3

I'm getting a '403 ModSecurity Action' on PUT requests to my API. Gets and Posts work as expected.

The first thing I thought about is that the WAF may be blocking specific verbs (i.e. PUT), which is 'REQUEST-911-METHOD-ENFORCEMENT'. More info here.

But then the networking team managed to find the log for the request -

TimeGenerated: 2018-05-04T09:55:42Z
    AzureDiagnostics    5/4/2018 10:55:42.000 AM    AzureDiagnostics    ApplicationGatewayFirewall  ApplicationGatewayFirewallLog   WAF-CPP-01  52.233.137.239  OWASP   3.0 200002  Blocked Global  Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required.    JSON parsing error: parse error: invalid object key (must be a string)\x0a          cpp.api.cardiff.gov.uk  ApplicationGatewayRole_IN_0         

$table  AzureDiagnostics
TenantId    31c4d3f2-394f-4c06-833c-9d22912ec8ab
SourceSystem    Azure
TimeGenerated   2018-05-04T09:55:42Z
Type    AzureDiagnostics
ResourceId  /SUBSCRIPTIONS/ECA58BF3-DF5E-41E6-B113-BB96E1EBC768/RESOURCEGROUPS/RG-CPP-COREINFRASTRUCTURE/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WAF-CPP-01
OperationName   ApplicationGatewayFirewall
Category    ApplicationGatewayFirewallLog
Resource    WAF-CPP-01
ResourceGroup   RG-CPP-COREINFRASTRUCTURE
ResourceProvider    MICROSOFT.NETWORK
SubscriptionId  eca58bf3-df5e-41e6-b113-bb96e1ebc768
clientIp_s  52.233.137.239
ruleSetType_s   OWASP
ruleSetVersion_s    3.0
ruleId_s    200002
Message Mandatory rule. Cannot be disabled. Failed to parse request body.
action_s    Blocked
site_s  Global
details_message_s   Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required.
details_data_s  JSON parsing error: parse error: invalid object key (must be a string)\x0a
hostname_s  cpp.api.cardiff.gov.uk
instanceId_s    ApplicationGatewayRole_IN_0
requestUri_s    /Notification/api/Notification/
ResourceType    APPLICATIONGATEWAYS
clientPort_d    0

    AzureDiagnostics    5/4/2018 10:55:42.000 AM    AzureDiagnostics    ApplicationGatewayAccess    ApplicationGatewayAccessLog WAF-CPP-01                                              ApplicationGatewayRole_IN_0 52.233.137.239  PUT 

$table  AzureDiagnostics
TenantId    31c4d3f2-394f-4c06-833c-9d22912ec8ab
SourceSystem    Azure
TimeGenerated   2018-05-04T09:55:42Z
Type    AzureDiagnostics
ResourceId  /SUBSCRIPTIONS/ECA58BF3-DF5E-41E6-B113-BB96E1EBC768/RESOURCEGROUPS/RG-CPP-COREINFRASTRUCTURE/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WAF-CPP-01
OperationName   ApplicationGatewayAccess
Category    ApplicationGatewayAccessLog
Resource    WAF-CPP-01
ResourceGroup   RG-CPP-COREINFRASTRUCTURE
ResourceProvider    MICROSOFT.NETWORK
SubscriptionId  eca58bf3-df5e-41e6-b113-bb96e1ebc768
instanceId_s    ApplicationGatewayRole_IN_0
clientIP_s  52.233.137.239
httpMethod_s    PUT
requestUri_s    /Notification/api/Notification/
requestQuery_s  -
userAgent_s PostmanRuntime/7.1.1
httpVersion_s   HTTP/1.1
sslEnabled_s    on
host_s  cpp.api.cardiff.gov.uk
ResourceType    APPLICATIONGATEWAYS
clientPort_d    1,025
httpStatus_d    400
receivedBytes_d 1,360
sentBytes_d 185
timeTaken_d 56

The error mentions that there is an error with the request body and that the JSON is incorrect. But everything seems fine on my end :/

I've tested through swagger and postman.

tshepang
IeuanW
  • It would be good to see the audit.log part of that request. Without that, I'm not sure anybody can help in this issue. – airween Aug 02 '21 at 06:12
  • I think everything is there @airween: "details_message_s Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. details_data_s JSON parsing error: parse error: invalid object key (must be a string)\x0a" I am not sure what ModSec engine Azure uses these days (and thus which JSON body processor), but it might be a bug on their end. Could you share your JSON payload so we can reproduce on native ModSec? – dune73 Aug 02 '21 at 07:29
  • @dune73, that's why I asked the audit log, I assume that contains the payload :) – airween Aug 02 '21 at 11:19
  • If we're lucky, yes. :) But I guess we were too late noticing this question is 3 years old... – dune73 Aug 04 '21 at 07:40
  • we are facing the same issue, did you get any workaround? – IT 247 Pro Sep 21 '22 at 22:06

2 Answers

0

We just had this exact issue with our WAF. The problem was not that the JSON was malformed, but that it was too large. I've been unable to find exact numbers on what constitutes a large JSON payload, but it occurs for us if the content-length of the request exceeds about 120-150kb.

Thomas
0

I had the same problem, and it turned out to be a limitation in the Application Gateway WAF Policy which only allowed it to inspect request bodies with a size under 128 kB.

The infrastructure is in Azure for me and apparently a version upgrade of the Application Gateway will allow bodies up to 2 MB to be inspected (and parsed).

For Application gateways in Azure the body size limitations are documented here: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#limits

Jens Roderus
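Both answers attribute rule 200002 blocks to request size rather than malformed JSON. The following is an added example, not code from either answer or from Azure: it joins firewall-log and access-log records on timestamp, client IP and URI to show which body-parse blocks came from requests at or over the inspection limit. The field names are those in the logs above; the sample records, the function name and the reading of 128 kB as 128 * 1024 bytes are assumptions.

```python
# Added example: correlate WAF rule 200002 blocks with access-log request sizes.
# Field names come from the logs on this page; the records below are constructed.

INSPECTION_LIMIT = 128 * 1024  # 128 kB limit quoted in the answer (assumed KiB)

def _num(value):
    """Parse numbers exported with thousands separators, e.g. '1,360'."""
    return int(str(value).replace(",", ""))

def _key(rec):
    # The firewall log uses clientIp_s, the access log uses clientIP_s.
    ip = rec.get("clientIp_s") or rec.get("clientIP_s")
    return (rec["TimeGenerated"], ip, rec["requestUri_s"])

def triage_body_parse_blocks(firewall_log, access_log, limit=INSPECTION_LIMIT):
    """Return one finding per rule-200002 block, with the likely cause."""
    # receivedBytes_d is used as an approximation of request size (assumption).
    sizes = {_key(r): _num(r["receivedBytes_d"]) for r in access_log}
    findings = []
    for rec in firewall_log:
        if rec.get("ruleId_s") != "200002":
            continue  # only the mandatory body-parse rule is of interest here
        size = sizes.get(_key(rec))
        if size is None:
            cause = "no-matching-access-record"
        elif size >= limit:
            cause = "request-at-or-over-inspection-limit"
        else:
            cause = "request-under-limit-check-payload"
        findings.append({"uri": rec["requestUri_s"], "bytes": size, "cause": cause})
    return findings

# Constructed sample records (illustrative values, not from a real gateway).
FIREWALL = [
    {"TimeGenerated": "2024-01-01T10:00:00Z", "clientIp_s": "203.0.113.10",
     "ruleId_s": "200002", "requestUri_s": "/api/items/"},
    {"TimeGenerated": "2024-01-01T10:05:00Z", "clientIp_s": "203.0.113.11",
     "ruleId_s": "200002", "requestUri_s": "/api/items/"},
    {"TimeGenerated": "2024-01-01T10:06:00Z", "clientIp_s": "203.0.113.11",
     "ruleId_s": "911100", "requestUri_s": "/api/items/"},
]
ACCESS = [
    {"TimeGenerated": "2024-01-01T10:00:00Z", "clientIP_s": "203.0.113.10",
     "requestUri_s": "/api/items/", "receivedBytes_d": "1,360"},
    {"TimeGenerated": "2024-01-01T10:05:00Z", "clientIP_s": "203.0.113.11",
     "requestUri_s": "/api/items/", "receivedBytes_d": "152,400"},
]

if __name__ == "__main__":
    for finding in triage_body_parse_blocks(FIREWALL, ACCESS):
        print(finding)
```

A block classified as under the limit points back at the payload or its Content-Type rather than at the size limit.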