SohaibAsghar-4735 asked:

Link is throwing 403 – Forbidden

Following link is throwing 403 – Forbidden

A web application hosted in Azure App Service and protected by Application Gateway throws the following error (403 – Forbidden) when we enter this URL in the browser: https://app.mysha.pe/login?state=d:boot.ini

We noticed this 403 redirection is happening at the Application Gateway level.

We are unable to fix this issue because it is App Gateway default behavior.


As per PEN testing: “The website exhibits behavior which hints that there may be an LFI/RFI vulnerability in the code.”





Tags: azure-application-gateway, azure-webapps-ssl-certificates

Hello @SohaibAsghar-4735 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Could you please share the below details for further investigation on this issue?

  1. What is the SKU of your Application gateway - v1 or v2?

  2. If v1 SKU, could you please share your listener configuration?

  3. If v2 SKU, could you please validate if mutual authentication is configured for this Application gateway?

  4. Is WAF enabled with Detection mode or Protection mode?

Regards,
Gita


Hello @SohaibAsghar-4735 ,

I'm following up on my above comment. Could you please provide the requested details for further discussion on this issue?

Regards,
Gita


Hi @GitaraniSharmaMSFT-4262,

Thanks for helping out on this.

  1. The SKU of the Application Gateway is v1.

  2. It is listening on the public front-end IP, port 443 (HTTPS), with the website certificate uploaded, basic listener type.

  3. It is enabled with Prevention mode.


Hello @SohaibAsghar-4735 ,

Thank you for the details.
I see that you are accessing the application gateway via a custom domain "app.mysha.pe".

Could you please validate if your App service is configured properly with the Application gateway?
You can refer the following article : https://docs.microsoft.com/en-us/azure/application-gateway/configure-web-app?tabs=customdomain%2Cazure-portal

Make sure that the DNS configuration is complete.

DNS is relevant in two places:
- The DNS name which the user or client is using towards Application Gateway and which is shown in the browser.
- The DNS name which Application Gateway is internally using to access the App Service in the backend.

Regards,
Gita


Hello @SohaibAsghar-4735 ,

Could you please provide an update on this issue?

Regards,
Gita

GitaraniSharmaMSFT-4262 answered:

Hello @SohaibAsghar-4735 ,

Apologies for the delay in my response.

I understand that you have a web application hosted in Azure App Service, protected by Application Gateway, and that it throws a 403 error when you enter the following URL in the browser: https://app.mysha.pe/login?state=d:boot.ini

After discussing this issue, we found that the configuration of Application Gateway v1 is correct and that the WAF is preventing access to the application page and throwing the 403 error because you have WAF enabled in "Prevention" mode. You found that the URL is hitting a mandatory rule in WAF, which cannot be disabled, and need a way forward to fix this issue.

If you believe that the blocked URL is safe and would like to let it pass through the WAF, you could use an Exclusion list.
Refer : https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#using-an-exclusion-list
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration

Example 2 from the below doc matches your scenario:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration#example-2
So, you could set up an exclusion list as shown in the above example, substituting your own values; the WAF then won't evaluate the string d:boot.ini, but it will still evaluate the parameter name state.

To add an exclusion, you need to create a WAF policy and associate it with your Application gateway.
Refer : https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview

You can also set the exclusion via Azure portal in your WAF policy as below:

[portal screenshot: exclusion settings in the WAF policy blade]

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



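The exclusion the answer above describes, written out in Azure PowerShell as an added example (this is not code from the thread or from the Microsoft docs page it links). The thread's gateway is a v1 WAF SKU, where exclusions live in the gateway's own WAF configuration rather than in a separate WAF policy resource (WAF policy resources attach to v2 gateways; the v2 equivalent is New-AzApplicationGatewayFirewallPolicyExclusion on the policy's managed rules). The resource group and gateway names are assumptions. The exclusion matches the request argument named `state` and skips only its value; the parameter name itself is still inspected, as the answer notes.

```powershell
# Added example, not from the original thread. Excludes the value of the "state"
# query parameter from WAF evaluation on an Application Gateway v1 WAF SKU.
$rgName    = "rg-appgw"       # assumption: your resource group
$appgwName = "appgw-v1-waf"   # assumption: your gateway name

$appgw = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgName

# Exclusion: request argument whose name equals "state" (value skipped, name still checked).
# Equals is deliberately used instead of Contains/StartsWith so that only this one
# parameter is exempted, not every argument whose name happens to contain "state".
$stateExclusion = New-AzApplicationGatewayFirewallExclusionConfig `
    -Variable "RequestArgNames" `
    -Operator "Equals" `
    -Selector "state"

# Keep the existing rule set and Prevention mode; Set-...WebApplicationFirewallConfiguration
# replaces the whole WAF config, so any pre-existing exclusions must be passed again here.
$wafCfg        = $appgw.WebApplicationFirewallConfiguration
$allExclusions = @($wafCfg.Exclusions) + $stateExclusion

$appgw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration `
    -ApplicationGateway $appgw `
    -Enabled $true `
    -FirewallMode "Prevention" `
    -RuleSetType $wafCfg.RuleSetType `
    -RuleSetVersion $wafCfg.RuleSetVersion `
    -Exclusion $allExclusions

# Commit the change to Azure (this is the slow step; the gateway is updated in place).
Set-AzApplicationGateway -ApplicationGateway $appgw | Out-Null

# Verify: read the gateway back and list the exclusions now in force.
$check = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgName
$check.WebApplicationFirewallConfiguration.Exclusions |
    Format-Table Variable, Operator, Selector
```

Before applying this, be clear about what it trades away: every managed rule stops looking at the value of `state`, so a path-traversal or injection payload carried in that parameter reaches the App Service unfiltered. That is only acceptable if the application itself validates `state` (for example, only ever compares it against a server-issued value and never uses it as a path). Test the decision by sending the same request with the WAF in Detection mode first and checking the ApplicationGatewayFirewallLog entries to see which rule IDs fire, so you know exactly what the exclusion suppresses.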

AnjiKeesari-9169 answered:

Hello GitaraniSharmaMSFT-4262,

Thanks for the details. We believe that the blocked URL is not safe, therefore we can't put it in the exclusion list. But our PEN testing team reported the 403 shown here as a security vulnerability. Can you please confirm from Microsoft that throwing a 403 in this case is the correct way and is not any security risk, so that we can pass your information to our PEN testing team?

Thanks
Anji


Hello @AnjiKeesari-9169 ,

The 403 code is served directly by the Application Gateway when the Application Gateway WAF detects malicious traffic and blocks it. This behavior is correct and does not have any security risk.

Regards,
Gita


Allow me to jump in, Gita, and explain.

Our PEN testing company raised an issue when the WAF returned a 403 error, citing that it pointed towards a response that confirmed to a hacker that this may be a route to target. I think this is an entirely fair assessment on their part.
Hackers seek vulnerabilities. Getting a 403 is a common method of probing for a deeper attack.
Appreciate you at the Mighty Microsoft, but are you saying that Microsoft have no issue or concern here, and thus we can just refer the PEN testers and any future clients who raise concerns to you here?
Ali Khan


Hello @AliKhan-9798 ,

I believe that the question asked by @AnjiKeesari-9169 was "Is the WAF responding with a 403 error correct behavior?". The answer to that question is yes: if the WAF detects malicious traffic, then it will block it with a 403 error. This is by design.
Refer : https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview#waf-modes

Now, I'm not aware of the exact scenario of the pen test results. What was the report? Is the 403 error itself flagged as a vulnerability? Or is it exposing some server field/header in the error which is causing the vulnerability?

From my past working experience, I have seen customers reporting that the error exposes some server headers which are causing vulnerabilities for them.
For e.g. : https://docs.microsoft.com/en-us/answers/questions/627494/index.html

App gateway v2 allows you to rewrite selected content of requests and responses with some limitations, which helps in such cases.
Refer : https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url
https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#limitations

I would need more details on your pen test reports to further comment on this issue.
Could you please share the exact pen test report/vulnerability?

Regards,
Gita


Hello Gita,

Thanks for your response. Very helpful.
The short answer to your question is that we don't expose any field/headers.

The issue the pen testers outline is simply that the 403 response itself should be neutralised to provide no clue to the user that there is something vulnerable to attack.
This is a fair request.

So it's the message itself that is the issue. Does this make sense?

Ali


Hello @AliKhan-9798 ,

Thank you for the update.

In this case, my suggestion is to configure a custom error page for the 403 WAF error.
You can configure a custom error page for a 403 web application firewall error or a 502 maintenance page.

Custom error pages can be defined at the global level and the listener level:
- Global level - the error page applies to traffic for all the web applications deployed on that application gateway.
- Listener level - the error page is applied to traffic received on that listener.
- Both - the custom error page defined at the listener level overrides the one set at global level.

You must also specify a publicly accessible blob URL for the given error status code.

Refer : https://docs.microsoft.com/en-us/azure/application-gateway/configuration-listeners#custom-error-pages
https://docs.microsoft.com/en-us/azure/application-gateway/custom-error

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,
Gita

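The custom error page configuration described in the comment above, as an added Azure PowerShell example (not code from the thread or from the linked docs). It sets a listener-level page for the WAF 403 on the HTTPS listener, which overrides any page set at the gateway level, and then requests the URL from the original question to confirm what the client now sees. The resource group, gateway name, listener name and blob URL are assumptions; the page must be a publicly readable .htm/.html file in a storage account, as the comment says.

```powershell
# Added example, not from the original thread. Serves a neutral page for WAF 403s
# on one listener, then checks the response for the blocked URL from the question.
$rgName       = "rg-appgw"                  # assumption
$appgwName    = "appgw-v1-waf"              # assumption
$listenerName = "appGatewayHttpsListener"   # assumption: the 443 listener from the thread
# Assumption: a publicly readable blob holding a plain "request blocked" page.
# Use one neutral page for all 403s so a blocked request looks like any other denial.
$error403Url  = "https://example.blob.core.windows.net/errors/blocked.html"

$appgw    = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgName
$listener = Get-AzApplicationGatewayHttpListener -Name $listenerName -ApplicationGateway $appgw

# Listener level: applies only to traffic on this listener and overrides the global page.
Add-AzApplicationGatewayCustomError -HttpListener $listener `
    -StatusCode HttpStatus403 -CustomErrorPageUrl $error403Url | Out-Null

# Gateway (global) level would be, instead of or in addition to the above:
# Add-AzApplicationGatewayCustomError -ApplicationGateway $appgw `
#     -StatusCode HttpStatus403 -CustomErrorPageUrl $error403Url | Out-Null

# Commit the change.
Set-AzApplicationGateway -ApplicationGateway $appgw | Out-Null

# Check what a client sees for the request the pen testers flagged. Invoke-WebRequest
# throws on 4xx, so read the status code and the body out of the exception.
$probe = "https://app.mysha.pe/login?state=d:boot.ini"
try {
    $r = Invoke-WebRequest -Uri $probe -UseBasicParsing
    "Status: $([int]$r.StatusCode)"
} catch {
    $resp = $_.Exception.Response
    "Status: $([int]$resp.StatusCode)"
    # Body: the custom page should now be returned instead of the gateway's default 403 text.
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $reader.ReadToEnd()
}
```

The custom page only replaces the response body; the request is still blocked with a 403 status, so a scanner that keys on the status code rather than the page content will still distinguish a WAF block from a normal page. That difference is inherent to a WAF in Prevention mode. What the page does remove is any stock WAF wording that tells the client which product blocked the request and why, which is the part of the response worth neutralising.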