Introduction
In the constantly changing world of cybersecurity, both flexibility and effective security are essential for safeguarding applications. To meet these needs, Microsoft Azure recently released, in General Availability, the independent configuration of size enforcement limits and inspection limits in Web Application Firewall (WAF) integrated in Application Gateway v2. This update also allows users to disable size limits for both request body and file uploads without affecting request body inspections. This enhancement will enable users to fine-tune these settings - providing the ability to balance their application security needs against request size requirements. In this blog, we explore this innovative new feature, covering its key aspects and capabilities.
Understanding Size Enforcement and Inspection Length
The Azure Web Application Firewall (WAF) is a cloud-native service that provides centralized protection of web applications from common exploits and vulnerabilities. Within Azure WAF, we have the Policy settings page. This page contains the size enforcement settings and inspection settings, each applicable to all rules within the policy and active when enforcement is enabled. These settings are:
- Request Body Inspection:
  - Enforce request body inspection – allows the Web Application Firewall to inspect the request body, applying both managed and custom rules according to the WAF policy’s settings.
  - Maximum request body inspection limit – determines how deep into a request body the WAF will inspect and apply managed/custom rules. It is specified in kilobytes (KB).
- Request Body Limit:
  - Enforce maximum request body limit – determines whether the WAF will impose a maximum size limit on request bodies. If disabled, it will not block any requests for exceeding size limits.
  - Maximum request body size – controls the allowable size of a request body before the WAF blocks a request for surpassing the maximum size limit. It is specified in kilobytes (KB).
  - When the enforce maximum request body limit is disabled, the maximum size for requests is determined by the upper limits of the Application Gateway, which currently allows requests of up to 4GB. For more details on these limits, please refer to Azure subscription limits and quotas - Azure Resource Manager | Microsoft Learn.
- File Upload Limit:
  - Enforce maximum file upload limit – determines whether the WAF will apply a maximum size limit on file uploads. If this setting is turned off, WAF will not reject any file uploads for exceeding size limits.
  - Maximum file upload size – determines the maximum size a file upload can be before the WAF rejects the file upload for exceeding the maximum size limit. It is specified in megabytes (MB).
  - When the enforce maximum file upload limit is disabled, the upper size limit for file uploads is determined by the upper limits of the Application Gateway, which currently supports file uploads of up to 4GB. For additional information on these limits, please refer to Azure subscription limits and quotas - Azure Resource Manager | Microsoft Learn.
  - It is also important to note that file uploads are only considered for requests with a Content-Type of multipart/form-data. To be treated as a file upload, content must be part of a multipart form and include a filename header. For all other content types, the request body size limit applies.
The above settings can be seen below:
For older WAF policies running Core Rule Set 3.1 or lower, and before the independent configuration of the settings was introduced (in CRS 3.2 and above), when the enforce request body inspection setting was turned on, it also enforced the maximum request body size and the maximum file upload size. If the request body inspection was turned off, the size enforcement fields (maximum request body size and maximum file upload size) were not applicable and could not be set.
The new update provides granular control, allowing for the independent configuration of enforcement size limits and request body inspections. It also increases flexibility for users, enabling them to configure how the WAF inspects requests, and if required, permitting larger requests to pass without blocking.
Configuring the New Size Enforcement and Inspection Limits
In this section, we look at a scenario for configuring the size enforcement limits and inspection limits and explore, through a series of tests, how these configurations impact requests coming through the Azure WAF.
For the scenario set-up, we have the following resources:
- Azure WAF policy (DRS 2.1) associated with an Application Gateway. The WAF policy is set to Prevention mode.
- Windows virtual machine.
- Postman (deployed in our Virtual Machine).
- Web application.
Our virtual machine has access to a web application which is running behind our Application Gateway and protected by Azure WAF.
Azure WAF Settings
We navigate to our Web Application Firewall policy and select Policy Settings under the Settings menu on the left pane.
The values for the settings have been set up as follows:
- Maximum request body size – In our scenario, this has been set to 15KB. Requests with a request body bigger than 15KB will be blocked.
- Maximum file upload size – In our scenario, this has been set to 1MB. File uploads larger than 1MB will be blocked.
- Maximum request body inspection – This has been set initially to 15KB. With this setting, when a request body comes in, the Azure WAF will inspect up to 15KB of the request body. If the request is larger than 15KB, the rest of the request body will not be inspected.
- Aligning the maximum request body inspection limit with the body size limit, both set at 15KB in our example, ensures comprehensive inspection by the WAF, providing optimal security. This setup (having the same values for request body inspection and request body size) is recommended because it guarantees that the entire request is inspected, blocking any request that surpasses the user’s defined limits.
- However, in some scenarios, the user might want to reduce the maximum request body inspection limit to be lower than the maximum request body size limit to improve latency. This trade-off might increase performance but reduces the level of protection, as parts of the request may remain uninspected, potentially allowing malicious content to pass through. This approach should be used cautiously, understanding the balance between speed and security.
Configuration Testing
After our Policy Settings configuration for the size enforcement and inspection limits is complete, we proceed to our virtual machine for the tests. We conduct a series of five tests to show how the size enforcement and inspection limit settings we configured control requests.
From the Windows virtual machine, we open Postman. Our Postman setup has five pre-made requests to evaluate the policy settings we have configured.
- The first test is on the Maximum File Upload Limit (sending a file that has not exceeded our 1MB limit). We select our first Postman request called Max File Upload – Not Exceeded and navigate to that request’s body tab. We select a file from our local machine (782KB in size) and upload it.
Once the file is attached, we click on “Send.” The file is successfully sent as it has not reached our maximum file upload limit (1MB). Even though we observe a “413 Request Entity Too Large” response code, this is expected: the response code is returned by the backend application itself and not by the Azure WAF. Our file has successfully made it to the backend; it is the application itself that cannot handle the body.
- The second test is on the Maximum File Upload Limit (sending a file that has exceeded our 1MB limit). We select our second Postman request called Max File Upload – Exceeded and navigate to the body tab in the main window. On this test, we select and upload a file that is 1,954KB (1.95MB) in size:
Once the file is seen in Postman, we click on “Send.” In the response pane, we receive a “403 Forbidden” response code. This indicates that the request has been blocked by Azure WAF as its size has exceeded our File Upload limit.
To verify the block action by Azure WAF, we navigate to our Application Gateway and select “Logs” under Monitoring and use the KQL query below to confirm the action taken:
AzureDiagnostics
| where Category contains "ApplicationGatewayFirewallLog"
| where Message contains "File upload length exceeded the limit"
- The third test is for the maximum request body size (sending a request below our limit of 15KB). We select our third request in Postman called Request Body Limit – Not Exceeded. This request uses a JSON body to send a POST request to the application. The size of this request is 11.46KB, which is smaller than our 15KB limit.
We click on “Send” and immediately receive a “200 OK” response code message indicating that our request is successful.
- The fourth test is for the maximum request body size (sending a request above our limit of 15KB). In this test, we also disable the enforce request body inspection setting to showcase that the WAF can still enforce the body size limit, independent of the request body inspection.
We select our fourth request in Postman called Request Body Limit – Exceeded. The size of this request is 15.38KB.
We click on “Send” and immediately receive a “403 Forbidden” response code message indicating that our request is unsuccessful. Azure WAF has blocked the request as it has exceeded our limit of 15KB.
To verify the block action by Azure WAF, we navigate to our Application Gateway and select “Logs” under Monitoring and use the KQL query below to confirm the action taken:
AzureDiagnostics
| where Category contains "ApplicationGatewayFirewallLog"
| where Message contains "Request body length exceeded the limit"
- The fifth and final test is to demonstrate how the request body inspection stops a malicious attack. In this test, we disable the enforce maximum request body size setting to showcase that the WAF can allow larger requests while inspection is still running and prevent malicious attacks. We set our maximum request body inspection limit to 100KB and disable the enforce maximum request body limit:
Our fifth Postman request is called Request Body Limit Disabled – Malicious and has a request body size of 99.82KB. Towards the end of this request body there is an embedded malicious SQL injection string:
We select the request and click on “Send”. We immediately receive a “403 Forbidden” code. Azure WAF has blocked the request as the malicious SQL injection string has been identified.
To verify the block of the malicious request body, we navigate to our Application Gateway and select “Logs” under Monitoring and use the KQL query below to confirm the actions taken:
AzureDiagnostics
| where Category contains "ApplicationGatewayFirewallLog"
| where Message == "SQL Injection Attack"
Using the transaction ID of this log entry, we can see that the malicious request was blocked because the inbound anomaly score threshold was exceeded.
From the tests, we observe that Azure WAF’s behavior aligns with the configured settings, blocking non-compliant requests while allowing valid ones. We are also able to disable the inspection settings and the request body limit independently of each other, giving users more granular control depending on their environment and application requirements.
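To make the interplay between the three enforcement switches and the inspection window concrete, here is a constructed Python model, added for this post and not Azure's implementation, that encodes the rules listed in the Policy Settings section and replays the five Postman tests above, plus the trade-off described earlier where the inspection limit is set below the body size. The SQL injection signature, content types and file name are assumptions; the real WAF applies the full managed rule set rather than one string match.

```python
from dataclasses import dataclass
from typing import Optional

KB, MB = 1024, 1024 * 1024
GATEWAY_MAX = 4 * 1024 * MB  # Application Gateway ceiling cited in the post (4 GB)

@dataclass
class PolicySettings:
    """The six Policy Settings fields from the post, with the post's test values as defaults."""
    enforce_body_limit: bool = True
    max_body_kb: int = 15
    enforce_upload_limit: bool = True
    max_upload_mb: int = 1
    inspect_body: bool = True
    inspect_limit_kb: int = 15

# Stand-in for the managed rule set: one constructed SQLi signature (the post does not show its string).
SIGNATURE = b"' or '1'='1"

def evaluate(p: PolicySettings, body: bytes, content_type: str, filename: Optional[str]) -> str:
    """Return 'allow' or the block reason: size enforcement first, then inspection of the window."""
    # Only multipart/form-data parts carrying a filename count as file uploads; everything else is a body.
    is_upload = content_type.startswith("multipart/form-data") and filename is not None
    if is_upload:
        limit = p.max_upload_mb * MB if p.enforce_upload_limit else GATEWAY_MAX
        if len(body) > limit:
            return "File upload length exceeded the limit"
    else:
        limit = p.max_body_kb * KB if p.enforce_body_limit else GATEWAY_MAX
        if len(body) > limit:
            return "Request body length exceeded the limit"
    # Inspection sees only the first inspect_limit_kb kilobytes; the remainder is never examined.
    if p.inspect_body and SIGNATURE in body[: p.inspect_limit_kb * KB].lower():
        return "SQL Injection Attack"
    return "allow"

def replay() -> dict:
    """Replay the post's five tests plus the reduced-inspection caveat; returns {case: outcome}."""
    json_ct, upload_ct = "application/json", "multipart/form-data; boundary=xyz"
    tail = b"x" * (int(99.82 * KB) - len(SIGNATURE)) + SIGNATURE  # signature at the very end, as in test 5
    cases = {
        "1 upload 782KB": (PolicySettings(), b"x" * 782 * KB, upload_ct, "f.bin"),
        "2 upload 1954KB": (PolicySettings(), b"x" * 1954 * KB, upload_ct, "f.bin"),
        "3 body 11.46KB": (PolicySettings(), b"x" * int(11.46 * KB), json_ct, None),
        "4 body 15.38KB, inspection off": (PolicySettings(inspect_body=False), b"x" * int(15.38 * KB), json_ct, None),
        "5 body 99.82KB, limit off, inspect 100KB": (PolicySettings(enforce_body_limit=False, inspect_limit_kb=100), tail, json_ct, None),
        "caveat: same body, inspect 15KB": (PolicySettings(enforce_body_limit=False, inspect_limit_kb=15), tail, json_ct, None),
    }
    return {name: evaluate(*args) for name, args in cases.items()}
```

The last case is the point of the earlier warning: with the body limit disabled and the inspection window shorter than the body, the signature at the tail is never examined and the request is allowed.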
Conclusion
As we have seen, the new capabilities of Azure's Application Gateway WAF bring unprecedented control and precision to managing web application security. By allowing independent configuration of size enforcement limits and inspection lengths, Azure WAF not only enhances security but also adapts to the diverse and growing needs of modern applications. These updates not only demonstrate Microsoft's commitment to robust, customizable security solutions but also ensure that businesses can continue to operate efficiently without sacrificing protection against the latest threats. This flexibility is crucial for organizations striving to balance performance with stringent security requirements in a dynamic digital environment.
Resources
- Introduction to Azure Web Application Firewall | Microsoft Learn
- What is Azure Web Application Firewall on Azure Application Gateway? - Azure Web Application Firewall | Microsoft Learn
- General availability: Application Gateway Web Application Firewall (WAF) inspection limit & size enforcement | Azure updates | Microsoft Azure
- Web application firewall request size limits in Azure Application Gateway - Azure portal | Microsoft Learn
- CRS rule groups and rules - Azure Web Application Firewall | Microsoft Learn