asp.net - WAF is blocking ASP.NET website due to Scriptresource.axd
Problem description
ASP.NET (Framework 3.5, IIS 8.5, Windows Server 2012 R2) with the Ajax Control Toolkit is being blocked by a WAF (Web Application Firewall). Following is the screenshot from the WAF.
These are the signatures from the WAF.
I tried disabling the Ajax components on the web page but am still getting the same problem.
Any suggestions?
Solution
It's referencing an ASP.NET padding attack vector that is rated "HIGH". Depending on your WAF this is probably a prebuilt signature blocking your application and may not be directly related to the Ajax controls.
There are several routes to take:
- Determine if you are in fact exposing sensitive IIS error codes during decryption and resolve in code. It's an old CVE so up-to-date ASP.NET will mitigate what it can. The rest is up to the developer.
- Validate your system is up to date on patches (ASP updates, Windows Updates, whatever updates). The Microsoft vulnerability was fixed in patch MS10-070.
- If this is in fact a true false positive, you'll need to train the WAF to treat this code and application behavior as acceptable. This is the last resort if you've exhausted code and patching and determined this is not the CVE causing the signature block.
Web application firewalls are very different from traditional firewalls (or NG firewalls) in that they need to be tailored to a specific application to work properly. It's a pain, but it's needed to properly protect an individual application.
Your WAF should be able to run in a learning/transparent mode to understand acceptable behaviors and create a policy around default application behavior. Once the learning process is complete, you can then turn on an enforcing behavior and alert on errors. Then fix the errors in the WAF or in the application. Once that's complete, you can enforce and block on error. How this is accomplished is dependent on the WAF vendor.
Since this is a CVE signature block, you may need to dig deeper into how .Net is processing the URL.
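As an added illustration of the first route above (checking how the application reports decryption errors), here is a web.config fragment that is not part of the original question or answer. The top half shows the kind of configuration that lets an attacker distinguish a padding failure from other errors; the bottom half shows the single-error-page setting that Microsoft documented as the workaround for the ASP.NET padding oracle (the issue fixed in MS10-070). The `~/Error.aspx` path is an assumed placeholder, not something on the page.

```xml
<!-- WEAK: ScriptResource.axd / WebResource.axd decryption failures produce a
     response that differs from other errors (detailed error text, or a
     distinct page per status code). Verbose errors reveal which step failed.
     Treat this block as the "before" example. -->
<configuration>
  <system.web>
    <!-- mode="Off" returns the detailed ASP.NET error page to every client -->
    <customErrors mode="Off" />
    <!-- or, just as bad for this attack: distinct pages per status code -->
    <!--
    <customErrors mode="On" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ServerError.aspx" />
    </customErrors>
    -->
  </system.web>
</configuration>

<!-- HARDENED: every error, including a failed decryption, is mapped to the
     same page and the same status, so the WAF signature for the padding
     attack has nothing to match and the oracle is removed. Remove all
     per-status <error> entries. redirectMode="ResponseRewrite" keeps the
     URL unchanged and is available on ASP.NET 3.5 SP1 and later. -->
<configuration>
  <system.web>
    <customErrors mode="On"
                  defaultRedirect="~/Error.aspx"
                  redirectMode="ResponseRewrite" />
  </system.web>
</configuration>
```

Patching (MS10-070 and later framework updates) is still the real fix; the configuration change only makes sure the application does not hand out distinguishable error responses while you confirm the patch level. After applying it, request a ScriptResource.axd URL with a deliberately malformed `d=` parameter from a test client and confirm the response is identical to any other error before retraining the WAF.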