cloud armor exclude uri failure

How to make signature exception via uri?

Test URL: https://www.test.com/aaa/?abc=test(1234)
Exclusion based on URI /aaa/, but it does not take effect


The command:
gcloud compute security-policies rules add-preconfig-waf-exclusion 100 \
--security-policy=policyname \
--target-rule-set="xss-v33-stable" \
--target-rule-ids="owasp-crs-v030301-id942432-sqli" \
--request-uri-to-exclude "op=CONTAINS,val=/aaa/"

Configuration file section:
- action: deny(403)
  description: ''
  kind: compute#securityPolicyRule
  match:
    expr:
      expression: evaluatePreconfiguredWaf('sqli-v33-stable')
    exprOptions:
      recaptchaOptions: {}
  preconfiguredWafConfig:
    exclusions:
    - requestUrisToExclude:
      - op: CONTAINS
        val: /aaa/
      targetRuleIds:
      - owasp-crs-v030301-id942432-sqli
      targetRuleSet: sqli-v33-stable
  preview: false
  priority: 100

Hi @song ,

It seems you have been using the op field in the requestUrisToExclude section incorrectly. The op field should be set to EQUALS instead of CONTAINS. The EQUALS operation checks if the request URI exactly matches the specified value. You can review this documentation for more details.

You can check my example configuration file section :

- action: deny(403)
  description: ''
  kind: compute#securityPolicyRule
  match:
    expr:
      expression: evaluatePreconfiguredWaf('sqli-v33-stable')
    exprOptions:
      recaptchaOptions: {}
  preconfiguredWafConfig:
    exclusions:
    - requestUrisToExclude:
      - op: EQUALS
        val: /aaa/
      targetRuleIds:
      - owasp-crs-v030301-id942432-sqli
      targetRuleSet: sqli-v33-stable
  preview: false
  priority: 100

The corresponding command should be:

gcloud compute security-policies rules add-preconfig-waf-exclusion 100 \
--security-policy=policyname \
--target-rule-set="xss-v33-stable" \
--target-rule-ids="owasp-crs-v030301-id942432-sqli" \
--request-uri-to-exclude "op=EQUALS,val=/aaa/"

This will correctly exclude requests with the URI /aaa/ from the sqli-v33-stable rule set. Let me know if this helps.

 

Hi Marvin:

thanks for your reply, 

I changed the op from CONTAINS to EQUALS, but the test results still cannot be excluded.

the GUI:

song_0-1709285533328.png

the log:

song_1-1709285647811.png

 

Also, I pasted the command wrong:

--target-rule-set="xss-v33-stable" \  

It should be as follows, but actually testing the command is fine:

--target-rule-set="sqli-v33-stable" \ 
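The paste mix-up above (an exclusion targeting xss-v33-stable on a rule whose expression evaluates sqli-v33-stable) is the kind of wiring error that is easy to miss in an exported policy. As an added example that is not from this thread or from Google, here is a small lint pass over the rule structure shown in the question. The rule is embedded as a Python dict mirroring the exported YAML (constructed, so it runs without PyYAML); the operator list is the one the preconfiguredWafConfig schema accepts, and the check that a rule id's suffix matches the rule-set family (e.g. `-sqli` for sqli-v33-stable) is a heuristic on the naming scheme, not an API guarantee.

```python
import re

# Operators accepted by the *ToExclude entries of preconfiguredWafConfig.
EXCLUSION_OPS = {"EQUALS", "STARTS_WITH", "ENDS_WITH", "CONTAINS", "EQUALS_ANY"}
# Exclusion field lists an exclusion entry may carry.
EXCLUSION_FIELDS = ("requestUrisToExclude", "requestHeadersToExclude",
                    "requestCookiesToExclude", "requestQueryParamsToExclude")
WAF_CALL = re.compile(r"evaluatePreconfiguredWaf\(\s*'([^']+)'")


def page_rule(target_rule_set="sqli-v33-stable", op="CONTAINS", val="/aaa/"):
    """The rule from the thread as the dict its exported YAML maps to (constructed).
    Parameters let the tests reproduce the mistakes discussed in the thread."""
    return {
        "action": "deny(403)",
        "kind": "compute#securityPolicyRule",
        "match": {"expr": {"expression": "evaluatePreconfiguredWaf('sqli-v33-stable')"}},
        "preconfiguredWafConfig": {"exclusions": [{
            "requestUrisToExclude": [{"op": op, "val": val}],
            "targetRuleIds": ["owasp-crs-v030301-id942432-sqli"],
            "targetRuleSet": target_rule_set,
        }]},
        "preview": False,
        "priority": 100,
    }


def lint_rule(rule):
    """Return a list of findings. An empty list means every exclusion is wired to
    the rule set the expression actually evaluates and uses valid operators."""
    findings = []
    expression = rule.get("match", {}).get("expr", {}).get("expression", "")
    exclusions = rule.get("preconfiguredWafConfig", {}).get("exclusions", [])
    m = WAF_CALL.search(expression)
    if not m:
        if exclusions:
            findings.append("rule has exclusions but its expression never calls evaluatePreconfiguredWaf")
        return findings
    rule_set = m.group(1)             # e.g. sqli-v33-stable
    family = rule_set.split("-")[0]   # e.g. sqli (heuristic on the rule-set naming scheme)
    for i, exc in enumerate(exclusions):
        target = exc.get("targetRuleSet")
        if target != rule_set:
            findings.append(f"exclusion {i}: targetRuleSet {target!r} does not match the "
                            f"expression's rule set {rule_set!r}, so it never applies to this rule")
        for rid in exc.get("targetRuleIds", []):
            if not rid.endswith("-" + family):
                findings.append(f"exclusion {i}: rule id {rid!r} is not in the {family} family")
        for fld in EXCLUSION_FIELDS:
            for entry in exc.get(fld, []):
                if entry.get("op") not in EXCLUSION_OPS:
                    findings.append(f"exclusion {i}: {fld} uses unknown op {entry.get('op')!r}")
                if not entry.get("val"):
                    findings.append(f"exclusion {i}: {fld} entry has an empty val")
    return findings


if __name__ == "__main__":
    for label, rule in (("as exported", page_rule()),
                        ("pasted command", page_rule(target_rule_set="xss-v33-stable"))):
        print(label, "->", lint_rule(rule) or "no findings")
```

Run it against the JSON/YAML export of a policy (`gcloud compute security-policies describe`) after converting the rule to a dict; a targetRuleSet finding is the first thing to rule out before suspecting the exclusion semantics themselves.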

 

I'm experiencing the same issue when using URI exclusions and CONTAINS. For example, if I want to exclude all requests with `/v1/abc/*` I use the exclusion URI CONTAINS `v1/abc/` but I still see the request being evaluated in the policy logs.

@song , @azunna1 
Please use this method to exclude the chosen URI paths from a WAF rule check.
For example, if I want a URL with '/ca-test' to be excluded from a sql injection attack, my match condition would be -

evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1}) && !request.path.matches('/ca-test')

By adding

!request.path.matches('/ca-test')

to the match condition, I ensure that whichever URL has '/ca-test' in it is not matched.

So what's the point of having the exclusions feature if it doesn't work as intended or is there something we're missing?

If we take an example of the below HTTP request which contains a SQL injection attack -

curl 'http://34.160.55.68/ca-test/getdata.php?EID=a%27%20OR%201=1%20%23&Password='

The whole URI has the path portion - 

http://34.160.55.68/ca-test/getdata.php

 

and the query parameters version -

EID=a%27%20OR%201=1%20%23&Password=

 

Via the Exclude Request Fields method, we only excluded the path portion (excluding /ca-test)

It still continued to check the query parameters portion, which had the SQL injection. So the rule got applied.

 

This is mentioned here (though not very clearly)

https://cloud.google.com/armor/docs/rule-tuning#request_uri

 

So, the correct way to do it in this case is to ensure that we match right at the WAF rule stage, where if a particular path gets matched, exclude the check at the WAF rule itself, and not go into the Exclusion stage.

I am having the same issue where the URI should be excluded but the body of the request is triggering a block and I'm now wondering if my understanding of the exclusions is just wrong. I had thought that if I add an exclusion for the URI it would skip checking all aspects of the request if the URI matched. I now have a suspicion that adding a URI exclusion simply tells Armor to ignore checking the URI value itself against the rule but still check everything else. In my case, the body of the request for the matching URI is still checked and blocked if triggered. Can someone confirm if my suspicion is correct or not? I would like to add, ideally it would allow the entire request to skip a given rule not just the URI portion if it were a match.

Your understanding is correct @bobbake4!
Please see the example and explanation I gave in the response to azunna1 above.
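The explanation given for azunna1's query-parameter case and the body case bobbake4 asks about are the same mechanism, so one added simulation serves both. This is example code written for this thread, not Cloud Armor's engine or anything Google publishes: it models a request as three inspectable fields (URI, each query parameter, body), applies a requestUrisToExclude entry the way the thread describes (only the URI field is dropped from inspection), and contrasts that with the `evaluatePreconfiguredWaf(...) && !request.path.matches(...)` match expression, which skips the whole request. The "SQLi signature" is a deliberately narrow constructed regex standing in for the CRS rule, and the requests are constructed from the examples in the thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote

# Constructed stand-in for the CRS SQLi signature discussed in the thread:
# a quote followed by "OR <n>=<n>". Narrow on purpose; not the real rule.
SQLI_SIGNATURE = re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+")


@dataclass
class Request:
    """Constructed request: path, raw (still percent-encoded) query string, body text."""
    path: str
    query: str = ""
    body: str = ""


def uri_excluded(path: str, exclusions: list) -> bool:
    """Apply requestUrisToExclude entries ({"op": ..., "val": ...}) to the path.
    Operator names follow the preconfiguredWafConfig schema."""
    for exc in exclusions:
        op, val = exc["op"], exc["val"]
        if op == "EQUALS" and path == val:
            return True
        if op == "CONTAINS" and val in path:
            return True
        if op == "STARTS_WITH" and path.startswith(val):
            return True
        if op == "ENDS_WITH" and path.endswith(val):
            return True
    return False


def inspected_fields(req: Request, exclusions: list) -> dict:
    """Fields the signature runs against, following the thread's explanation:
    a request-URI exclusion removes only the URI field; each query parameter
    and the body are separate fields and are still inspected."""
    fields = {}
    if not uri_excluded(req.path, exclusions):
        raw_uri = req.path + ("?" + req.query if req.query else "")
        fields["request_uri"] = unquote(raw_uri)
    for name, value in parse_qsl(req.query, keep_blank_values=True):
        fields[f"query:{name}"] = value
    if req.body:
        fields["body"] = req.body
    return fields


def waf_with_uri_exclusion(req: Request, exclusions: list) -> list:
    """Exclude Request Fields approach. Returns the fields that triggered the
    signature; an empty list means the rule did not fire for this request."""
    return [name for name, value in inspected_fields(req, exclusions).items()
            if SQLI_SIGNATURE.search(value)]


def waf_with_path_guard(req: Request, guard_regex: str) -> list:
    """Match-expression approach from the thread:
    evaluatePreconfiguredWaf(...) && !request.path.matches(guard_regex).
    When the guard matches the path, the whole request skips the WAF check."""
    if re.search(guard_regex, req.path):
        return []
    return [name for name, value in inspected_fields(req, []).items()
            if SQLI_SIGNATURE.search(value)]


if __name__ == "__main__":
    # Constructed requests modelled on the thread's examples.
    thread_req = Request("/ca-test/getdata.php", "EID=a%27%20OR%201=1%20%23&Password=")
    body_req = Request("/ca-test/submit", body="name=x' OR 1=1")
    other_req = Request("/other", "id=1%27%20OR%201=1")
    exclusions = [{"op": "CONTAINS", "val": "/ca-test"}]
    for r in (thread_req, body_req, other_req):
        print(r.path, "| exclusion ->", waf_with_uri_exclusion(r, exclusions),
              "| path guard ->", waf_with_path_guard(r, "/ca-test"))
```

The output makes the thread's point concrete: with the URI exclusion the /ca-test requests still fire on `query:EID` and on `body`, while the path guard returns nothing for them and still fires on the untouched /other path. The same harness also shows why EQUALS did not help the original poster: an EQUALS on `/ca-test` never matches the longer path `/ca-test/getdata.php`, so the URI field is not even dropped.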