Hi,

I have a .NET 6 web application with Azure AD authentication. The application is surrounded by an Azure Application Gateway. Gateway WAF rules are getting blocked and it is returning a 403 error from the gateway.

Root cause: Microsoft Identity Web authentication is generating cookies containing special characters such as a double hyphen (--); the WAF regex considers them a SQL comment and blocks the request.

What I have tried:

I have tried to write custom middleware to encode and decode the cookies, but it is not working.

I am also not able to understand the flow, as the concept is not clear to me: I am decoding and encoding the cookies in server code in middleware, but when a user sends a request to the web app, it will initially come to the gateway and be blocked there. I am not sure how this type of solution can work.

Please share your suggestions if you have faced this issue, apart from blocking rules in the application gateway, or how it will actually be resolved.
Updated 8-Dec-23 3:28am

Comments
footballpardeep 7-Dec-23 13:22pm    
Hi Richard, thanks a lot for the quick response. We are not allowed to make any modifications at the gateway; we have to handle it via code only.
Richard MacCutchan 8-Dec-23 3:43am    
Sorry, but I do not know the answer, but Andre's suggestions below may help.
Maciej Los 8-Dec-23 7:09am    
5ed!
Richard MacCutchan 8-Dec-23 7:38am    
Thanks Maciej. But, as is often the case, they will not use the features provided.
Andre Oosthuizen 8-Dec-23 15:08pm    
+5, Agreed, I think we show more effort answering than "them" taking time to post the question...
This is not at all my field of expertise or even near there... I did, however, find the question interesting and started some googling and, yes I know, some AI advice.

It seems that your custom middleware for encoding and decoding cookies is correctly implemented.
It seems you need to ensure that any headers added during encoding/decoding are included in the outgoing requests.
Make sure that your Azure Application Gateway is not overly restrictive, and consider adjusting the WAF rules if necessary. I saw the comment that you have no control over this; just check and confirm the status.

To handle 'CustomMiddleware' in .NET, install the necessary packages (AI kicking in, no guarantees given here but help as a pointer in the right direction...) -
Bash
dotnet add package Microsoft.AspNetCore.Authentication
dotnet add package Microsoft.AspNetCore.Authentication.Cookies


Rest here copied and pasted using C3... -
C#
// CustomMiddleware.cs
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using System.Threading.Tasks;

public class CustomMiddleware
{
    private readonly RequestDelegate _next;

    public CustomMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        // Decode or encode your cookies here
        // For example, decoding:
        // var decodedCookie = context.Request.Cookies["YourCookieName"];
        // var decodedValue = DecodeYourCookie(decodedCookie);
        
        // Encoding example:
        // var encodedValue = EncodeYourCookie(originalValue);
        // context.Response.Cookies.Append("YourCookieName", encodedValue);

        // Call the next delegate/middleware in the pipeline
        await _next(context);
    }
}


Register the middleware in your 'Startup.cs' -
C#
// Startup.cs
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Other configurations...

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Other middleware configurations...

        app.UseMiddleware<CustomMiddleware>();

        // Other middleware configurations...
    }
}


Again, the code-related parts are AI generated and might be completely out of sync with what you want to achieve, but help as a pointer...

Comments
Maciej Los 8-Dec-23 7:08am    
5ed!
footballpardeep 9-Dec-23 20:19pm    
Hi Andre, thanks for the solution. I am trying something like this. I am able to encode the cookies, but the existing cookies are still there, so it's creating a problem. Trying to resolve this issue.

Really appreciate your help.
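
As an added example (not part of the thread or of any poster's code): the encoding can be applied at the point where the application issues the authentication cookie, so the browser only ever sends back a hyphen-free value and the request is not matched by the SQL-comment check at the gateway described in the question. The class name `HexCookieManager` and the `hx.` prefix are hypothetical, and the registration shown in the trailing comment assumes the cookie handler runs under the default `Cookies` scheme.

```csharp
// Added example: wraps the framework's ChunkingCookieManager and hex-encodes the
// authentication cookie value, so the value on the wire contains only [0-9A-F]
// plus a fixed prefix. HexCookieManager and "hx." are hypothetical names.
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;

public sealed class HexCookieManager : ICookieManager
{
    private const string Prefix = "hx.";   // marks values written by this class
    private readonly ICookieManager _inner = new ChunkingCookieManager();

    public string? GetRequestCookie(HttpContext context, string key)
    {
        var raw = _inner.GetRequestCookie(context, key);   // reassembles chunks first
        if (raw is null || !raw.StartsWith(Prefix, StringComparison.Ordinal))
            return raw;                    // cookie issued before this class was registered
        try
        {
            var bytes = Convert.FromHexString(raw.AsSpan(Prefix.Length));
            return Encoding.UTF8.GetString(bytes);
        }
        catch (FormatException)
        {
            return null;                   // truncated or altered value: treat as no cookie
        }
    }

    public void AppendResponseCookie(HttpContext context, string key, string? value, CookieOptions options)
    {
        // The handler passes the protected (encrypted, base64url) ticket; re-encode it
        // before it is written to Set-Cookie. Integrity still comes from data protection.
        var encoded = value is null
            ? null
            : Prefix + Convert.ToHexString(Encoding.UTF8.GetBytes(value));
        _inner.AppendResponseCookie(context, key, encoded, options);
    }

    public void DeleteCookie(HttpContext context, string key, CookieOptions options)
        => _inner.DeleteCookie(context, key, options);
}

// Registration in Program.cs (assumes the default "Cookies" scheme name):
// builder.Services.Configure<CookieAuthenticationOptions>(
//     CookieAuthenticationDefaults.AuthenticationScheme,
//     o => o.CookieManager = new HexCookieManager());
```

Hex encoding doubles the value length, which the wrapped `ChunkingCookieManager` absorbs by splitting the value across several cookies. The OpenID Connect correlation and nonce cookies are written by the OIDC handler itself and are not covered by this class.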

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)