WAF URL Check not matching

I've set up a WAF template to try to only allow access to certain paths for a URL, and I think I've done this correctly; however, I am having the connection reset by the WAF even when the path is the allowed one.
show waf policy
Total WAF policy number: 15
Max WAF policy file size: 256K
Name                                     Syntax   Template             Learning
-------------------------------------------------------------------------------
_testrecruit_path_url_check_             Check    Bind                 Yes
LL-LB-1-vBlade[1/1](axdebug)#show waf policy _testrecruit_path_url_check_
Name:                    _testrecruit_path_url_check_
Syntax:                  Check

In WAF Template:
                         testrecruit_path (for url-check)

Content:
     Matches      Value
----------------------------------------------------------------------------------------------------------------
     0            /ttest_webrecruitment/
[WAF] Template testrecruit_path active mode
[WAF] HTTP Request: GET /ttest_webrecruitment HTTP/1.1
[WAF] ---------------- Request Headers ----------------
[WAF] Host: testrecruitment.cardiffmet.ac.uk
[WAF] Connection: keep-alive
[WAF] Cache-Control: max-age=0
[WAF] Upgrade-Insecure-Requests: 1
[WAF] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
[WAF] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
[WAF] Accept-Encoding: gzip, deflate, br
[WAF] Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
[WAF] Cookie: _ga=GA1.3.1002587673.1501671139
[WAF] -------------------------------------------------
[WAF] New session created: Id=38dcf9f74f28f0
[WAF] Buffer overflow check...
[WAF] URI length: 21
[WAF] URI length 21 over limit (0)
[WAF] Template testrecruit_path active mode. Request denied by WAF. Resetting connection...

Can anyone please let me know where I'm going wrong?

Comments

  • edited August 2017
    Hi Andi,

    The issue is provided in the logs. Whenever you move to active mode, many other checks are enabled in the WAF template, so please check them. The message below says that the issue is with the buffer overflow. This is a side effect of enabling WAF, so you must be sure to check all pages behind the URI and ensure none of the checks impact the site. You can modify these settings while the template is active.

    [WAF] Buffer overflow check...
    [WAF] URI length: 21
    [WAF] URI length 21 over limit (0)

    I've included a screenshot from Splunk. I believe it is easier to troubleshoot WAF using a good syslog server, as it makes it easier to point out the issues. The screenshot shows where I have an active template with the correct url-check URI; however, the HTTP max form fields caused the failure (deny). I modified the WAF template to max-parameters=2 and the site now passes.

    WAF01 template:

    vThunder01-Active-affinity-def-vMaster[5/1]#show run waf template WAF01
    !Section configuration: 1334 bytes
    !
    waf template WAF01
    allowed-http-methods GET
    buf-ovf disable
    buf-ovf max-cookie-len 0
    buf-ovf max-cookie-name-len 0
    buf-ovf max-cookie-value-len 0
    buf-ovf max-cookies-len 0
    buf-ovf max-hdr-name-len 0
    buf-ovf max-hdr-value-len 0
    buf-ovf max-hdrs-len 0
    buf-ovf max-line-len 0
    buf-ovf max-parameter-name-len 0
    buf-ovf max-parameter-total-len 0
    buf-ovf max-parameter-value-len 0
    buf-ovf max-post-size 0
    buf-ovf max-query-len 0
    buf-ovf max-url-len 0
    ccn-mask
    deny-action http-resp-403 "<html><title>Request Denied!</title><body><center><h1>Request Denied!</h1><p>If you have any questions contact the admin.</p></center></body></html>"
    json-limit max-array-value-count 0
    json-limit max-depth 0
    json-limit max-object-member-count 0
    json-limit max-string 0
    log-succ-reqs
    max-cookies 0
    max-entities 0
    max-hdrs 11
    max-parameters 2
    ssn-mask
    template logging WAF-LOG-DATA01
    url-check
    xml-limit max-attr 0
    xml-limit max-attr-name-len 0
    xml-limit max-attr-value-len 0
    xml-limit max-cdata-len 0
    xml-limit max-elem 0
    xml-limit max-elem-child 0
    xml-limit max-elem-depth 0
    xml-limit max-elem-name-len 0
    xml-limit max-entity-exp 0
    xml-limit max-entity-exp-depth 0
    xml-limit max-namespace 0
    xml-limit max-namespace-uri-len 0
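As an added example (not from the thread or from A10), here is a small Python triage helper that reads the `[WAF]` debug output quoted above and reports the request line, the session id and which template check produced the deny, so the reason line just before "Request denied" is not misread; the two sample transactions are constructed from the lines posted in this thread, and the mapping from reason wording to template keyword covers only the two checks seen here.

```python
import re

# Constructed sample input: the two denials posted in the thread, cut down to the relevant lines.
LOG_BUF_OVF = """\
[WAF] Template testrecruit_path active mode
[WAF] HTTP Request: GET /ttest_webrecruitment HTTP/1.1
[WAF] New session created: Id=38dcf9f74f28f0
[WAF] Buffer overflow check...
[WAF] URI length: 21
[WAF] URI length 21 over limit (0)
[WAF] Template testrecruit_path active mode. Request denied by WAF. Resetting connection...
"""
LOG_URL_CHECK = """\
[WAF] Template testrecruit_path active mode
[WAF] HTTP Request: GET /ttest_webrecruitment/wrd/run/etrec105gf.open?wvid=4385410jIi HTTP/1.1
[WAF] New session created: Id=fdaf10225238ffd5
[WAF] URL check: /ttest_webrecruitment/wrd/run/
[WAF] URL check failed: /ttest_webrecruitment/wrd/run/
[WAF] Template testrecruit_path active mode. Request denied by WAF. Resetting connection...
"""

# Wording of a deny reason -> the "waf template" keyword that controls that check (assumed mapping).
CHECK_KEYWORDS = [
    (re.compile(r"over limit \(\d+\)$"), "buf-ovf"),
    (re.compile(r"^URL check failed: "), "url-check"),
]

def triage(log_text):
    """Summarise one WAF debug transaction: the request, whether it was denied, which check fired."""
    rec = {"template": None, "method": None, "uri": None,
           "session": None, "denied": False, "reason": None, "check": None}
    prev = None
    for raw in log_text.splitlines():
        if not raw.startswith("[WAF] "):
            continue
        line = raw[len("[WAF] "):]
        if m := re.match(r"HTTP Request: (\S+) (\S+) HTTP/", line):
            rec["method"], rec["uri"] = m.group(1), m.group(2)
        elif m := re.match(r"New session created: Id=(\w+)", line):
            rec["session"] = m.group(1)
        elif m := re.match(r"Template (\S+) active mode", line):
            rec["template"] = m.group(1)
            if "Request denied" in line:
                # The line just before the verdict names the failed check; for buf-ovf the
                # number in parentheses is the configured limit, not a match count.
                rec["denied"], rec["reason"] = True, prev
                rec["check"] = next((kw for pat, kw in CHECK_KEYWORDS if pat.search(prev or "")), "unknown")
        prev = line
    return rec
```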
  • andimorrisandimorris Member
    edited August 2017
    Ah I see. I was reading the (0) as a no match on the buffer overflow check.
    Thanks for the really informative response. I'll check it out tomorrow and see how it goes.
  • andimorrisandimorris Member
    edited August 2017
    That's looking much better now; however, what I require to happen is that the WAF allows anything following the path given,

    e.g. /ttest_webrecruitment/*

    I remember reading somewhere that the URL check reads PCRE Regex, so I tried:
    /\/ttest_webrecruitment\//g
    but whilst the syntax passes, the WAF is still blocking any requests for paths beyond the given path.
    [WAF] Template testrecruit_path active mode
    [WAF] HTTP Request: GET /ttest_webrecruitment/wrd/run/etrec105gf.open?wvid=4385410jIi HTTP/1.1
    [WAF] ---------------- Request Headers ----------------
    [WAF] Host: testrecruitment.cardiffmet.ac.uk
    [WAF] Connection: keep-alive
    [WAF] Cache-Control: max-age=0
    [WAF] Upgrade-Insecure-Requests: 1
    [WAF] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
    [WAF] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    [WAF] Referer: https://testrecruitment.cardiffmet.ac.uk/ttest_webrecruitment/wrd/run/etrec002gf.open
    [WAF] Accept-Encoding: gzip, deflate, br
    [WAF] Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    [WAF] Cookie: _ga=GA1.3.1002587673.1501671139
    [WAF] -------------------------------------------------
    [WAF] New session created: Id=fdaf10225238ffd5
    [WAF] orig_len=61, sanity=124
    [WAF] n_url[len=61,offset=0]=/ttest_webrecruitment/wrd/run/etrec105gf.open?wvid=4385410jii
    [WAF] n_query_string[15]=wvid=4385410jii
    [WAF] URL check: /ttest_webrecruitment/wrd/run/
    [WAF] URL check failed: /ttest_webrecruitment/wrd/run/
    [WAF] Template testrecruit_path active mode. Request denied by WAF. Resetting connection...

    Is there a way to do this? If I have to manually declare all of the paths, I'm going to have to find a different way to do this, as that will be just far too time-consuming.
  • edited August 2017
    I am not aware of any way to allow the subsequent paths as you are requesting. It does make sense, but somewhat circumvents the url-check protection.

    Someone else may know if it's possible, otherwise, it would be required to have all URI (full paths) that are valid in the folder directory structure for the website in the url-check policy file.

    If it's an apache server, you could just do a quick bash script to list all the folders like this then paste them into the file:

    find . -maxdepth 10 -type d -exec echo {} \;

    I'm sure PowerShell could do the same on Windows if needed, but I don't have an example.
  • andimorrisandimorris Member
    edited August 2017
    Yeah I understand that I guess. Ideally I'd like to be able to say /thisfolder/* which would potentially stop any access to the root, plus any other folders that you might want to remain hidden from view. We used to do this in TMG and it worked a treat.

    The bash script seems to work well, thanks for that. Struggling with the powershell version, but I'll see what I can do here.

    Thanks again for your help.
  • andimorrisandimorris Member
    edited August 2017
    I now have this working with some aFleX. Posting it up in case anyone needs it in the future.
    when HTTP_REQUEST {
        # Lower-case the URI before comparing, then send anything under an allowed prefix to the pool
        if { [string tolower [HTTP::uri]] starts_with "/path1/" } {
            pool sg1
        } elseif { [string tolower [HTTP::uri]] starts_with "/path2/" } {
            pool sg1
        } elseif { [string tolower [HTTP::uri]] starts_with "/path3/" } {
            pool sg1
        } else {
            # Anything outside the allowed prefixes is refused
            HTTP::respond 403
        }
    }
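As an added example (not from the thread and not A10's aFleX), this Python version applies the same prefix allow-list as the rule above but canonicalises the URI first: it drops the query string, percent-decodes, lower-cases (the WAF's own `n_url` line is lower-cased too) and resolves `.`/`..`/repeated slashes, so the prefix decision is made on the path the backend will actually see; the prefixes and pool name are the placeholders from the post.

```python
import posixpath
from urllib.parse import unquote

# Constructed allow-list mirroring the aFleX rule: any URI under these prefixes goes to pool sg1.
ALLOWED_PREFIXES = {"/path1/": "sg1", "/path2/": "sg1", "/path3/": "sg1"}

def normalize_path(uri):
    """Reduce a request URI to a canonical path before matching: drop the query string,
    percent-decode, lower-case, then resolve '.', '..' and repeated slashes. A trailing
    slash is preserved because the allow-list prefixes end in one."""
    path = unquote(uri.split("?", 1)[0]).lower()
    path = "/" + path.lstrip("/")            # absolute path with a single leading slash
    trailing = "/" if path.endswith("/") and path != "/" else ""
    norm = posixpath.normpath(path)          # '..' at the root is discarded, never escapes it
    return norm if norm == "/" else norm + trailing

def route(uri, prefixes=ALLOWED_PREFIXES):
    """Return ('allow', pool) when the canonical path is under an allowed prefix, otherwise
    ('deny', None), the equivalent of the aFleX 'HTTP::respond 403' branch. As in the rule,
    '/path1' without the trailing slash is not matched."""
    path = normalize_path(uri)
    for prefix, pool in prefixes.items():
        if path.startswith(prefix):
            return "allow", pool
    return "deny", None
```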