WAF is blocking ASP.NET website due to Scriptresource.axd
ASP.NET (Framework 3.5, IIS 8.5, windows server 2012R2) with Ajax control toolkit is being blocked by WAF (Web Applications Firewall). Following is the screen shot from WAF
These are signatures from WAF
I tried disabling ajax components at the web page but still getting same problem.
Any suggestions ??
It's referencing an ASP.NET padding attack vector that is rated "HIGH". Depending on your WAF this is probably a prebuilt signature blocking your application and may not be directly related to the Ajax controls.
There are several routes to take:
- Determine if you are in fact exposing sensitive IIS error codes during decryption and resolve in code. It's an old CVE so up-to-date ASP.NET will mitigate what it can. The rest is up to the developer.
- Validate your system is up to date on patches (ASP updates, Windows Updates, whatever updates). The Microsoft vulnerability was fixed in patch MS10-070.
- If this is in fact a true false positive, you'll need to train the WAF to treat this code and application behavior as acceptable. This is the last resort if you've exhausted code and patching and determined this is not the CVE causing the signature block.
Web application firewalls are very different from traditional firewall's (or NG) in that they need to be tailored to a specific application to work properly. It's a pain but it's needed to properly protect an individual application.
Your WAF should be able to run in a a learning transparent mode to understand acceptable behaviors and create a policy around default application behavior. Once the learning process is complete, you can then turn on an enforcing behavior and alert on errors. Then fix the errors in the WAF or in the application. Once that's complete you can then you can enforce and block on error. How this is accomplished is dependent on the WAF vendor.
Since this is a CVE signature block, you may need to dig deeper into how .Net is processing the URL.
- In .net core how to download a static file with special extension in web root?
- "The name "TextBox" does not exist in the current context" errors during a few tutorials
- Name does not exist in the current context
- Uncaught TypeError: sys is undefined when using Chakra UI with Vite
- VS2010 error: Unable to start debugging on the web server
- The member [class] has no supported translation to SQL
- How to set the Content-Type header for an HttpClient request?
- Blazor ProtectedSessionStorage timeout
- Blank page when I run or debug MVC application in local machine
- How to force Visual Studio to re-create the SSL certificate for a .NET Core Web Application running Kestrel?
- <%$, <%@, <%=, <%# ... what's the deal?
- Asp.net mask credit card number in text box as being entered followed by validation and processing of credit card number
- Open a new window using MapAreaAttributes in microsoft chart control
- How to close HTTP connection in asp.net?
- How to combine asynchrony with locking?
- Losing Session State with ASP.NET/SQL Server
- Add/Remove Class Based on Scroll Position in Blazor
- Make Web.config transformations work locally
- OnItemCommand not firing from nested DataList
- Publish ASP.NET app without certain folders
- Cannot implicitly convert type 'object' to 'System.Data.SqlClient.SqlParameter'. An explicit conversion exists (are you missing a cast?)
- Access to the path 'c:\inetpub\wwwroot\myapp\App_Data' is denied
- CheckBox list using ASP.NET MVC 5
- Preflight request from React Client with ASP.NET Core backend blocked by CORS policy
- window.dnnLoadScriptsInAjaxMode undefined in page administration module
- Get SignalR Core received message size
- Pause after Alert
- How can I get the baseurl of site?
- The anti-forgery cookie token and form field token do not match in MVC 4
- Incorrect format problem when converting a BMP image file from Base-64 to binary