Keycloak behind Azure Application Gateway and Web Application Firewall

We have been running Keycloak in Azure for quite a while, using Azure Application Gateway (AG) as the front-end towards the Internet. Keycloak itself runs on a private IP address, on a private DNS Zone. We have also configured Azure DDoS protection on the AG public IP, and enabled Web Application Firewall (WAF) on the AG.

Now I have some problems when I’m trying to switch WAF from ‘Detection’ to ‘Prevention’ mode. It gives me quite a bunch of false positives when authenticating with external Identity Providers with SAML. The SAML data in the requests seems to randomly match the WAF OWASP 3.2 rules, and in prevention mode this of course denies the access → login fails due to a false positive. Also the JWTs seem to randomly match OWASP rules.

My question is, has anybody collected any list of WAF rules which should be disabled? Or would it be better to create allow rules based on the RequestUri? What would be the best practice? I would really like to use WAF in preventive mode, but these false positives are driving me crazy…

So far my WAF override list contains these:

rule group REQUEST-942-APPLICATION-ATTACK-SQLI:
* 942340 Detects basic SQL authentication bypass attempts 3/3
* 942430 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
* 942440 SQL Comment Sequence Detected.
* 942450 SQL Hex Encoding Identified

rule group REQUEST-931-APPLICATION-ATTACK-RFI:
* 931130 Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link

… but for example yesterday I got yet another false positive on logout, where the id_token_hint (base64-encoded JSON) happened to match with REQUEST-930-APPLICATION-ATTACK-LFI: 930120 OS File Access Attempt:

Pattern match from file lfi-os-files.data at ARGS.
{.nsr found within [ARGS:id_token_hint:eyJhbGciOiJ***]}

/auth/realms/***/protocol/openid-connect/logout?id_token_hint=eyJhbG***Yvissk&post_logout_redirect_uri=https%3A%2F%2F***%2F***%2F***2%2Flogout
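As an added example (not configuration from the original post), here is how the two tuning approaches look side by side in an Azure WAF policy written in Bicep: a coarse rule-group override like the list above, and an argument-scoped exclusion that lifts only rule 930120 for the id_token_hint parameter that tripped it. The policy name is a placeholder and the schema is as I know it for this API version; confirm the field names against the version you deploy.

```bicep
// Added example, not the poster's configuration. Policy name is a placeholder;
// rule IDs are the ones quoted in the post. Verify the schema for your API version.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'keycloak-waf-policy'
  location: resourceGroup().location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: true
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
          // Coarse: a disabled rule is off for every request and every parameter.
          ruleGroupOverrides: [
            {
              ruleGroupName: 'REQUEST-942-APPLICATION-ATTACK-SQLI'
              rules: [ { ruleId: '942430', state: 'Disabled' } ]
            }
          ]
        }
      ]
      // Fine-grained: 930120 stays active everywhere except for the base64
      // id_token_hint argument that caused the false positive on logout.
      exclusions: [
        {
          matchVariable: 'RequestArgNames'
          selectorMatchOperator: 'Equals'
          selector: 'id_token_hint'
          exclusionManagedRuleSets: [
            {
              ruleSetType: 'OWASP'
              ruleSetVersion: '3.2'
              ruleGroups: [
                {
                  ruleGroupName: 'REQUEST-930-APPLICATION-ATTACK-LFI'
                  rules: [ { ruleId: '930120' } ]
                }
              ]
            }
          ]
        }
      ]
    }
  }
}
```

A custom rule with action Allow matched on RequestUri skips the entire managed rule set for those paths, so it is the least precise of the three options. Keep Detection-mode logging on while tuning so that every exclusion can be traced back to a concrete match like the one quoted above.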