. Resetting connection...

    Can anyone please let me know where I’m going wrong?

    #12392
    avatar
    tjones
    Member

    Hi Andi,

    The issue is provided in the logs. Whenever you move to active mode, many other checks are enabled in the WAF template, so please check them. The message below says that the issue is with the buffer overflow. This is a side effect of enabling WAF, so you must be sure to check all pages behind the URI and ensure none of the checks impact the site. You can modify these settings while the template is active.

    [WAF] Buffer overflow check…
    [WAF] URI length: 21
    [WAF] URI length 21 over limit (0)

    I’ve include a screen shot from Splunk. I believe it to be easier to troubleshoot WAF using a good syslog server as it makes the logs easier point out the issues. The screen shot shows where I have an active template with the correct url-check URI, however the HTTP max form fields caused the failure (deny). I modified the waf template max-parameters=2 and the site now passes.

    WAF01 tempalte:

    vThunder01-Active-affinity-def-vMaster[5/1]#show run waf template WAF01
    !Section configuration: 1334 bytes
    !
    waf template WAF01
    allowed-http-methods GET
    buf-ovf disable
    buf-ovf max-cookie-len 0
    buf-ovf max-cookie-name-len 0
    buf-ovf max-cookie-value-len 0
    buf-ovf max-cookies-len 0
    buf-ovf max-hdr-name-len 0
    buf-ovf max-hdr-value-len 0
    buf-ovf max-hdrs-len 0
    buf-ovf max-line-len 0
    buf-ovf max-parameter-name-len 0
    buf-ovf max-parameter-total-len 0
    buf-ovf max-parameter-value-len 0
    buf-ovf max-post-size 0
    buf-ovf max-query-len 0
    buf-ovf max-url-len 0
    ccn-mask
    deny-action http-resp-403 “<html><title>Request Denied!</title><body><center><h1>Request Denied!</h1><p>If you have any questions contact the admin.</p></center></body></html>”
    json-limit max-array-value-count 0
    json-limit max-depth 0
    json-limit max-object-member-count 0
    json-limit max-string 0
    log-succ-reqs
    max-cookies 0
    max-entities 0
    max-hdrs 11
    max-parameters 2
    ssn-mask
    template logging WAF-LOG-DATA01
    url-check
    xml-limit max-attr 0
    xml-limit max-attr-name-len 0
    xml-limit max-attr-value-len 0
    xml-limit max-cdata-len 0
    xml-limit max-elem 0
    xml-limit max-elem-child 0
    xml-limit max-elem-depth 0
    xml-limit max-elem-name-len 0
    xml-limit max-entity-exp 0
    xml-limit max-entity-exp-depth 0
    xml-limit max-namespace 0
    xml-limit max-namespace-uri-len 0

    • This reply was modified 4 weeks, 1 day ago by avatar tjones.
    Attachments:
    You must be logged in to view attached files.
    #12422
    avatar
    andimorris
    Member

    Ah I see. I was reading the (0) as a no match on the buffer overflow check.
    Thanks for the really informative response. I’ll check it out tomorrow and see how it goes.

    #12462
    avatar
    andimorris
    Member

    That’s looking much better now, however what I require to happen is that the WAF allows anything following the path given

    e.g. /ttest_webrecruitment/*

    I remember reading somewhere that the URL check reads PCRE Regex, so I tried:
    /\/ttest_webrecruitment\//g
    but whilst the syntax passes, the WAF is still blocking any requests for paths beyond the given path.

    [WAF] Template testrecruit_path active mode
    [WAF] HTTP Request: GET /ttest_webrecruitment/wrd/run/etrec105gf.open?wvid=4385410jIi HTTP/1.1
    [WAF] ---------------- Request Headers ----------------
    [WAF] Host: testrecruitment.cardiffmet.ac.uk
    [WAF] Connection: keep-alive
    [WAF] Cache-Control: max-age=0
    [WAF] Upgrade-Insecure-Requests: 1
    [WAF] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
    [WAF] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    [WAF] Referer: https://testrecruitment.cardiffmet.ac.uk/ttest_webrecruitment/wrd/run/etrec002gf.open
    [WAF] Accept-Encoding: gzip, deflate, br
    [WAF] Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    [WAF] Cookie: _ga=GA1.3.1002587673.1501671139
    [WAF] -------------------------------------------------
    [WAF] New session created: Id=fdaf10225238ffd5
    [WAF] orig_len=61, sanity=124
    [WAF] n_url[len=61,offset=0]=/ttest_webrecruitment/wrd/run/etrec105gf.open?wvid=4385410jii
    [WAF] n_query_string[15]=wvid=4385410jii
    [WAF] URL check: /ttest_webrecruitment/wrd/run/
    [WAF] URL check failed: /ttest_webrecruitment/wrd/run/
    [WAF] Template testrecruit_path active mode. Request denied by WAF. Resetting connection...

    is there a way to do this? If I have to manually declare all of the paths I’m going to have to find a different way to do this as that will be just far too time consuming.

    #12512
    avatar
    tjones
    Member

    I am not aware of any way to allow the subsequent paths as you are requesting. It does make sense, but somewhat circumvents the url-check protection.

    Someone else may know if it’s possible, otherwise, it would be required to have all URI (full paths) that are valid in the folder directory structure for the website in the url-check policy file.

    If it’s an apache server, you could just do a quick bash script to list all the folders like this then paste them into the file:

    find . -maxdepth 10 -type d -exec echo {} \;

    I’m sure powershell could do same if windows if needed, but I don’t have an example.

    #12572
    avatar
    andimorris
    Member

    Yeah I understand that I guess. Ideally I’d like to be able to say /thisfolder/* which would potentially stop any access to the root, plus any other folders that you might want to remain hidden from view. We used to do this in TMG and it worked a treat.

    The bash script seems to work well, thanks for that. Struggling with the powershell version, but I’ll see what I can do here.

    Thanks again for your help.

    #12592
    avatar
    andimorris
    Member

    I now have this working with some aflex. Posting it up in case anyone needs it in the future.

    when HTTP_REQUEST {
    
    if { [string tolower [HTTP::uri]] starts_with "/path1/"} {
    pool sg1
    } elseif  { [string tolower [HTTP::uri]] starts_with "/path2/"} {
    pool sg1
    } elseif  { [string tolower [HTTP::uri]] starts_with "/path3/"} {
    pool sg1
    } else {
    
    HTTP::respond 403
    }
    }
Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.

Comments are closed.