cloud armor exclude uri failure

How to make signature exception via uri?

Test URL: https://www.test.com/aaa/?abc=test(1234)
Exclusion based on URI /aaa/, but it does not take effect.


The command:

    gcloud compute security-policies rules add-preconfig-waf-exclusion 100 \
        --security-policy=policyname \
        --target-rule-set="xss-v33-stable" \
        --target-rule-ids="owasp-crs-v030301-id942432-sqli" \
        --request-uri-to-exclude "op=CONTAINS,val=/aaa/"

Configuration file section:

    - action: deny(403)
      description: ''
      kind: compute#securityPolicyRule
      match:
        expr:
          expression: evaluatePreconfiguredWaf('sqli-v33-stable')
        exprOptions:
          recaptchaOptions: {}
      preconfiguredWafConfig:
        exclusions:
        - requestUrisToExclude:
          - op: CONTAINS
            val: /aaa/
          targetRuleIds:
          - owasp-crs-v030301-id942432-sqli
          targetRuleSet: sqli-v33-stable
      preview: false
      priority: 100
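A small checker I am adding here as an editor's example (not the poster's code and not part of Cloud Armor) that reproduces the two things worth verifying in a rule like the one above: whether the exclusion's targetRuleSet (and the family of its targetRuleIds) matches the rule set the expression actually evaluates, which is where the question's first command differs from its exported YAML, and how each requestUrisToExclude operator treats the test URL's path versus path plus query. It assumes the operator is applied to a plain URI string; whether Cloud Armor compares against the path alone or the full request target is not stated on this page, so the path/query split is flagged rather than decided.

```python
import re
from urllib.parse import urlsplit

# Constructed from the question: the exported rule, but with the target rule
# set that the poster's first gcloud command named (xss instead of sqli).
RULE = {
    "priority": 100,
    "action": "deny(403)",
    "match": {"expr": {"expression": "evaluatePreconfiguredWaf('sqli-v33-stable')"}},
    "preconfiguredWafConfig": {"exclusions": [{
        "requestUrisToExclude": [{"op": "CONTAINS", "val": "/aaa/"}],
        "targetRuleIds": ["owasp-crs-v030301-id942432-sqli"],
        "targetRuleSet": "xss-v33-stable",
    }]},
}
TEST_URL = "https://www.test.com/aaa/?abc=test(1234)"  # the question's test URL


def uri_matches(op, val, uri):
    """Apply one requestUrisToExclude operator to a URI string (assumed semantics)."""
    return {
        "EQUALS": uri == val,
        "STARTS_WITH": uri.startswith(val),
        "ENDS_WITH": uri.endswith(val),
        "CONTAINS": val in uri,
    }[op]


def lint_rule(rule, url):
    """Return findings explaining why an exclusion may not apply to `url`."""
    findings = []
    expr = rule["match"]["expr"]["expression"]
    evaluated = set(re.findall(r"evaluatePreconfiguredWaf\('([^']+)'", expr))
    parts = urlsplit(url)
    path = parts.path
    target = path + ("?" + parts.query if parts.query else "")
    for ex in rule.get("preconfiguredWafConfig", {}).get("exclusions", []):
        rs = ex["targetRuleSet"]
        if rs not in evaluated:
            findings.append(f"targetRuleSet {rs} is not evaluated by the expression ({sorted(evaluated)})")
        family = rs.split("-")[0]  # heuristic: 'sqli-v33-stable' -> 'sqli'
        for rid in ex.get("targetRuleIds", []):
            if not rid.endswith("-" + family):
                findings.append(f"rule id {rid} is not in the {family} family of {rs}")
        for cond in ex.get("requestUrisToExclude", []):
            hit_path = uri_matches(cond["op"], cond["val"], path)
            hit_target = uri_matches(cond["op"], cond["val"], target)
            if hit_path != hit_target:
                findings.append(f"{cond['op']} {cond['val']}: path match={hit_path}, path+query match={hit_target}")
    return findings
```

Run `lint_rule(RULE, TEST_URL)` against a policy exported with `gcloud compute security-policies export` once it is loaded into a dict; an empty list means the exclusion at least targets the right rule set and behaves the same with or without the query string.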

Hi @song ,

It seems you have been using the op field in the requestUrisToExclude section incorrectly. The op field should be set to EQUALS instead of CONTAINS. The EQUALS operation checks if the request URI exactly matches the specified value. You can review this documentation for more details.

You can check my example configuration file section:

    - action: deny(403)
      description: ''
      kind: compute#securityPolicyRule
      match:
        expr:
          expression: evaluatePreconfiguredWaf('sqli-v33-stable')
        exprOptions:
          recaptchaOptions: {}
      preconfiguredWafConfig:
        exclusions:
        - requestUrisToExclude:
          - op: EQUALS
            val: /aaa/
          targetRuleIds:
          - owasp-crs-v030301-id942432-sqli
          targetRuleSet: sqli-v33-stable
      preview: false
      priority: 100

The corresponding command should be:

    gcloud compute security-policies rules add-preconfig-waf-exclusion 100 \
        --security-policy=policyname \
        --target-rule-set="xss-v33-stable" \
        --target-rule-ids="owasp-crs-v030301-id942432-sqli" \
        --request-uri-to-exclude "op=EQUALS,val=/aaa/"

This will correctly exclude requests with the URI /aaa/ from the sqli-v33-stable rule set. Let me know if this helps.


Hi Marvin:

Thanks for your reply.

I changed the op from CONTAINS to EQUALS, but the test requests still are not excluded.

The GUI:

[attached screenshot: song_0-1709285533328.png]

The log:

[attached screenshot: song_1-1709285647811.png]


Also, I pasted the command wrong:

    --target-rule-set="xss-v33-stable" \

It should be as follows, but in the actual test the command is fine:

    --target-rule-set="sqli-v33-stable" \


I'm experiencing the same issue when using URI exclusions and CONTAINS. For example, if I want to exclude all requests with `/v1/abc/*`, I use the exclusion URI CONTAINS `v1/abc/`, but I still see the request being evaluated in the policy logs.