Application Gateway WAF has essential rules disabled
ID | app_gateway_waf_policy_rules
Severity | low
Vendor | Azure
Resource | WAF
Tags | reachable
Description
Azure application gateway should have WAF policy with essential rules enabled.
WAF provides some protection against application-layer attacks, and this rule enforces that application gateways enable a WAF with a proper mode.
To enable a Web Application Firewall on Application Gateway, you must create a WAF policy. This policy is where all the managed rules, custom rules, exclusions, and other customizations such as file upload limit exist.
A WAF policy consists of two types of security rules:
- Custom rules.
- Managed rule sets: collections of Azure-managed, pre-configured rules such as the OWASP core rule sets 3.2, 3.1, 3.0, or 2.2.9.
Rules can be disabled on a rule-by-rule basis, or you can set specific actions for individual rules.
This detector can be configured to alert when certain essential rules are disabled, for example rule 944240 in the JAVA group, which blocks attacks against applications running a vulnerable version of the Apache Log4j 2 library.
See WAF Policy Rules for an introduction to Azure WAF Policy rules.
See WAF Core Rule Sets for an introduction to Azure WAF CRS rules.
Examples
ARM
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies",
      "apiVersion": "2019-09-01",
      "name": "bad", (1)
      "location": "[resourceGroup().location]",
      "properties": {
        "policySettings": {
          "fileUploadLimitInMb": 100,
          "maxRequestBodySizeInKb": 128,
          "mode": "Prevention",
          "requestBodyCheck": true,
          "state": "Enabled"
        },
        "managedRules": {
          "exclusions": [],
          "managedRuleSets": [
            {
              "ruleSetType": "OWASP",
              "ruleSetVersion": "3.2",
              "ruleGroupOverrides": [
                {
                  "ruleGroupName": "REQUEST-944-APPLICATION-ATTACK-JAVA",
                  "rules": [
                    {
                      "ruleId": "944240",
                      "state": "Disabled"
                    },
                    {
                      "ruleId": "920320",
                      "state": "Disabled"
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  ]
}
(1) WAF policy disables essential rules.
Terraform
resource "azurerm_web_application_firewall_policy" "bad_2" {
  name                = "example-wafpolicy2"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
        disabled_rules  = ["920300", "920440"]
      }
      rule_group_override {
        rule_group_name = "REQUEST-944-APPLICATION-ATTACK-JAVA"
        disabled_rules  = ["944240", "920320"] (1)
      }
    }
  }
}
(1) FLAW: without 944240, Log4Shell will not be blocked by the WAF.
Mitigation / Fix
Buildtime
ARM
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies",
      "apiVersion": "2019-09-01",
      "name": "good", (1)
      "location": "[resourceGroup().location]",
      "properties": {
        "policySettings": {
          "fileUploadLimitInMb": 100,
          "maxRequestBodySizeInKb": 128,
          "mode": "Prevention",
          "requestBodyCheck": true,
          "state": "Enabled"
        },
        "managedRules": {
          "exclusions": [],
          "managedRuleSets": [
            {
              "ruleSetType": "OWASP",
              "ruleSetVersion": "3.2"
            }
          ]
        }
      }
    }
  ]
}
(1) WAF policy with essential rules enabled.
Terraform
resource "azurerm_web_application_firewall_policy" "good_2" {
  name                = "example-wafpolicy2"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
        disabled_rules  = ["920300", "920440"]
      }
      rule_group_override {
        rule_group_name = "REQUEST-944-APPLICATION-ATTACK-JAVA"
        disabled_rules  = ["920320"] (1)
      }
    }
  }
}
(1) Fixed: 944240 is no longer disabled, so the WAF can detect Log4Shell attempts.
Configuration
The detector has two properties:
- versionsAllowed, a map keyed by managed rule-set name (like OWASP or Microsoft_BotManagerRuleSet) whose value is a regex pattern expressing the versions allowed.
- rulesToBeKept, a map keyed by rule group name with the list of rules considered essential, which SHOULD NOT be disabled.
Example app_gateway_waf_policy_rules.yml configuration file:
properties:
  # The versions allowed for the WAF policy, keyed by managed rule-set name.
  versionsAllowed:
    # Example: OWASP rule-set versions 3.1 and later have the minimum essential rules as of today
    OWASP: '^[4-9]\.|^3\.[1-9]'
  # The essential rules that should NOT be disabled, keyed by group name.
  rulesToBeKept:
    # Example: rule for Log4Shell attack
    REQUEST-944-APPLICATION-ATTACK-JAVA: [ '944240' ]
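As an added example (not the detector's own code and not part of the original page), the following Python applies the two checks this page describes, the versionsAllowed regex per managed rule set and the rulesToBeKept lookup per rule group override, to a parsed ARM template. The configuration dict mirrors the YAML above; the sample template, the resource names bad/legacy/good and the function names are constructed for this example.

```python
import json
import re

# Detector configuration, mirroring the app_gateway_waf_policy_rules.yml example
# on this page (written here as a Python dict instead of YAML).
CONFIG = {
    "versionsAllowed": {"OWASP": r"^[4-9]\.|^3\.[1-9]"},
    "rulesToBeKept": {"REQUEST-944-APPLICATION-ATTACK-JAVA": ["944240"]},
}

WAF_POLICY_TYPE = "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies"


def check_waf_policy(resource, config=CONFIG):
    """Return finding strings for one ARM WAF policy resource (empty if compliant)."""
    findings = []
    name = resource.get("name", "<unnamed>")
    managed = resource.get("properties", {}).get("managedRules", {})
    for rule_set in managed.get("managedRuleSets", []):
        rs_type = rule_set.get("ruleSetType")
        rs_version = str(rule_set.get("ruleSetVersion", ""))
        # versionsAllowed: the rule-set version must match the configured regex.
        allowed = config["versionsAllowed"].get(rs_type)
        if allowed and not re.search(allowed, rs_version):
            findings.append(f"{name}: {rs_type} version {rs_version} not allowed by pattern {allowed}")
        # rulesToBeKept: an override that disables an essential rule is a finding.
        for override in rule_set.get("ruleGroupOverrides", []):
            group = override.get("ruleGroupName")
            essential = set(config["rulesToBeKept"].get(group, []))
            for rule in override.get("rules", []):
                rule_id = str(rule.get("ruleId"))
                disabled = rule.get("state", "Enabled").lower() == "disabled"
                if disabled and rule_id in essential:
                    findings.append(f"{name}: essential rule {rule_id} in group {group} is disabled")
    return findings


def check_template(template, config=CONFIG):
    """Run the check over every WAF policy resource in a parsed ARM template."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") == WAF_POLICY_TYPE:
            findings.extend(check_waf_policy(res, config))
    return findings


# Constructed sample template: "bad" and "good" follow the examples on this page;
# "legacy" is added to exercise the version check (OWASP 3.0 is not allowed).
SAMPLE_TEMPLATE_JSON = """
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies",
     "apiVersion": "2019-09-01", "name": "bad",
     "properties": {"managedRules": {"managedRuleSets": [
       {"ruleSetType": "OWASP", "ruleSetVersion": "3.2",
        "ruleGroupOverrides": [
          {"ruleGroupName": "REQUEST-944-APPLICATION-ATTACK-JAVA",
           "rules": [{"ruleId": "944240", "state": "Disabled"},
                     {"ruleId": "920320", "state": "Disabled"}]}]}]}}},
    {"type": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies",
     "apiVersion": "2019-09-01", "name": "legacy",
     "properties": {"managedRules": {"managedRuleSets": [
       {"ruleSetType": "OWASP", "ruleSetVersion": "3.0"}]}}},
    {"type": "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies",
     "apiVersion": "2019-09-01", "name": "good",
     "properties": {"managedRules": {"managedRuleSets": [
       {"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}]}}}
  ]
}
"""
SAMPLE_TEMPLATE = json.loads(SAMPLE_TEMPLATE_JSON)

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(finding)
```

Only a rule listed under rulesToBeKept for its group raises a finding, so disabling 920320 in the Java group passes, exactly as in the fixed Terraform example; a rule set whose version fails the regex is reported even when it has no overrides at all.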