Azure Web App

crypto 21

Hi,
Does anyone know if it's possible or there is a service that can scan url's displayed in a webapp? We storing a string attribute of urls in a Cosmos DB, which is then rendered as a url /link in the front end webapp. Want to scan for and block urls that go to malicious sites. Does anyone know if this is possible?

crypto 21 Reputation points

2022-06-12T01:45:43.19+00:00

I don't know what happened to your 2 previous answers either, apologies...
risolis 8,701 Reputation points

2022-06-12T02:07:09.607+00:00

Hi,

Thanks for your response.

I did not understand your previous post... what did you mean?

Cheers,

Accepted answer

Rosen Katsarov 81 Reputation points

2022-06-14T11:13:43.483+00:00

If I understand your requirement correctly, you want to ensure that users are not entering malicious URLs / or said malicious URLs are purged / not stored from the databse?

You can subscribe for a threat intelligence service, like virus total, and have a backend app logic to check each entered URL against the API of such service for the URL score. Then based on the returned score you can consider it benign or malicious and take necessary actions (like, not saving it from the database, or if acting retrospectively, purge the entry).

Hope that make sense.

Regards,

Rosen
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

1 additional answer

risolis 8,701 Reputation points

2022-06-10T06:38:29.667+00:00

Hello @crypto

Thanks for posting here.

I am wondering if I understood correctly your concern... Do you need a online service or feature from azure itself or any other vendor??

For instance, if you need to scan a website or check their TLS/SSL certificate you might use this as an online scan service.

https://www.ssllabs.com/ssltest/

But I do not know if you were referring to access restriction feature or SSL binding restriction....

Looking forward to your feedback,

Best Regards,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
risolis 8,701 Reputation points

2022-06-10T06:47:28.177+00:00

Please check this one out as well.

https://learn.microsoft.com/en-us/azure/firewall/web-categories

Best Regards,

crypto 21 Reputation points

2022-06-11T01:38:57.693+00:00

Hi,

It's a strange requirement I understand. Looking for a native feature/service in Azure preferably, or potentially 3rd party vendor. We have users that will be entering urls into the web app front end. This is then stored as a string attribute in cosmos db, it is or can be rendered in the web app and clicked on by the users. Although normally you would expect the end users system be fronted by a proxy or firewall service to block malicious sites. It is possible that's not the case and the end user is allowed to click through to a malicious site from within the web app.

We would like to scan all urls stored in either the web app or cosmos db to ensure they're safe.

risolis 8,701 Reputation points

2022-06-11T04:37:17.227+00:00

Hi @crypto

Thank you for your explanation.

Let me try to address your concern by providing you this link below:

https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview

You will find this image which seems to be pretty similar for you what have said previously.

Cheers!

risolis 8,701 Reputation points

2022-06-11T04:39:39.96+00:00

Having said that... I am sharing this other solution.

https://www.nginx.com/blog/securing-applications-microsoft-azure-app-service-nginx-plus/#:~:text=Basically%2C%20an%20application%20created%20with%20Azure%20App%20Service,protocols%20such%20as%20OAuth2%20or%20OpenID%20Connect%20%28OIDC%29.

BR,

risolis 8,701 Reputation points

2022-06-11T04:55:39.047+00:00

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwide

crypto 21 Reputation points

2022-06-12T01:37:10.177+00:00

Thanks, we are already running an Azure FD with a WAF. I'm not exactly sure which policy or where to configure it, so it won't allow a user to enter say a porn website into the webapp, I'm not sure how that would work, as my understanding is the webapp is rendering the url and the user on their system clicks on the link from their device, how would a WAF policy in my Azure environment prevent that? Thanks for your assistance.

risolis 8,701 Reputation points

2022-06-12T06:53:21.037+00:00

Your welcome!

For instance on my last link, you should have found this info...

Cheers

risolis 8,701 Reputation points

2022-06-12T06:55:27.123+00:00

BR,

crypto 21 Reputation points

2022-06-13T22:53:50.6+00:00

Hi @risolis ,

Thanks for your replies.

I think I left out a crucial piece of information, apologies. The end users of the webapp are business users who's accounts and devices are not manged by our Azure AD, it's like a consumer application. We have a B2C instance where the users have created local accounts to authenticate through to the webapp in our Azure AD tenant, so we have no control of what is running on their endpoint devices, and therefore cannot enforce defender for endpoint.

The user/consumer of the app has the ability to create a record in the app, in the record there has a field that allows an entry of a url. When the record is saved, it's saved into Cosmos DB. When that or another user that has access wants to view or edit the same record, the front end webapp renders the url to them. They can then click on it to be taken to the url of the website. They are essentially a business customer we have no control of.

I'm looking for a way to scan or filter a url/text field that is rendered in a front end webapp for malicious websites, either before it's stored into Cosmos DB or upon retrieval.

Hope I've clarified this.

risolis 8,701 Reputation points

2022-06-14T02:03:54.8+00:00

Hi @crypto

Thanks a lot for your entire explanation.

Now I got more familiar with it much better : )

I would say that you may be interesting in Azure AD DNS filtering along with IAM setting(If I am not mistaken).

All the suggestion discussed are useful as well but the one can fit into your case scenario is the one give previously.

Regards,

crypto 21 Reputation points

2022-06-14T04:46:07.987+00:00

Hi @risolis ,

If I'm reading your suggestion correctly, we would need to deploy something to the endpoints? If that's correct we can't do that as they are not our corporate devices. Did I misunderstand your suggestion, or do you have a link to point me to?

Cheers

risolis 8,701 Reputation points

2022-06-15T02:27:22.84+00:00

Hi @crypto

On the Endpoints is not required... It is just Azure AD DNS and then use a user policy.

Cheers
Sign in to comment