Questions tagged [web-application-firewall]

A web application firewall is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation.

From OWASP:

A web application firewall is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

A far more detailed description is available at Wikipedia.

261 questions
1 vote · 2 answers

Is there a way to lower anomaly score per request path and per rule in modsec?

Hi, I am trying to tweak down the anomaly score for a web page that has free text in it. I have found that the anomaly score can be customized on a per-rule basis in the core rule set and that it can be increased overall. But I'd like to do this specifically…
Technoshaft · 679 · 6 · 18

1 vote · 1 answer

Azure ARM Templates - Application Gateway Web Application Firewall Configuration SelectorMatchOperator Syntax

I'm using an ARM template for creating an application gateway in Azure. When creating the web application firewall configuration section I'm adding exclusions in the firewall. One of the exclusions I'm trying to add has an operator of "Equals any".…
1 vote · 1 answer

AWS WAF with IP restriction

I have an AWS API Gateway which should only be accessed by requests coming from Salesforce IP ranges. How do I accomplish that in CloudFormation with AWS::WAFv2::WebACL?
Tracy Xia · 371 · 9 · 22

1 vote · 0 answers

Failed to load resource: the server responded with a status of 500 (Internal Server Error) webresource.axd, scriptresource.axd

Failed to load resource: the server responded with a status of 500 (Internal Server Error) Request_Details.aspx:88 Uncaught Error: ASP.NET Ajax client-side framework failed to load. at…
1 vote · 1 answer

AWS WAF IP blacklisting and Rate limiting

Can somebody clarify how AWS WAF pricing works in the scenarios mentioned below? Once the malicious IPs are blacklisted using IP sets, does the WAF charge us for subsequent requests from those blacklisted IPs? When the requests are rate…
1 vote · 1 answer

Getting error "errorMessage": "[Errno 30] Read-only file system: 'output.txt'" when I'm appending logs to the file

I'm getting an error when I'm trying to append the filtered data to output.txt. Error: Response: { "errorMessage": "[Errno 30] Read-only file system: 'output.txt'", "errorType": "OSError", "stackTrace": [ [ …
1 vote · 1 answer

What are the potential risks of not using a Web Application Firewall?

I develop and manage a small promotional/marketing website on WordPress for a startup SaaS product. We're using Cloudflare for DNS and whatnot. Apparently the WAF has been turned on, which uses a proxy and changes the user's IP address. I'm trying to…
Daveh0 · 952 · 9 · 33

1 vote · 0 answers

How to return Nginx proxy back (Python)

I used an Nginx reverse proxy to "redirect" requests coming to localhost:80 to localhost:8085, where my Python server is running; it's currently a web server written in Flask. And I need to do some transformations with that request and send it back to…
tmyn · 11 · 3

1 vote · 0 answers

Could not access my application in DigitalOcean through public IP?

I faced an issue regarding the ufw Ubuntu firewall rule on DigitalOcean. I already allowed the port in from anywhere, but still I cannot access my application via the public IP on the port that I allowed. How to allow the ufw firewall rule for my…
Jonh · 95 · 1 · 2 · 13

1 vote · 0 answers

After hosting, says 'HTTP Error 403.0 - ModSecurity Action. You do not have permission to view this directory or page.'

Angular production build and C# back end publish successfully completed. Both dist and publish folders are uploaded to the Plesk server. After that, it shows the error when the web application firewall is turned off,…
Arshad N · 11 · 2

1 vote · 4 answers

Is there any Web Application Firewall for ASP.NET?

I want to harden my website against simple DoS/XSS/SQLi/etc., but I don't want to delve into security programming for now, so I want to use a ready-made class or library, something like "mod_security" on Linux. About a year ago I'd found a project…
Vahid Hashemi · 5,182 · 10 · 58 · 88

1 vote · 2 answers

AAD reply url is flagged by WAF in Azure

I have enabled the Web Application Firewall in Azure Front Door with the default policy in detection mode. In the logs generated by the WAF, we can see the firewall is marking the reply URL set in AAD with action as Block. I believe the…
1 vote · 1 answer

Why shouldn't we allow body in a GET or HEAD request?

I'm coming to this from the InfoSec side, not the AppDev side; I just wanted to put that caveat in first. The issue is that my WAF is blocking certain images with the response "HTTP protocol compliance failed: Body in GET or HEAD requests". I need to…
centre21 · 21 · 4

1 vote · 3 answers

Denial of Service attack for One Time Password resend function

In our web application, we have a function where the user resets his/her password. Part of the process requires sending an OTP via SMS. The thing is, we have a function in our page that allows the user to resend the OTP in case it was not received due to…
1 vote · 0 answers

AWS CloudFormation WAF: request header (x-token) is not empty, then allow it

Trying to create a CloudFormation template to configure WAF with a "header empty or not" check condition and pass the request accordingly to the ALB. Couldn't find the right template yet. Any pointers would be…