Following link is throwing 403 – Forbidden

A web application hosted in Azure App Service and protected by Application Gateway is throwing the following error (403 – Forbidden) when we enter the following URL in the browser: https://app.mysha.pe/login?state=d:\boot.ini

We noticed this 403 redirection is happening at the Application Gateway level.

We are unable to fix this issue because it is App Gateway default behavior.

As per PEN testing, “The website exhibits behavior which hints that there may be an LFI/RFI vulnerability in the code”.

Hello @Sohaib Asghar ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Could you please share the below details for further investigation on this issue?

  • What is the SKU of your Application gateway - v1 or v2?
  • If v1 SKU, could you please share your listener configuration?
  • If v2 SKU, could you please validate if mutual authentication is configured for this Application gateway?
  • Is WAF enabled with Detection mode or Protection mode?

    Regards,

    Hello @Sohaib Asghar ,

    I'm following up on my above comment. Could you please provide the requested details for further discussion on this issue?

    Regards,

  • The SKU of the Application gateway is V1.
  • It is listening on the public front-end IP on port 443, with the website cert uploaded, basic listener type.
  • It is enabled with Prevention mode.

    Hello @Sohaib Asghar ,

    Thank you for the details.
    I see that you are accessing the application gateway via a custom domain "app.mysha.pe".

    Could you please validate if your App service is configured properly with the Application gateway?
    You can refer to the following article: https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app?tabs=customdomain%2Cazure-portal

    Make sure that the DNS configuration is complete.

    DNS is relevant in two places:
    The DNS name, which the user or client is using towards Application Gateway and what is shown in a browser.
    The DNS name, which Application Gateway is internally using to access the App Service in the backend.

    Regards,

    Hello @Sohaib Asghar ,

    Thank you for the update.

    If the Application gateway configuration is all correct, then I believe the WAF is preventing the application page access and throwing 403 error as you have WAF enabled in "Prevention" mode.
    I would request you to check the access logs for the error as it should have a message stating why it blocked a certain request/URL.
    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs#firewall-log
    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot

    Regards,

    Hi @GitaraniSharma-MSFT ,

    Please find the Application Gateway blocked-request logs from Azure Logs below. This looks valid and is controlled by Microsoft services, where we don’t have any control over it, I think.

    URL blocked:
    https://app.mysha.pe/login?state=d:\boot.ini

    Application Gateway logs:

    Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): OS File Access Attempt

    Please let us know the way forward.

    Kind Regards,
    Sohaib
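The firewall log message above can be triaged mechanically rather than read by eye. The following Python is an added example, not code from the thread or from Microsoft; its sample entries are constructed, and the field names under "properties" are an assumption about the ApplicationGatewayFirewallLog schema:

```python
import json
import re
from collections import Counter

# Constructed sample lines shaped like ApplicationGatewayFirewallLog entries
# (the "properties" field names are an assumption); the message text is the one
# quoted in the thread, seen here from two client IPs.
MSG = ("Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded "
       "(Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,"
       "SESS=0): OS File Access Attempt")
SAMPLE_LINES = [
    json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
        "hostname": "app.mysha.pe", "clientIp": ip, "action": "Blocked",
        "requestUri": "/login?state=d:\\boot.ini", "message": MSG}})
    for ip in ("203.0.113.10", "198.51.100.7")
]

ANOMALY_RE = re.compile(
    r"Inbound Anomaly Score Exceeded \(Total Inbound Score: (?P<total>\d+) - "
    r"(?P<parts>[A-Z]+=\d+(?:,[A-Z]+=\d+)*)\): (?P<reason>.+)$")


def parse_anomaly_message(message):
    """Split the CRS anomaly-score summary into per-category scores."""
    m = ANOMALY_RE.search(message)
    if not m:
        return {"anomaly": False, "mandatory": False}
    scores = {k: int(v) for k, v in (p.split("=") for p in m.group("parts").split(","))}
    return {"anomaly": True,
            # the anomaly-evaluation rule cannot be disabled by rule id; only an
            # exclusion or Detection mode changes the outcome
            "mandatory": message.startswith("Mandatory rule. Cannot be disabled."),
            "total": int(m.group("total")), "scores": scores,
            "triggered": [k for k, v in scores.items() if v > 0],
            "reason": m.group("reason")}


def triage(log_line):
    """Reduce one firewall log line to what a responder needs to see."""
    p = json.loads(log_line)["properties"]
    return {"host": p["hostname"], "client_ip": p["clientIp"], "uri": p["requestUri"],
            "action": p["action"], **parse_anomaly_message(p["message"])}


def summarize(log_lines):
    """Count blocked anomaly-rule hits per CRS category and per client IP."""
    by_category, by_client = Counter(), Counter()
    for t in map(triage, log_lines):
        if t["action"] == "Blocked" and t["anomaly"]:
            by_client[t["client_ip"]] += 1
            by_category.update(t["triggered"])
    return {"by_category": dict(by_category), "by_client": dict(by_client)}
```

Exported from a Log Analytics query, the same functions run over thousands of lines; the "by_category" counts tell you which CRS paranoia area is firing before you consider any exclusion.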

    Will you please contact me via email or, even better, by phone? I would benefit from more hands-on support, like a phone call, remote session or even in person. That way, we can walk through the issues together and I can provide the information needed in order to resolve the issues. I would be very grateful! Is there a way for you to see my contact info? Or is that something I post here?

    Hello @Sohaib Asghar ,

    Apologies for the delay in my response.

    I understand that you have a Web application hosted in Azure App service protected by Application Gateway and it is throwing a 403 error when you enter the following URL - https://app.mysha.pe/login?state=d:\boot.ini in the browser.

    After discussion on this issue, we found that the configuration of Application gateway v1 is correct and the WAF is preventing the application page access and throwing a 403 error as you have WAF enabled in "Prevention" mode. You found that the URL is hitting a mandatory rule in WAF, which cannot be disabled, and need a way forward to fix this issue.

    If you believe that the blocked URL is safe and would like to let it pass through the WAF, you could use an Exclusion list.
    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#using-an-exclusion-list
    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration

    Example 2 from the below doc matches your scenario:
    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration#example-2
    So, you could set up an exclusion list as shown in the above example, substituting your own values, and it won't evaluate the string d:\boot.ini, but it will still evaluate the parameter name state.

    To add an exclusion, you need to create a WAF policy and associate it with your Application gateway.
    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview

    You can also set the exclusion via Azure portal in your WAF policy as below:

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Hello @Ariella Darlington , to get support via phone/email and get hands-on support via a remote session, please raise a support request.

    For your privacy, please do not share any Personal Identifiable Information (PII) such as your contact information here. Thanks!

    Hello GitaraniSharmaMSFT-4262,

    Thanks for the details. We believe that the blocked URL is not safe, therefore we can't put it in the exclude list. But our PEN testing team reported that showing 403 here is a security vulnerability. Can you please confirm from Microsoft that throwing 403 in this case is the correct way and is not any security risk, so that we can pass your information to our PEN testing team?

    Thanks

    Hello @Anji Keesari ,

    The 403 code is directly served by the Application gateway when the Application Gateway WAF detects malicious traffic and blocks it. This behavior is correct and does not have any security risk.

    Regards,

    Allow me to jump in Gita and explain.

    Our PEN Testing company raised an issue when the WAF returned a 403 error, citing that it pointed towards a response that confirmed a hacker may conclude this is a route to target. I think this is an entirely fair assessment on their part.
    Hackers seek vulnerabilities. Getting a 403 is a common method to probe a deeper attack.
    Appreciate you at the Mighty Microsoft, but are you saying that Microsoft have no issue or concern here, and thus we can just refer the PEN testers and any future clients who raise concerns to you here?
    Ali Khan

    Hello @Ali Khan ,

    I believe that the question asked by @Anji Keesari was "Is the WAF responding with a 403 error a correct behavior?". The answer to that question is yes: if the WAF detects malicious traffic, then it will block it with a 403 error. This is by design.
    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview#waf-modes

    Now, I'm not aware of the exact scenario of the pen test results. What was the report? Is the 403 error itself flagged as a vulnerability? Or is it exposing some server field/header in the error which is causing the vulnerability?

    From my past working experience, I have seen customers reporting that the error exposes some server headers which are causing vulnerabilities for them.
    For example: https://learn.microsoft.com/en-us/answers/questions/627494/index.html

    App gateway v2 allows you to rewrite selected content of requests and responses with some limitations, which helps in such cases.
    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url
    https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#limitations

    I would need more details on your pen test reports to further comment on this issue.
    Could you please share the exact pen test report/vulnerability?

    Regards,

    Hello, Gita

    Thanks for your response. Very helpful.
    The short answer to your question is that we don't expose any field/headers.

    The issue the pen testers outline is simply that the 403 response itself should be neutralised to provide no clue to the user that there is something vulnerable to attack.
    This is a fair request.

    So it's the message itself that is the issue. Does this make sense?

    Hello @Ali Khan ,

    Thank you for the update.

    In this case, my suggestion is to configure a custom error page for the 403 WAF error.
    You can configure a custom error page for a 403 web application firewall error or a 502 maintenance page.

    Custom error pages can be defined at the global level and the listener level:

  • Global level - the error page applies to traffic for all the web applications deployed on that application gateway.
  • Listener level - the error page is applied to traffic received on that listener.
  • Both - the custom error page defined at the listener level overrides the one set at global level.

    You must also specify a publicly accessible blob URL for the given error status code.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-listeners#custom-error-pages
    https://learn.microsoft.com/en-us/azure/application-gateway/custom-error

    Kindly let us know if the above helps or you need further assistance on this issue.

    Regards,