{"id":233,"date":"2022-01-13T13:15:00","date_gmt":"2022-01-13T18:15:00","guid":{"rendered":"http:\/\/sycured.127.0.0.1.sslip.io\/?p=233"},"modified":"2024-01-14T11:27:23","modified_gmt":"2024-01-14T16:27:23","slug":"fix-azure-waf-ad-oidc","status":"publish","type":"post","link":"http:\/\/10.42.0.68:8080\/blog\/fix-azure-waf-ad-oidc","title":{"rendered":"Fix Azure WAF & AD OpenID Connect"},"content":{"rendered":"\n
<p>When you’re using Azure WAF and Azure Active Directory OpenID Connect, you can run into the WAF blocking the sign-in round trip on the rule “SQL Comment Sequence Detected”. The cookie names ASP.NET Core generates for the OpenID Connect handshake carry base64url-encoded data, and a “--” sequence inside that data looks like a SQL comment to the rule.<\/p>

<p>This is the real solution. Please don’t use the one Microsoft Azure gives you: it’s very dangerous.<\/p>

<p>When you ask support, they escalate, and the only solution they give you is: you need to disable this rule.<\/p>

<p><strong>What The Hell!<\/strong><\/p>

<p>They want us to disable the rule for the entire WAF, that is, for all traffic, to unblock one cookie.<\/p>

<p>It’s easy to see that Microsoft will never change, neither about stupid things nor about their services.<\/p>

<h2>The Right Way: Custom Rule<\/h2>

<h3>The logic:<\/h3>

<p>We only need to allow the traffic that matches one specific condition: a cookie whose name begins with a known value. The rule stays enabled for everything else.<\/p>

<p>It’s not a joke: I use it in production and it works.<\/p>

<ul>
<li>If: String<\/li>
<li>Match:<\/li>
<li>Operation: is<\/li>
<li>Operator: Begins with<\/li>
<li>Transformations: <strong>keep empty<\/strong><\/li>
<li>Match value: .AspNetCore.OpenIdConnect.<\/li>
<li>Then: Allow traffic<\/li>
<\/ul>

<p>Leave the transformations empty on purpose: they are applied to the request value before the comparison, so a Lowercase transformation would stop the mixed-case match value from ever matching.<\/p>

<p>One caveat before you copy this: in Azure WAF a custom rule with the Allow action is final. Custom rules are evaluated before the managed rule set, and a request that matches an Allow rule skips the remaining rules, managed ones included, so that request gets no other inspection at all. Keep the condition as narrow as you can (the exact cookie name, combined with the OpenID Connect callback path if you add a second condition to the same rule) so that only the sign-in round trip takes this path, and prefer a per-rule exclusion on that cookie name where your WAF tier offers one.<\/p>

<h3>Screenshot from Azure Portal<\/h3>
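<p>To make the rule order concrete, here is an added Python model of the three policies discussed on this page: the stock managed rule, Microsoft support’s “disable the rule”, and the scoped Allow rule. It is example code written for this page, not anything from the Azure portal or from Microsoft. It assumes a simplified form of the SQL comment sequence pattern, that the managed rule inspects the query string plus cookie names and values, that the custom rule’s unstated match variable is the cookie name, and that an Allow custom rule skips the managed rules; the three requests are constructed, not captured.<\/p>

```python
import re
from dataclasses import dataclass, field

# Simplified form of the OWASP CRS 942440 "SQL Comment Sequence Detected" pattern.
# Assumption: condensed from the CRS regex for illustration; the real rule has
# more alternatives and is applied to more request targets.
SQL_COMMENT_SEQUENCE = re.compile(r"/\*!?|\*/|[';]--|--\s|--[^-]*?-|;?\x00")

# Match value from the custom rule on this page ("Begins with", no transformations).
ALLOW_PREFIX = ".AspNetCore.OpenIdConnect."


@dataclass
class Request:
    path: str
    query: str = ""
    cookies: dict = field(default_factory=dict)  # cookie name -> value


def managed_rule_942440_matches(req: Request) -> bool:
    """Managed rule: inspect the query string plus every cookie name and value."""
    targets = [req.query, *req.cookies.keys(), *req.cookies.values()]
    return any(SQL_COMMENT_SEQUENCE.search(t) for t in targets)


def custom_allow_matches(req: Request) -> bool:
    """The page's custom rule. Assumption: the (unstated) match variable is the
    request cookie name, compared case-sensitively because no transformation is set."""
    return any(name.startswith(ALLOW_PREFIX) for name in req.cookies)


def waf_decision(req: Request, custom_allow: bool, rule_942440: bool) -> str:
    """Azure WAF order: custom rules first; an Allow match ends evaluation and the
    managed rule set is not consulted for that request."""
    if custom_allow and custom_allow_matches(req):
        return "allow"
    if rule_942440 and managed_rule_942440_matches(req):
        return "block"
    return "allow"


# Constructed sample traffic (not captured from a real tenant).
# The nonce cookie name holds base64url-looking data with a "--" run in it.
OIDC_CALLBACK = Request(
    path="/signin-oidc",
    cookies={".AspNetCore.OpenIdConnect.Nonce.CfDJ8Hq--7zWk_3-Ab1": "N"},
)
# A plain SQL comment probe in the query string.
SQLI_PROBE = Request(path="/search", query="q=admin';-- ")
# Same probe, but the client also sends a cookie named to match the Allow prefix.
SPOOFED_COOKIE_SQLI = Request(
    path="/search",
    query="q=admin';-- ",
    cookies={".AspNetCore.OpenIdConnect.x": "1"},
)


def compare_configurations() -> dict:
    """Decision per sample request for each of the three policies."""
    configs = {
        "stock": dict(custom_allow=False, rule_942440=True),
        "rule_disabled": dict(custom_allow=False, rule_942440=False),
        "scoped_allow": dict(custom_allow=True, rule_942440=True),
    }
    samples = {"oidc": OIDC_CALLBACK, "sqli": SQLI_PROBE, "spoofed": SPOOFED_COOKIE_SQLI}
    return {
        name: {label: waf_decision(req, **kwargs) for label, req in samples.items()}
        for name, kwargs in configs.items()
    }


if __name__ == "__main__":
    for name, results in compare_configurations().items():
        print(f"{name:14} {results}")
```

<p>Two rows carry the point. “rule_disabled” lets the plain SQL comment probe through everywhere, which is what disabling the rule for the whole WAF means. “scoped_allow” keeps blocking that probe while the sign-in cookie passes, but the “spoofed” column shows the cost of any Allow rule keyed on a client-controlled value: a request that sets a cookie with the right prefix skips the managed rules entirely, which is why the condition should be tightened to the exact cookie and, if possible, the callback path.<\/p>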