User input is being blocked by Azure WAF

by Roman Markin -
Number of replies: 2

Hi,

I have a question related to Moodle security and would appreciate any constructive help in resolving it.

We have a Moodle deployed on Azure cloud infrastructure with Azure WAF enabled. Like the other guys on this forum, we have, as expected, run into the issue where the WAF blocks harmless user input when it matches firewall rules.

Specifically, we have the following SQLI-related rule triggered in the form /mod/quiz/attempt.php:

Message: SQL Injection Attack

ruleId_s: 942480

ruleGroup_s: REQUEST-942-APPLICATION-ATTACK-SQLI

action_s: Matched

details_message_s: Pattern match (?isad?:\\b(?sad?:s(?:elect\\b.{1,100}?\\b(?sad?sad?:length|count)\\b.{1,100}?|.*?\\bdump\\b.*)\\bfrom|to(?:p\\b.{1,100}?\\bfrom|_(?:numbe|cha)r)|(?:from\\b.{1,100}?\\bwher|data_typ)e|instr)|ys_context)|in(?:to\\b\\W*?\\b(?:dump|out)file|sert\\b\\W*?\\binto|ner\\b\\W*?\\bjoin)|u(?:nion\\b.{1,100}?\\bselect|tl_inaddr)|group\\b.*?\\bby\\b.{1,100}?\\bhaving|d(?:elete\\b\\W*?\\bfrom|bms_\\w+\\.)|load\\b\\W*?\\bdata\\b.*?\\binfile)\\b|print\\b\\W*?\\@\\@)|(?:\\W*?\\b(?:shutdown|drop)|collation\\W*?\\(a|\\@\\@version)\\b|'(?:s(?:qloledb|a)|msdasql|dbo)')) at ARGS.

details_data_s: Matched Data: insert into found within ARGS:q2330:9_answer: insert into


Together with our IT security team, we are looking for a solution that will remediate user input and keep us as secure as possible. In order to disable or make exceptions to WAF rules, we need to collect a body of justifications that Moodle will be able to withstand all the variety of SQLI attacks.

My request is to help me compose a list of such justifications. Here's what I already have:

1) double-check that we are using the latest version of Moodle and that there are no known SQL-related security flaws reported in "Security Announcements" https://moodle.org/security/.

2) verify that all DB interactions in the Quiz module are implemented through the dmllib methods and that values are inserted into SQL using placeholders only (according to the "What you need to do in your code" recommendation in https://docs.moodle.org/dev/Security:SQL_injection).

3) run an SQL-focused penetration test against the quiz-related controllers, e.g. with sqlmap.

4) ...(your suggestion)...

I would also like advice on what options there are, in principle, to stop the WAF from blocking such requests, and whether they are possible without modifying the Moodle core code.

Thank you,
--Roman

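One way to make a start on item 2 of the list above, as an added example that is not from Moodle or from this thread: a heuristic audit script that scans PHP source for dmllib calls taking raw SQL and flags those whose SQL string interpolates or concatenates a PHP value instead of using ? or :name placeholders. The PHP snippets are constructed for illustration, calls are assumed to fit on one line, and the method list is what I would start from rather than an exhaustive list of dmllib.

```python
import re

# Constructed PHP snippets standing in for quiz-module code under review (not Moodle source).
SAMPLE_PHP = r'''
$DB->get_records_sql("SELECT * FROM {quiz_attempts} WHERE quiz = ?", [$quizid]);
$DB->get_record_sql("SELECT * FROM {quiz_attempts} WHERE id = :id", ['id' => $attemptid]);
$DB->execute("UPDATE {quiz_attempts} SET state = 'finished' WHERE id = $attemptid");
$DB->get_records_sql("SELECT * FROM {question} WHERE name LIKE '%" . $search . "%'");
$DB->get_records('quiz_attempts', ['userid' => $USER->id]);
'''

# dmllib methods whose first argument is raw SQL (assumed starting list); the array-based
# methods such as get_records() build their own SQL and are not inspected here.
RAW_SQL_METHODS = {
    'execute', 'get_records_sql', 'get_record_sql', 'get_recordset_sql',
    'get_field_sql', 'get_fieldset_sql', 'count_records_sql', 'record_exists_sql',
}
# Heuristic: one $DB->method(...) call per line.
CALL_RE = re.compile(r'\$DB->(\w+)\s*\((.*)\)\s*;')

def classify_sql_argument(args):
    """Return None if the SQL argument looks safe, otherwise a short reason for review."""
    args = args.lstrip()
    if not args or args[0] not in '"\'':
        return 'SQL is not a string literal (built elsewhere; inspect manually)'
    quote = args[0]
    end = args.find(quote, 1)
    if end == -1:
        return 'unterminated string literal'
    literal, rest = args[1:end], args[end + 1:].lstrip()
    if quote == '"' and '$' in literal:
        return 'PHP variable interpolated into SQL string'
    if rest.startswith('.'):
        return 'value concatenated into SQL string'
    return None  # only literal SQL with ? / :name placeholders reaches the DB

def audit_dml_calls(php_source):
    """Scan PHP source; return (lineno, method, reason) for raw-SQL calls that need review."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = CALL_RE.search(line)
        if not m or m.group(1) not in RAW_SQL_METHODS:
            continue
        reason = classify_sql_argument(m.group(2))
        if reason:
            findings.append((lineno, m.group(1), reason))
    return findings

if __name__ == '__main__':
    for lineno, method, reason in audit_dml_calls(SAMPLE_PHP):
        print(f'line {lineno}: $DB->{method}(): {reason}')
```

Lines flagged by the script are candidates for manual review, not confirmed injection points; anything it cannot classify (SQL assembled in a variable) still has to be read by hand.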
In reply to Roman Markin

Re: User input is being blocked by Azure WAF

by Tim Hunt -

WAF is designed to protect simple websites, where all the GET and POST data values are expected to be very, very simple. It is definitely not designed, out of the box, to protect sites like Moodle, where people do things like discuss maths. Some of its heuristics are massively over-paranoid. (There was a time when we worked out that the reason a forum post was getting blocked was because the user was trying to post text which included '1+1'. Yes, really!)

So, to use WAF with Moodle, you should definitely expect to have to customise the default ruleset, to disable a number of the excessively broad heuristics. The way Moodle is coded, you should not need WAF, but if you tame its excesses, it can be useful belt-and-braces extra protection.

On our system, the rules we have disabled are:

Name: AWSManagedRulesCommonRuleSet
ExcludedRules:
- Name: CrossSiteScripting_BODY
- Name: CrossSiteScripting_QUERYARGUMENTS
- Name: EC2MetaDataSSRF_BODY
- Name: EC2MetaDataSSRF_COOKIE
- Name: GenericLFI_BODY
- Name: GenericRFI_BODY
- Name: GenericRFI_QUERYARGUMENTS
- Name: NoUserAgent_HEADER # This was breaking Moodle SOAP webservice, where it needs to load its own WSDL.
- Name: RestrictedExtensions_QUERYARGUMENTS
- Name: RestrictedExtensions_URIPATH
- Name: SizeRestrictions_BODY
- Name: SizeRestrictions_QUERYSTRING

Name: AWSManagedRulesSQLiRuleSet
ExcludedRules:
- Name: SQLi_BODY
- Name: SQLi_QUERYARGUMENTS
- Name: SQLiExtendedPatterns_BODY

(If you don't have courses that teach about SQL databases, you might not need that second batch.)

Average of ratings: Useful (2)
In reply to Tim Hunt

Re: User input is being blocked by Azure WAF

by Roman Markin -

Hi Tim,

Thanks a lot for your extended answer. This helped convince the security team to make exceptions to the WAF rules for our Moodle instance.

--Roman