We use Application Insights on the frontend, and we also use Azure Front Door with a WAF (Web Application Firewall) policy.

I can see in WAF logs that a lot of requests are blocked by some WAF Managed Rules.

When I inspected the WAF logs, I found that requests are blocked because of values in the cookies ai_session and ai_user (App Insights cookies).

Rules that block requests:

  • (942210) Detects chained SQL injection attempts 1/2 - blocks the request because of the OR value in the ai_session cookie, like this: D/6NkwBRWBcMc4OR7+EFPs|1647504934370|1647505171554
  • (942450) SQL Hex Encoding Identified - blocks because of the 0x value in the ai_user cookie, like this: mP4urlq9PZ9K0xc19D0SbK|2022-03-17T10:53:02.452Z
  • (932150) Remote Command Execution: Direct Unix Command Execution - blocks because of the ai_session cookie with value: KkNDKlGfvxZWqiwU945/Cc|1647963061962|1647963061962

Is there a way to force App Insights to generate "secure" cookies?
Why does Azure generate cookie values that, on the other side, cause requests to be blocked by Azure Firewall?
I know that I can allow those WAF rules, but is there any other solution?

Petofi

1 Answer

We have started to encounter this error as well; disabling (or setting to allowed) the OWASP rules as you indicated will work.

I have opened a bug report on the project page that outlines this in more detail here: https://github.com/microsoft/ApplicationInsights-JS/issues/1974. The gist of it, as you identified, is the WAF rule's regex being overzealous.

The IDs that are eventually used by the cookies are generated by this section of code: https://github.com/microsoft/ApplicationInsights-JS/blob/0c76d710a0cd465f0b8b5e143250898122511874/shared/AppInsightsCore/src/JavaScriptSDK/RandomHelper.ts#L125-L145

If the developers choose, they have various ways to solve the problem:

  1. Test the generated cookies against the list of known regex and then regenerate on failure.
  2. Remove some of the offending combinations to avoid the rules entirely.

We'll have to see how that plays out. If you cannot do this, in theory you could branch the project and then add such changes yourself, but I would not recommend vendoring the SDK.

aolszowka
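Option 1 from the answer above (test a generated ID against the WAF patterns and regenerate on a match), sketched as an added example that is neither ApplicationInsights-JS code nor the Azure managed rule set. The two regexes are simplified stand-ins for rules 942210 and 942450, `randomId` and `safeId` are hypothetical names, and rule 932150 is not modelled because the question does not say which substring triggered it.

```javascript
// Added example: not ApplicationInsights-JS code and not the Azure rule set.
// Simplified stand-in patterns (assumptions) for two rules named in the
// question; take the real expressions from the rule set your WAF enforces.
const WAF_PATTERNS = [
  { rule: "942210", re: /\d(?:or|and|xor)\d/i },       // e.g. "4OR7"
  { rule: "942450", re: /(?:^|[^\d])0x[a-f\d]{3,}/i }, // e.g. "K0xc19D0"
];

// Return the ID of every stand-in rule that the value would trip.
function matchedRules(value) {
  return WAF_PATTERNS.filter(({ re }) => re.test(value)).map(({ rule }) => rule);
}

// Hypothetical generator: 22 base64 characters, the length of the IDs
// shown in the question. Uses the Web Crypto API (browser or recent Node).
function randomId(length = 22) {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(length));
  return btoa(String.fromCharCode(...bytes)).slice(0, length);
}

// Regenerate until the ID passes every pattern. The attempt cap keeps an
// over-broad pattern list from turning into an endless loop.
function safeId(generate = randomId, maxAttempts = 20) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const id = generate();
    if (matchedRules(id).length === 0) return { id, attempts: attempt };
  }
  throw new Error(`no WAF-clean ID after ${maxAttempts} attempts`);
}

// Constructed demo: replay the two blocked ID prefixes from the question,
// followed by a constructed clean value, through the regenerate loop.
const replay = [
  "D/6NkwBRWBcMc4OR7+EFPs",
  "mP4urlq9PZ9K0xc19D0SbK",
  "abcdefghijklmnopqrstuv",
];
for (const id of replay) console.log(id, matchedRules(id));
console.log(safeId(() => replay.shift()));
```

The same `matchedRules` check can run in a unit test over a large batch of generated IDs to estimate how often a given generator collides with the rules you enforce.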