Introduction
In the constantly changing world of cybersecurity, both flexibility and effective security are essential for safeguarding applications. To meet these needs, Microsoft Azure recently released, in General Availability, the independent configuration of size enforcement limits and inspection limits in the Web Application Firewall (WAF) integrated in Application Gateway v2. This update also allows users to disable the size limits for both the request body and file uploads without affecting request body inspection. This enhancement lets users fine-tune these settings, giving them the ability to balance their application security needs against request size requirements. In this blog, we explore this new feature, covering its key aspects and capabilities.
Understanding Size Enforcement and Inspection Length
The Azure Web Application Firewall (WAF) is a cloud-native service that provides centralized protection of web applications from common exploits and vulnerabilities. Within Azure WAF, we have the Policy settings page. This page contains the size enforcement settings and inspection settings, each applicable to all rules within the policy and active when enforcement is enabled. These settings are:
Request Body Limit:
The above settings can be seen below:
For older WAF policies running Core Rule Set 3.1 or lower, before the independent configuration of these settings was introduced (in CRS 3.2 and above), turning on the enforce request body inspection setting also enforced the maximum request body size and the maximum file upload size. If request body inspection was turned off, the size enforcement fields (maximum request body size and maximum file upload size) were not applicable and could not be set.
The new update provides granular control, allowing for the independent configuration of enforcement size limits and request body inspections. It also increases flexibility for users, enabling them to configure how the WAF inspects requests, and if required, permitting larger requests to pass without blocking.
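To make the decoupling concrete, the following model (an added illustration written for this post, not Microsoft code) evaluates a request against a set of policy settings the way the text describes: the two size limits are applied only when their own enforcement switch is on, and request body inspection runs independently and only over the first "inspection limit" kilobytes of the body. The field names, the evaluation order and the tiny `SQLI_MARKERS` pattern list are assumptions made for this model; the real WAF uses the Core Rule Set, not a substring match. `legacy_settings` reproduces the older CRS 3.1 behaviour in which the inspection switch also drove both size limits.

```python
from dataclasses import dataclass


@dataclass
class PolicySettings:
    """Model of the WAF policy settings page (field names are assumptions)."""
    request_body_check: bool            # "Enforce request body inspection"
    request_body_enforcement: bool      # "Enforce max request body limit"
    max_request_body_size_kb: int
    file_upload_enforcement: bool       # "Enforce max file upload limit"
    file_upload_limit_mb: int
    request_body_inspect_limit_kb: int  # only this much of the body is inspected


@dataclass
class Request:
    body: bytes
    is_file_upload: bool = False


# Toy stand-in for a CRS SQL injection rule, used only so the model has
# something to detect. Not the real rule set.
SQLI_MARKERS = (b"' or 1=1", b"union select", b"'--")


def legacy_settings(request_body_check: bool, max_kb: int,
                    upload_mb: int, inspect_kb: int) -> PolicySettings:
    """CRS 3.1 and lower: one switch controlled inspection and both size limits."""
    return PolicySettings(
        request_body_check=request_body_check,
        request_body_enforcement=request_body_check,
        max_request_body_size_kb=max_kb,
        file_upload_enforcement=request_body_check,
        file_upload_limit_mb=upload_mb,
        request_body_inspect_limit_kb=inspect_kb,
    )


def evaluate(settings: PolicySettings, req: Request) -> tuple[int, str]:
    """Return (status, reason) for a request; 200 means it reaches the backend."""
    size_kb = len(req.body) / 1024

    # Size enforcement: each limit applies only when its own switch is on.
    if req.is_file_upload:
        if (settings.file_upload_enforcement
                and size_kb > settings.file_upload_limit_mb * 1024):
            return 403, "File upload length exceeded the limit"
    elif (settings.request_body_enforcement
          and size_kb > settings.max_request_body_size_kb):
        return 403, "Request body length exceeded the limit"

    # Inspection is independent of enforcement, but bounded by the inspect limit:
    # content beyond that window is not examined by the rules.
    if settings.request_body_check:
        window = req.body[: settings.request_body_inspect_limit_kb * 1024].lower()
        if any(marker in window for marker in SQLI_MARKERS):
            return 403, "SQL Injection Attack"

    return 200, "forwarded to backend"


def demo() -> list[tuple[str, int, str]]:
    """Constructed requests showing the independent switches and the inspect window."""
    strict = PolicySettings(True, True, 15, True, 1, 128)
    relaxed = PolicySettings(True, False, 15, True, 1, 128)   # body limit off, inspection on
    narrow = PolicySettings(True, False, 15, True, 1, 64)     # inspect window shorter than body
    big_upload = Request(b"x" * (2 * 1024 * 1024), is_file_upload=True)
    oversized = Request(b"x" * (15 * 1024 + 400))
    late_sqli = Request(b"x" * (99 * 1024) + b"' OR 1=1--")   # marker sits after 99 KB
    return [
        ("upload 2 MB, limit 1 MB", *evaluate(strict, big_upload)),
        ("body 15.4 KB, limit 15 KB", *evaluate(strict, oversized)),
        ("body limit off, SQLi at 99 KB, inspect 128 KB", *evaluate(relaxed, late_sqli)),
        ("body limit off, SQLi at 99 KB, inspect 64 KB", *evaluate(narrow, late_sqli)),
        ("legacy: inspection off disables limits too", *evaluate(legacy_settings(False, 15, 1, 128), oversized)),
    ]


if __name__ == "__main__":
    for label, status, reason in demo():
        print(f"{status} {reason:40s} <- {label}")
```

The fourth case is the caveat a defender should keep in mind when disabling the request body limit: inspection still runs, but only over the configured inspection window, so the inspection limit needs to be sized with the body sizes the application legitimately accepts in mind.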
Configuring the New Size Enforcement and Inspection Limits
In this section, we look at a scenario for configuring the size enforcement limits and inspection limits and explore, through a series of tests, how these configurations impact requests coming through the Azure WAF.
For the scenario set-up, we have the following resources:
Our virtual machine has access to a web application which is running behind our Application Gateway and protected by Azure WAF.
Azure WAF Settings
We navigate to our Web Application Firewall policy and select Policy Settings under the Settings menu on the left pane.
The values for the settings have been set up as follows:
Configuration Testing
After our Policy Setting configurations for the size enforcement and inspection limits are complete, we proceed to our virtual machine for the tests. We conduct a series of five tests to show how the size enforcement and inspection limit settings we configured control requests.
From the Windows virtual machine, we open Postman. Our Postman setup has five pre-made requests to evaluate the policy settings we have configured.
On uploading the file, we click on “Send.” The file is sent successfully, as it has not reached our maximum file upload limit (1MB). Even though we observe a “413 Request Entity Too Large” response code, this is the expected response: the code is returned by the backend application itself and not by Azure WAF. Our file has successfully passed through the WAF to the backend; it is the application itself that cannot handle the body.
Once the file is seen in Postman, we click on “Send.” In the response pane, we receive a “403 Forbidden” response code. This indicates that the request has been blocked by Azure WAF as its size has exceeded our File Upload limit.
To verify the block action by Azure WAF, we navigate to our Application Gateway and select “Logs” under Monitoring and use the KQL query below to confirm the action taken:
AzureDiagnostics
| where Category contains "ApplicationGatewayFirewallLog"
| where Message contains "File upload length exceeded the limit"
We click on “Send” and immediately receive a “200 OK” response code message indicating that our request is successful.
We select our fourth request in Postman called Request Body Limit – Exceeded. The size of this request is 15.38KB.
We click on “Send” and immediately receive a “403 Forbidden” response code message indicating that our request is unsuccessful. Azure WAF has blocked the request as it has exceeded our limit of 15KB.
To verify the block action by Azure WAF, we navigate to our Application Gateway and select “Logs” under Monitoring and use the KQL query below to confirm the action taken:
AzureDiagnostics
| where Category contains "ApplicationGatewayFirewallLog"
| where Message contains "Request body length exceeded the limit"
Our fifth Postman request is called Request Body Limit Disabled - Malicious, with a request body size of 99.82 KB. Within this request body, towards the end of the body, there is an embedded malicious SQL injection string:
We select the request and click on “Send”. We immediately receive a “403 Forbidden” code. Azure WAF has blocked the request as the malicious SQL injection string has been identified.
To verify the block of the malicious request body, we navigate to our Application Gateway and select “Logs” under Monitoring and use the KQL query below to confirm the actions taken:
AzureDiagnostics
| where Category contains "ApplicationGatewayFirewallLog"
| where Message == "SQL Injection Attack"
Using the transaction ID of this log, we can see that the malicious script was blocked as the inbound anomaly score was exceeded.
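The three KQL queries above each pull one message type out of the firewall log, and the transaction ID then ties the rule match to the final anomaly-score block. The Python below (an added example, not part of the original post) does the same triage offline over a handful of constructed log records, so the filters and the correlation step can be tested before they are turned into a workbook or alert rule. The record shape follows the AzureDiagnostics columns that the ApplicationGatewayFirewallLog category exposes (`Category`, `Message`, `transactionId_s`, `ruleId_s`, `action_s`); the sample values are constructed and the column names should be checked against your own workspace schema.

```python
import json
from collections import defaultdict

# Constructed sample records (not real telemetry). Column names assumed from the
# AzureDiagnostics shape of ApplicationGatewayFirewallLog.
SAMPLE_LOG_LINES = [
    json.dumps({"TimeGenerated": "2024-05-01T10:00:01Z", "Category": "ApplicationGatewayAccessLog",
                "transactionId_s": "", "ruleId_s": "", "action_s": "", "Message": ""}),
    json.dumps({"TimeGenerated": "2024-05-01T10:01:00Z", "Category": "ApplicationGatewayFirewallLog",
                "transactionId_s": "tx-0002", "ruleId_s": "", "action_s": "Blocked",
                "Message": "File upload length exceeded the limit", "clientIp_s": "10.0.0.4"}),
    json.dumps({"TimeGenerated": "2024-05-01T10:02:00Z", "Category": "ApplicationGatewayFirewallLog",
                "transactionId_s": "tx-0004", "ruleId_s": "", "action_s": "Blocked",
                "Message": "Request body length exceeded the limit", "clientIp_s": "10.0.0.4"}),
    json.dumps({"TimeGenerated": "2024-05-01T10:03:00Z", "Category": "ApplicationGatewayFirewallLog",
                "transactionId_s": "tx-0005", "ruleId_s": "942100", "action_s": "Matched",
                "Message": "SQL Injection Attack", "clientIp_s": "10.0.0.4"}),
    json.dumps({"TimeGenerated": "2024-05-01T10:03:00Z", "Category": "ApplicationGatewayFirewallLog",
                "transactionId_s": "tx-0005", "ruleId_s": "949110", "action_s": "Blocked",
                "Message": "Inbound Anomaly Score Exceeded (Total Score: 5)", "clientIp_s": "10.0.0.4"}),
]


def parse_lines(lines):
    """Each exported log line is one JSON object."""
    return [json.loads(line) for line in lines]


def firewall_events(records, message=None, exact=False):
    """Mirror the KQL: Category contains "ApplicationGatewayFirewallLog",
    then Message contains <text> (case-insensitive, like KQL contains)
    or Message == <text> (case-sensitive, like KQL ==)."""
    matches = []
    for rec in records:
        if "ApplicationGatewayFirewallLog" not in rec.get("Category", ""):
            continue
        msg = rec.get("Message", "")
        if message is not None:
            if exact and msg != message:
                continue
            if not exact and message.lower() not in msg.lower():
                continue
        matches.append(rec)
    return matches


def by_transaction(records):
    """Group firewall events by transactionId_s so one request's rule hits sit together."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["transactionId_s"]].append(rec)
    return dict(groups)


def transaction_summary(records, tx_id):
    """Reconstruct what happened to one request: rules hit, whether it was blocked,
    and the final (anomaly score) message."""
    events = sorted(by_transaction(firewall_events(records)).get(tx_id, []),
                    key=lambda r: r["TimeGenerated"])
    return {
        "transaction": tx_id,
        "rules": [r["ruleId_s"] for r in events if r["ruleId_s"]],
        "blocked": any(r["action_s"] == "Blocked" for r in events),
        "final_message": events[-1]["Message"] if events else None,
    }


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG_LINES)
    for text in ("File upload length exceeded the limit",
                 "Request body length exceeded the limit"):
        print(text, "->", len(firewall_events(recs, text)), "event(s)")
    hit = firewall_events(recs, "SQL Injection Attack", exact=True)[0]
    print(transaction_summary(recs, hit["transactionId_s"]))
```

Note the difference between the two comparison operators: the page's first two queries use `contains`, which in KQL is case-insensitive, while the third uses `==`, which is exact and case-sensitive; an alert built on the exact form will miss a rule whose message text changes with a rule-set update.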
From the tests, we observe that Azure WAF’s behavior aligns with the configured settings, blocking non-compliant requests while allowing valid requests through. We are also able to disable request body inspection and the request body limit independently of each other, which gives users more granular control depending on their environment and application requirements.
Conclusion
As we have seen, the new capabilities of Azure's Application Gateway WAF bring unprecedented control and precision to managing web application security. By allowing independent configuration of size enforcement limits and inspection lengths, Azure WAF not only enhances security but also adapts to the diverse and growing needs of modern applications. These updates not only demonstrate Microsoft's commitment to robust, customizable security solutions but also ensure that businesses can continue to operate efficiently without sacrificing protection against the latest threats. This flexibility is crucial for organizations striving to balance performance with stringent security requirements in a dynamic digital environment.
Resources