False positive on 200004 MULTIPART_UNMATCHED_BOUNDARY #827

Closed
elexisvenator opened this issue Jun 29, 2017 · 3 comments

@elexisvenator

commented Jun 29, 2017

Hi,

I have a .net application set up behind an Azure Application Gateway with WAF configured (owasp3.0).
When uploading files to this application I use the js File API to split the file into chunks, a common enough pattern. However, some of the chunks get blocked by the firewall (see below). This doesn't happen to all chunks but it is common enough that a 100mb file will probably encounter the issue.

I have created a barebones test website which reproduces the issue here: https://github.com/elexisvenator/AzureWAF-chunked-upload-test

I have contacted Microsoft support about this issue and while they acknowledge that the firewall is falsely blocking this request they are unwilling to disable this mandatory rule, citing that the rule is owned by a 3rd party (OWASP). They suggest that I ask here for the rule to be revised.

I found a reference to MULTIPART_UNMATCHED_BOUNDARY in the ModSecurity reference manual that suggests that you should disable the rule if you get many false positives. Is this rule safe to disable if there are a large number of false positives? Should it be moved out of the 200* set of rules to make it easier to configure?

Thanks for any help you can provide

```json
{
    "resourceId": "/SUBSCRIPTIONS/[sub]/RESOURCEGROUPS/[resource_group]/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/[applicaiton_gateway]",
    "operationName": "ApplicationGatewayFirewall",
    "time": "2017-06-28T23:26:21Z",
    "category": "ApplicationGatewayFirewallLog",
    "properties": {
        "instanceId": "ApplicationGatewayRole_IN_0",
        "clientIp": "IP ADDRESS",
        "clientPort": "0",
        "requestUri": "/api/File/Upload?resumableChunkNumber=8&resumableChunkSize=1048576&resumableCurrentChunkSize=1048576&resumableTotalSize=13411785&resumableType=application%2Fpdf&resumableIdentifier=068099c3-b1cd-7370-2176-29e843fa61dc&resumableFilename=NET-Microservices-Architecture-for-Containerized-NET-Applications-(Microsoft-eBook)%20(2).pdf&resumableRelativePath=NET-Microservices-Architecture-for-Containerized-NET-Applications-(Microsoft-eBook)%20(2).pdf&resumableTotalChunks=12",
        "ruleSetType": "OWASP",
        "ruleSetVersion": "3.0",
        "ruleId": "200004",
        "message": "Mandatory rule. Cannot be disabled. Multipart parser detected a possible unmatched boundary.",
        "action": "Blocked",
        "site": "Global",
        "details": {
            "message": "Access denied with code 403 (phase 2). Match of \"eq 0\" against \"MULTIPART_UNMATCHED_BOUNDARY\" required.",
            "data": "",
            "file": "",
            "line": ""
        }
    }
}
```
@dune73

Collaborator

commented Jun 29, 2017

You are in a bad situation and I feel your pain.

The rule in question is recommended by the ModSecurity project (ModSecurity: The Engine), while you reported to the OWASP ModSecurity Core Rule Set project (The standard rules).
See here for the original recommendation: https://github.com/SpiderLabs/ModSecurity/blob/v2/master/modsecurity.conf-recommended

The rule depends on the MULTIPART_UNMATCHED_BOUNDARY variable of the engine which is not very good at detecting unmatched boundaries in multipart file uploads. This leads to false positives. It's a known problem and people usually disable the rule. Personally, I do not even include it in my configurations. See here for a brief discussion: https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/

The way to go is to at least disable the rule for your specific request.

Feel free to quote this message and to tell the support the author of the 2nd edition of the ModSecurity Handbook told you so.

Can you get me in touch with the Microsoft support? I would like to talk to them about their setup...

@dune73 closed this Jun 29, 2017
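
The two ways of disabling the rule mentioned in the reply above, shown as an added example that is not part of the thread or of either project's shipped configuration. It assumes a self-managed ModSecurity v2 deployment where the configuration can be edited; the rule id `1000100` is a hypothetical local id, and the path is taken from the `requestUri` in the log entry above.

```apache
# Added example (not from the thread). Rule id 1000100 is a hypothetical
# local id; pick one from your own reserved range.

# Broad: removes rule 200004 for every request handled by this server.
# The directive must come after the file that defines 200004 is loaded.
# SecRuleRemoveById 200004

# Scoped: removes 200004 only for POSTs to the chunk-upload endpoint.
# It runs in phase 1, so the removal is in place before 200004 is
# evaluated in phase 2. REQUEST_FILENAME excludes the query string, so
# the long resumable* parameters do not affect the match.
# The ctl action sits on the last rule of the chain so that it only
# fires when both conditions have matched.
SecRule REQUEST_FILENAME "@streq /api/File/Upload" \
    "id:1000100,phase:1,t:none,pass,nolog,chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "ctl:ruleRemoveById=200004"
```

With the scoped form, every other rule still applies to the upload endpoint, and 200004 still applies to every other URL.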

@elexisvenator

Author

commented Jun 29, 2017

Thanks dune73,

I have forwarded your response to Microsoft Support.

@elexisvenator

Author

commented Jul 3, 2017

For anyone who has this issue and stumbles across this thread, there is a Microsoft Feedback item you can track here: https://feedback.azure.com/forums/34192--general-feedback/suggestions/19773868-support-chunked-file-transfers-through-azure-appli
