How to configure a Mendix app to align with OWASP rules and Azure WAF

Hello, I have a Mendix application hosted on premises. In front of that application there is an Azure WAF, and most legitimate connections get blocked. The WAF vendor's support confirmed that I need to rebuild the response from the Mendix side to align with the OWASP rules, otherwise the application would always be blocked. Any help on how to rebuild the application with OWASP rules, or is there a specific configuration for Azure WAF?
asked

1 answer

So, let me start off by saying that I am not familiar with the tool that is used to detect these issues. However, I am familiar with other automated scanning tools, and in my role as architect it sometimes falls to me to explain why the results of an automated scan are not applicable. In this case, it is pretty clear that this is an automated process as well, and that it produces incorrect results:

  • rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
  • rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
  • rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
  • rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
  • rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf


In my experience, these kinds of attacks are not applicable to a Mendix application: the platform ensures that this does not happen. What I usually do is engage in a conversation with the people performing the scans, ask them why they think there is a problem, and show them (somehow) that even though a certain request can be sent, it is handled differently than the scanning tool expects.


Do note, though, that "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf" may actually indicate an issue: out of the box, Mendix prevents XSS attacks, but custom widgets require developer attention to prevent XSS attacks. I would consider it worthwhile to investigate this issue, to ensure that XSS attacks are not actually possible.

answered
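Before asking the WAF vendor or Mendix to change anything, the practical first step is to find out which CRS rules are blocking the legitimate traffic and on which request fields. The script below is an added example, not code from the original question, the answer, Mendix or Microsoft. It reads an Application Gateway diagnostic export (one JSON object per line), keeps only the `ApplicationGatewayFirewallLog` records, groups the blocks by rule group and rule ID, pulls the matched variable (for example `ARGS:params`) out of the detail message, and emits per-rule, per-argument exclusion candidates in the shape of a WAF policy `managedRules.exclusions` entry. The log records are constructed; the property names (`ruleId`, `ruleGroup`, `action`, `requestUri`, `details.message`) and the exclusion document follow the Azure schemas as I know them, so verify both against the current Azure reference before using the output. The rule IDs (942100, 932150, 941100) are CRS 3.x rule numbers; the host, client IPs and payloads are hypothetical. The verdict labels encode the answer above (groups 930/931/932/933/942 as likely false positives for Mendix, 941 XSS as something to investigate), nothing more.

```python
"""Triage Azure Application Gateway WAF (OWASP CRS) blocks for a Mendix app.

Added example, not from the original post. Log field names and the exclusion
document are modelled on the Azure schemas as I know them; verify them against
the current reference before relying on the output.
"""
import json
import re
from collections import defaultdict

# Groups the answer above treats as not applicable to a Mendix runtime, versus
# the XSS group it says deserves a real look. Used only to label the report.
LIKELY_FALSE_POSITIVE_GROUPS = {
    "REQUEST-930-APPLICATION-ATTACK-LFI",
    "REQUEST-931-APPLICATION-ATTACK-RFI",
    "REQUEST-932-APPLICATION-ATTACK-RCE",
    "REQUEST-933-APPLICATION-ATTACK-PHP",
    "REQUEST-942-APPLICATION-ATTACK-SQLI",
}
INVESTIGATE_GROUPS = {"REQUEST-941-APPLICATION-ATTACK-XSS"}

# Constructed sample export: hypothetical host, client IPs and payloads.
SAMPLE_LOG = r'''
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/xas/","ruleSetType":"OWASP_CRS","ruleSetVersion":"3.2","ruleId":"942100","ruleGroup":"REQUEST-942-APPLICATION-ATTACK-SQLI","action":"Blocked","details":{"message":"Matched Data: s&1c found within ARGS:params","file":"rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"},"hostname":"app.example.internal"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.11","requestUri":"/xas/","ruleSetType":"OWASP_CRS","ruleSetVersion":"3.2","ruleId":"942100","ruleGroup":"REQUEST-942-APPLICATION-ATTACK-SQLI","action":"Blocked","details":{"message":"Matched Data: s&1c found within ARGS:params","file":"rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"},"hostname":"app.example.internal"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/xas/","ruleSetType":"OWASP_CRS","ruleSetVersion":"3.2","ruleId":"932150","ruleGroup":"REQUEST-932-APPLICATION-ATTACK-RCE","action":"Blocked","details":{"message":"Matched Data: ping found within ARGS:params","file":"rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"},"hostname":"app.example.internal"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.7","requestUri":"/xas/","ruleSetType":"OWASP_CRS","ruleSetVersion":"3.2","ruleId":"941100","ruleGroup":"REQUEST-941-APPLICATION-ATTACK-XSS","action":"Blocked","details":{"message":"Matched Data: <script> found within ARGS:params","file":"rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"},"hostname":"app.example.internal"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIp":"203.0.113.10","requestUri":"/index.html","httpStatus":200}}
'''

# CRS detail messages name the variable that matched, e.g. "found within ARGS:params".
MATCHED_IN = re.compile(r"found within (?P<var>[A-Z_]+):(?P<name>\S+)")


def parse_firewall_log(text):
    """Return the 'properties' of each firewall-log record; skip other categories and bad lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated export line must not stop the triage
        if entry.get("category") == "ApplicationGatewayFirewallLog":
            records.append(entry["properties"])
    return records


def summarize_blocks(records):
    """Group blocked requests by (ruleGroup, ruleId): count, URIs, matched variables, verdict."""
    summary = defaultdict(lambda: {"count": 0, "uris": set(), "matched": set(), "verdict": ""})
    for p in records:
        if p.get("action") != "Blocked":
            continue
        entry = summary[(p["ruleGroup"], p["ruleId"])]
        entry["count"] += 1
        entry["uris"].add(p.get("requestUri", "?"))
        m = MATCHED_IN.search(p.get("details", {}).get("message", ""))
        if m:
            entry["matched"].add((m.group("var"), m.group("name")))
        if p["ruleGroup"] in INVESTIGATE_GROUPS:
            entry["verdict"] = "investigate: confirm the payload is harmless before excluding"
        elif p["ruleGroup"] in LIKELY_FALSE_POSITIVE_GROUPS:
            entry["verdict"] = "likely false positive for Mendix; candidate for a scoped exclusion"
        else:
            entry["verdict"] = "review"
    return dict(summary)


def exclusion_candidates(summary, rule_set_type="OWASP_CRS", rule_set_version="3.2"):
    """Build WAF-policy style exclusions for the likely-false-positive groups only, scoped to
    one rule and one request argument each, rather than disabling a whole rule group."""
    exclusions = []
    for (group, rule_id), entry in sorted(summary.items()):
        if group not in LIKELY_FALSE_POSITIVE_GROUPS:
            continue
        for var, name in sorted(entry["matched"]):
            if var != "ARGS":
                continue  # only request-argument matches are mapped here
            exclusions.append({
                "matchVariable": "RequestArgNames",
                "selectorMatchOperator": "Equals",
                "selector": name,
                "exclusionManagedRuleSets": [{
                    "ruleSetType": rule_set_type,
                    "ruleSetVersion": rule_set_version,
                    "ruleGroups": [{"ruleGroupName": group, "rules": [{"ruleId": rule_id}]}],
                }],
            })
    return exclusions


if __name__ == "__main__":
    summary = summarize_blocks(parse_firewall_log(SAMPLE_LOG))
    for (group, rule_id), e in sorted(summary.items()):
        print(f"{rule_id} {group}: {e['count']} blocked on {sorted(e['uris'])} -> {e['verdict']}")
    print(json.dumps(exclusion_candidates(summary), indent=2))
```

Run it against a real export (or a Log Analytics export of the `ApplicationGatewayFirewallLog` category) instead of `SAMPLE_LOG`, and the report tells you whether the blocks concentrate on a handful of rules and one request field, which is the usual picture for a Mendix runtime endpoint such as `/xas/`. The exclusions it proposes are deliberately narrow (one rule, one argument name); for anything in the 941 XSS group the script refuses to propose an exclusion, matching the answer's advice to investigate custom widgets first. Putting the WAF in Detection mode while collecting this data avoids blocking users during the tuning period.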