
I'm re-configuring an existing SOAP web service to run behind an Azure Application Gateway with Web Application Firewall.

The SOAP web service is written in C# and runs in Azure as a web role within an Azure Cloud Service. It supports both SOAP 1.1 and SOAP 1.2 at present.

I have configured an Azure Application Gateway, with the Web Application Firewall enabled, to run in front of this service. The WAF is using the OWASP 3.0 rule set.

Sending test requests from SoapUI, it appears that the Application Gateway WAF is allowing SOAP 1.1 requests through, but is blocking SOAP 1.2 requests (returning a 403 error). I can't find any reference to why this might be happening in the documentation or anything else. I know it's the WAF, because disabling it allows the SOAP 1.2 requests through.

The HTTP headers for the (working) SOAP 1.1 request look like this (service and namespace URLs removed):

POST http://{serviceURL}/{service}.asmx HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://{namespaceURL}/{method}"
Content-Length: 3672
Host: {serviceURL}
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

The HTTP header for the (not working) SOAP 1.2 request looks like this:

POST http://{serviceURL}/{service}.asmx HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="http://{namespaceURL}/{method}"
Content-Length: 3652
Host: {serviceURL}
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Looking at the WAF logs, I think that the issue is the change to the Content-Type, which based on my (not in-depth) understanding of SOAP 1.2, is correct.

Any thoughts appreciated. It seems like SOAP remains in wide enough use that the Azure Application Gateway / WAF should support it.

dtopham75
  • what error do you see in the WAF logs? – andresm53 Jul 03 '18 at 17:18
  • It says "Request content type is not allowed by policy". The Content-Type for SOAP 1.1 is text/xml. For SOAP 1.2 it's application/soap+xml. I think the WAF is blocking this content type. The WAF implements the OWASP 3.0 policies. In the OWASP 3.0.1 release notes (https://raw.githubusercontent.com/SpiderLabs/owasp-modsecurity-crs/v3.0/master/CHANGES), it mentions this: * Support for RFC 3902 (Content Type application/soap+xml; Christoph Hansen). So it looks like the policy has been updated to handle this. But the WAF has not. – dtopham75 Jul 04 '18 at 12:35
  • I would suggest to open a support case with Microsoft, to see if they are planning to update the rules. In the meantime, as a workaround, you can disable that rule. Go to Application Gateway > Web Application Firewall > Advanced Rule Configuration > REQUEST-920-PROTOCOL-ENFORCEMENT and disable the rule 920420 – andresm53 Jul 04 '18 at 12:55
  • Thanks. Have logged a support ticket, and have disabled the offending rule. Now works. – dtopham75 Jul 05 '18 at 16:53
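The comment thread pins the 403 on CRS rule 920420, which captures the media type from the Content-Type header (everything up to the first `;` or whitespace), lowercases it and tests it with `@within` against the `tx.allowed_request_content_type` list. The Python model below is an added example, not code from the question or from ModSecurity/CRS; it reproduces that decision over request heads shaped like the two SoapUI requests above, so you can see why `text/xml` passes and `application/soap+xml` is rejected, and that extending the allow-list is a narrower fix than disabling the rule. The two allow-lists are illustrative approximations of the CRS 3.0 default, not verbatim copies of any release, and the page does not say whether Application Gateway exposes that variable for editing.

```python
"""Model of CRS rule 920420 ("Request content type is not allowed by policy").

Added example, not code from the post or from ModSecurity/CRS. It mirrors the
published rule's shape: capture the media type up to the first ';' or
whitespace, lowercase it, and check membership in the allowed-type list.
"""
import re
from typing import Dict, Optional, Tuple

# Assumption: approximates the CRS 3.0 default list, which has no SOAP 1.2 entry.
ALLOWED_CRS30 = (
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/xml",
    "application/xml",
    "application/x-amf",
    "application/json",
)
# Assumption: the same list once application/soap+xml (RFC 3902) is permitted.
ALLOWED_WITH_SOAP12 = ALLOWED_CRS30 + ("application/soap+xml",)

# Same capture the rule applies to REQUEST_HEADERS:Content-Type.
MEDIA_TYPE_RE = re.compile(r"^([^;\s]+)")


def parse_request_head(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP request head (request line + headers) into a header map."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def split_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'type/subtype; k=v; ...' into the media type and its parameters.

    SOAP 1.2 carries the operation in the action="..." parameter, which is
    what a SOAP 1.2 router dispatches on; rule 920420 only looks at the
    media type and ignores every parameter.
    """
    match = MEDIA_TYPE_RE.match(value)
    media_type = match.group(1).lower() if match else ""  # rule uses t:lowercase
    params: Dict[str, str] = {}
    for part in value.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        if key:
            params[key.lower()] = val.strip().strip('"')
    return media_type, params


def rule_920420(headers: Dict[str, str], allowed: Tuple[str, ...]) -> Optional[dict]:
    """Return a block decision, or None when the request passes the rule.

    A request with no Content-Type header is not matched at all, which is
    why a bare GET never trips this rule.
    """
    value = headers.get("content-type")
    if value is None:
        return None
    media_type, _ = split_content_type(value)
    if media_type in allowed:
        return None
    return {"id": 920420, "msg": "Request content type is not allowed by policy",
            "logdata": media_type, "status": 403}


# Constructed inputs shaped like the two SoapUI requests in the question.
SOAP11_HEAD = """POST http://{serviceURL}/{service}.asmx HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://{namespaceURL}/{method}"
Host: {serviceURL}
"""

SOAP12_HEAD = """POST http://{serviceURL}/{service}.asmx HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="http://{namespaceURL}/{method}"
Host: {serviceURL}
"""


def evaluate(raw_head: str, allowed: Tuple[str, ...]) -> Optional[int]:
    """Rule id that fired for this request head, or None if it passes."""
    decision = rule_920420(parse_request_head(raw_head), allowed)
    return decision["id"] if decision else None


if __name__ == "__main__":
    for label, head in (("SOAP 1.1", SOAP11_HEAD), ("SOAP 1.2", SOAP12_HEAD)):
        for policy, allowed in (("CRS 3.0 list", ALLOWED_CRS30),
                                ("with soap+xml", ALLOWED_WITH_SOAP12)):
            print(f"{label:8} {policy:14} -> {evaluate(head, allowed) or 'pass'}")
```

Running it shows the question's observation exactly: the SOAP 1.1 head passes under both lists, the SOAP 1.2 head is blocked by 920420 under the 3.0 list and passes once `application/soap+xml` is allowed. Because the check is on the bare media type, the `action` parameter that distinguishes SOAP 1.2 requests plays no part in the decision, so disabling the rule (the workaround taken in the comments) removes the content-type allow-list for every request, not just SOAP 1.2 ones.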
