WAF is blocking ASP.NET website due to Scriptresource.axd

Submitted by 风格不统一 on 2020-01-16 12:02:16

Question


ASP.NET (Framework 3.5, IIS 8.5, Windows Server 2012 R2) with the Ajax Control Toolkit is being blocked by the WAF (Web Application Firewall). The following is the screenshot from the WAF.

These are the signatures from the WAF.

I tried disabling the Ajax components on the web page but am still getting the same problem.

Any suggestions?


Answer 1:


It's referencing an ASP.NET padding attack vector that is rated "HIGH". Depending on your WAF this is probably a prebuilt signature blocking your application and may not be directly related to the Ajax controls.

CVE-2010-3332

There are several routes to take:

  1. Determine if you are in fact exposing sensitive IIS error codes during decryption and resolve in code. It's an old CVE so up-to-date ASP.NET will mitigate what it can. The rest is up to the developer.
  2. Validate your system is up to date on patches (ASP updates, Windows Updates, whatever updates). The Microsoft vulnerability was fixed in patch MS10-070.
  3. If this is in fact a true false positive, you'll need to train the WAF to treat this code and application behavior as acceptable. This is the last resort if you've exhausted code and patching and determined this is not the CVE causing the signature block.

Web application firewalls are very different from traditional firewalls (or NG) in that they need to be tailored to a specific application to work properly. It's a pain but it's needed to properly protect an individual application.

Your WAF should be able to run in a transparent learning mode to understand acceptable behaviors and create a policy around default application behavior. Once the learning process is complete, you can then turn on an enforcing behavior and alert on errors. Then fix the errors in the WAF or in the application. Once that's complete, you can then enforce and block on error. How this is accomplished is dependent on the WAF vendor.

Since this is a CVE signature block, you may need to dig deeper into how .Net is processing the URL.
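
An added example, not part of the original answer: before training the WAF to accept the traffic as a false positive, the IIS logs can be checked for the pattern that padding-oracle probing leaves, namely one client sending many failing requests to `ScriptResource.axd` or `WebResource.axd`, each with a different `d=` value. The log field set, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs

AXD_HANDLERS = ("/scriptresource.axd", "/webresource.axd")

def parse_iis_log(text):
    """Yield one dict per request from W3C extended log text, using its #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def triage_axd_errors(text, min_errors=20, min_error_ratio=0.9):
    """Return {client_ip: stats} for clients whose .axd traffic looks like oracle probing.
    Thresholds are assumed defaults; tune them to the site's normal traffic."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "d_values": set()})
    for req in parse_iis_log(text):
        if not req["cs-uri-stem"].lower().endswith(AXD_HANDLERS):
            continue
        s = stats[req["c-ip"]]
        s["total"] += 1
        s["errors"] += int(req["sc-status"]) >= 400
        s["d_values"].update(parse_qs(req["cs-uri-query"]).get("d", []))
    flagged = {}
    for ip, s in stats.items():
        # Many failed requests, each carrying a different d= ciphertext, is the probing pattern.
        if (s["errors"] >= min_errors and s["errors"] / s["total"] >= min_error_ratio
                and len(s["d_values"]) >= min_errors):
            flagged[ip] = {"total": s["total"], "errors": s["errors"],
                           "distinct_d": len(s["d_values"])}
    return flagged

def constructed_sample():
    """Constructed log: one ordinary browser and one client sending 40 malformed d= values."""
    header = "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status\n"
    normal = ["2020-01-16 12:00:0%d GET /ScriptResource.axd d=AAAA&t=1 10.0.0.5 200" % i
              for i in range(3)]
    probe = ["2020-01-16 12:01:%02d GET /ScriptResource.axd d=cipher%04d 203.0.113.7 %d"
             % (i, i, 500 if i % 4 else 404) for i in range(40)]
    return header + "\n".join(normal + probe) + "\n"

if __name__ == "__main__":
    print(triage_axd_errors(constructed_sample()))
```

An empty result for the clients the WAF blocked supports the false-positive route; a flagged client means the signature is firing on real probing and the patching and error-handling routes come first.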



Source: https://stackoverflow.com/questions/52205228/waf-is-blocking-asp-net-website-due-to-scriptresource-axd
