Generated values for tab_id and session_code are blocked by AWS WAF

Hello Community!

Using login via user/password or via OIDC, during the request chain there are two query params: tab_id and session_code.
Sometimes these two query params may contain multiple dashes (-). When there are more than 2 dashes in a row, AWS WAF identifies the request as SQL injection. The double-dash sequence (--) is a comment indicator in SQL.

e.g. /auth/realms//login-actions/authenticate?session_code=<session_code>&execution=&client_id=<client_id>&tab_id=1- -sAGs187

Is there any configuration related to these query params in Keycloak?

Thank you.


Hi !!!

I have the same problem on an Azure WAF. Does anyone know how to fix the problem with the characters in tab_id or has it been fixed? It causes false positives and I don’t want to have to exclude the rule.

Thanks in advance.

Hi, I have the same problem on Azure WAF as well. Have you got the solution? Thanks

I think the solution is adding a whitelist rule in AWS WAF for these requests.
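The following is an added example, not code from the thread, from Keycloak or from any WAF vendor. It models the two situations discussed above in plain Python: a generic "--" SQL-comment signature applied to every query parameter (the false positive the first post describes) next to the same signature with a narrow exemption for the parameters Keycloak generates (the whitelist idea in the last reply). The URL is constructed, the parameter names tab_id and session_code come from the thread, and the assumption that generated values only contain base64url-style characters is mine; the point is that the exemption is keyed on both the parameter name and the expected value shape, so a tab_id carrying anything unexpected is still inspected.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample, modelled on the URL in the thread. The host, realm and
# parameter values are placeholders, not real Keycloak output.
SAMPLE_URL = (
    "https://sso.example.test/auth/realms/demo/login-actions/authenticate"
    "?session_code=abc-def--ghi&execution=exec-1&client_id=my-app&tab_id=1--sAGs187"
)

# A generic SQL-comment signature of the kind the thread describes: "--".
SQL_COMMENT = re.compile(r"--")

# Parameters Keycloak generates itself during the login flow (names from the thread).
KEYCLOAK_GENERATED = ("tab_id", "session_code")

# Assumption: the generated values are base64url-style tokens, so only
# A-Z, a-z, 0-9, "-" and "_" are expected. Anything else is not what Keycloak
# would emit and must not be exempted from inspection.
GENERATED_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")


def query_params(url):
    """Return the percent-decoded (name, value) pairs of a URL's query string."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def naive_sqli_flags(url):
    """Apply the signature to every parameter: the false-positive behaviour."""
    return [name for name, value in query_params(url) if SQL_COMMENT.search(value)]


def scoped_sqli_flags(url, exempt=KEYCLOAK_GENERATED):
    """Apply the signature everywhere except to exempt parameters whose value
    still looks like a generated token. An exempt parameter that carries
    unexpected characters (spaces, quotes, brackets) is inspected like any other."""
    flagged = []
    for name, value in query_params(url):
        if name in exempt and GENERATED_TOKEN.fullmatch(value):
            continue
        if SQL_COMMENT.search(value):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("naive :", naive_sqli_flags(SAMPLE_URL))   # both generated params flagged
    print("scoped:", scoped_sqli_flags(SAMPLE_URL))  # nothing flagged
```

When translating this into an actual WAF exclusion, scope it the same way: exclude only the named query arguments from the SQLi rule rather than disabling the rule for the whole login path, so other parameters on the same request keep their protection.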