{"id":233,"date":"2022-01-13T13:15:00","date_gmt":"2022-01-13T18:15:00","guid":{"rendered":"http:\/\/sycured.127.0.0.1.sslip.io\/?p=233"},"modified":"2024-01-14T11:27:23","modified_gmt":"2024-01-14T16:27:23","slug":"fix-azure-waf-ad-oidc","status":"publish","type":"post","link":"http:\/\/10.42.0.68:8080\/blog\/fix-azure-waf-ad-oidc","title":{"rendered":"Fix Azure WAF & AD OpenID Connect"},"content":{"rendered":"\n

When you use Azure WAF together with Azure Active Directory OpenID Connect, the WAF can block requests on the managed rule "SQL Comment Sequence Detected".

This is the proper fix. Please don't use the solution that Microsoft Azure gives you; it is very dangerous.

Microsoft Azure – Dangerous way

When you ask support, they escalate the ticket, and the only solution they give you is: you need to disable this rule.

What The Hell!

They want us to disable the rule for the entire WAF, which means for all traffic.

It's easy to see that Microsoft will never change, neither on stupid things nor on their services.

The Right Way: Custom Rule

We just need to allow the traffic on one specific condition: a value at the beginning of the Cookie request header.

It's not a joke: I use it in production and it works.

The logic:

If: String
Match:
  • Variable: RequestHeaders
  • Header name: Cookie
Operation: is
Operator: Begins with
Transformations: keep empty
Match value: .AspNetCore.OpenIdConnect.
Then: Allow traffic

Screenshot from Azure Portal

[Figure: screenshot of the custom rule as configured in the Azure Portal]

Never forget

When you write and enable custom rules, remember to restrict them to the required URLs whenever the problem does not affect all endpoints: a request that matches an Allow rule is exempted from the remaining WAF rules, so the broader the match, the more traffic bypasses inspection.","protected":false},"excerpt":{"rendered":"

","protected":false},"author":1,"featured_media":67,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"saved_in_kubio":false,"footnotes":""},"categories":[13],"tags":[10,19],"_links":{"self":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/233"}],"collection":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/comments?post=233"}],"version-history":[{"count":1,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/233\/revisions"}],"predecessor-version":[{"id":234,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/233\/revisions\/234"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/media\/67"}],"wp:attachment":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/media?parent=233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/categories?post=233"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/tags?post=233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}