AAD reply url is flagged by WAF in Azure
Question
I have enabled the Web Application Firewall in Azure Front Door with the default policy in detection mode.
In the logs generated by the WAF, we can see the firewall is marking the reply URL set in AAD with the action "Block".
I believe the firewall is detecting this as a threat.
Since the URL is required for AD authentication to work, what can be done to ensure security?
Or can this be ignored?
Answer 1
Score: 1
Go to your WAF policy of the Front Door WAF policy and click Managed rules. Collapse all, click the related rule and change its action to Allow. Then refresh the WAF in Front Door and it will apply.
You could create custom rules for the WAF with Azure Front Door and refer to the disabled rules in Application Gateway to fix false positives.
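Before changing a managed rule's action as described above, it helps to confirm from the WAF logs which rule fires on the registered reply URL and on nothing else, so the override stays as narrow as possible. The following is an added example, not code from the answer or from Azure; it assumes the Front Door WAF log property names (host, requestUri, ruleName, action, policyMode) and uses constructed sample entries.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample entries in the shape of Front Door WAF log records.
# In detection mode the "Block" action is only recorded; the request is not actually blocked.
SAMPLE_WAF_LOG = [
    {"properties": {"host": "app.example.com", "requestUri": "/signin-oidc?code=abc123&state=xyz",
                    "ruleName": "Microsoft_DefaultRuleSet-1.1-SQLI-942430",
                    "action": "Block", "policyMode": "detection"}},
    {"properties": {"host": "app.example.com", "requestUri": "/signin-oidc?code=abc123",
                    "ruleName": "Microsoft_DefaultRuleSet-1.1-PROTOCOL-ATTACK-921120",
                    "action": "Log", "policyMode": "detection"}},
    {"properties": {"host": "app.example.com", "requestUri": "/search?q=%27%20or%201%3D1",
                    "ruleName": "Microsoft_DefaultRuleSet-1.1-SQLI-942100",
                    "action": "Block", "policyMode": "detection"}},
]


def registered_reply_targets(reply_urls):
    """Return the (host, path) pairs of the reply URLs registered in the AAD app.

    AAD matches reply URLs exactly, so only scheme-less host and path matter here;
    the query string carries the authorization code and is never part of the match.
    """
    targets = set()
    for url in reply_urls:
        parts = urlsplit(url)
        targets.add((parts.netloc.lower(), parts.path or "/"))
    return targets


def triage_reply_url_blocks(log_entries, reply_urls):
    """Count Block actions per rule name, but only for requests to a registered reply URL.

    Blocks on any other URI are left out of the result on purpose: they may be real
    attacks and must not be swept up in the override that fixes the false positive.
    """
    targets = registered_reply_targets(reply_urls)
    hits = defaultdict(int)
    for entry in log_entries:
        props = entry["properties"]
        if props.get("action") != "Block":
            continue
        # requestUri may be a path+query or a full URL; urlsplit handles both.
        path = urlsplit(props["requestUri"]).path or "/"
        if (props["host"].lower(), path) in targets:
            hits[props["ruleName"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print(triage_reply_url_blocks(SAMPLE_WAF_LOG, ["https://app.example.com/signin-oidc"]))
```

The rule names returned are the ones whose action to change (or to exclude for the reply URL path only); an empty result means the blocks seen in the log are not on the reply URL at all.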
Answer 2
Score: 0
You shouldn't need the reply URL to work properly, as it's really only required to get the access token. If you're getting the access token and you don't need access to the reply URL, this shouldn't be something you need to worry about.
If you would like to get to the reply URL for purposes of your application, you could unblock it, but there shouldn't be any security issues assuming you know that the reply URL is secure.
Per the docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
> A redirect URI, or reply URL, is the location that the authorization server will send the user to once the app has been successfully authorized, and granted an authorization code or access token. The code or token is contained in the redirect URI or reply token so it's important that you register the correct location as part of the app registration process.