0

ASP.NET (Framework 3.5, IIS 8.5, Windows Server 2012 R2) with the Ajax Control Toolkit is being blocked by a WAF (Web Application Firewall). Following is the screenshot from the WAF:

[screenshot]

These are the signatures from the WAF:

[screenshot]

I tried disabling the Ajax components on the web page but am still getting the same problem.

Any suggestions?

4

2 Answers

3

It's referencing an ASP.NET padding attack vector that is rated "HIGH". Depending on your WAF this is probably a prebuilt signature blocking your application and may not be directly related to the Ajax controls.

CVE-2010-3332

There are several routes to take:

  1. Determine if you are in fact exposing sensitive IIS error codes during decryption and resolve in code. It's an old CVE so up-to-date ASP.NET will mitigate what it can. The rest is up to the developer.
  2. Validate your system is up to date on patches (ASP updates, Windows Updates, whatever updates). The Microsoft vulnerability was fixed in patch MS10-070.
  3. If this is in fact a true false positive, you'll need to train the WAF to treat this code and application behavior as acceptable. This is the last resort if you've exhausted code and patching and determined this is not the CVE causing the signature block.

Web application firewalls are very different from traditional (or next-generation) firewalls in that they need to be tailored to a specific application to work properly. It's a pain, but it's needed to properly protect an individual application.

Your WAF should be able to run in a learning/transparent mode to understand acceptable behaviors and create a policy around default application behavior. Once the learning process is complete, you can then turn on an enforcing behavior and alert on errors. Then fix the errors in the WAF or in the application. Once that's complete, you can enforce and block on errors. How this is accomplished is dependent on the WAF vendor.

Since this is a CVE signature block, you may need to dig deeper into how .Net is processing the URL.

answered 2018-09-07T16:50:46.030
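As an added example (not code from the question or from this answer), here is a small checker for the application-side part of step 1: whether the site's web.config maps every error to one page, which is the shape of the workaround Microsoft published for CVE-2010-3332 (a single `customErrors` page with no per-status-code pages, so a decryption failure is not distinguishable from any other error). The two web.config fragments are constructed for the example; the file paths in them are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed web.config fragments (not taken from the question).
# WEAK: different failures are routed to different pages, so an attacker can
# tell a padding/decryption error apart from other errors by the response.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/servererror.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""

# HARDENED: one page for every error, rewritten in place (ResponseRewrite) so
# the redirect itself does not reveal anything about which error occurred.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On"
                  defaultRedirect="~/error.aspx"
                  redirectMode="ResponseRewrite" />
  </system.web>
</configuration>
"""


def audit_custom_errors(web_config_xml: str) -> List[str]:
    """Return a list of findings for <system.web><customErrors>; empty = passes."""
    root = ET.fromstring(web_config_xml)
    ce = root.find("./system.web/customErrors")
    if ce is None:
        # With no element at all ASP.NET uses its built-in error handling,
        # and different failures still produce different responses.
        return ["no <customErrors> element: errors are not mapped to a single page"]

    findings = []
    mode = ce.get("mode") or "(unset)"
    if mode != "On":
        findings.append(f'customErrors mode is "{mode}", expected "On"')
    if not ce.get("defaultRedirect"):
        findings.append("no defaultRedirect: there is no single page every error maps to")
    if ce.get("redirectMode") != "ResponseRewrite":
        findings.append('redirectMode is not "ResponseRewrite": the redirect URL can '
                        "reveal the failing path to the client")
    per_status = [e.get("statusCode", "?") for e in ce.findall("error")]
    if per_status:
        findings.append("per-status error pages (" + ", ".join(per_status) +
                        ") let a client distinguish failure types")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        result = audit_custom_errors(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

Run it against the real web.config (`audit_custom_errors(open("web.config").read())`) before touching the WAF policy: if it reports findings, the application is still presenting the distinguishable error behaviour that the signature is looking for, and step 3 (training the WAF) would only hide the symptom.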
0

Many hosting companies use the Plesk control panel, which implements the ModSecurity Web Application Firewall (WAF) by default. While you could completely turn off the Web Application Firewall (WAF) on Plesk, this wouldn't be a great idea because the purpose of the WAF is to help protect your website from various attacks. Instead, turn off only the specific Rule IDs that are causing the issue.

In this case, the WAF is blocking .axd files, which are necessary for AJAX calls. Thus, you'll need to allow .axd files on your website, namely "Scriptresource.axd" and "WebResource.axd".

  1. Identify the specific Rule ID that is being violated by opening the "ModSecurity Logfile" on the Plesk WAF page.

  2. Search for the 403 Access Denied message in the logfile and then look for a substring that looks like [id "942440"]. This is the rule ID that is being violated. For ModSecurity 2.9, the 942440 rule is the one that blocks .axd files.

  3. Switch off the "Security Rule" that applies to this issue, by typing the ID number in the "Switch off Security Rules" section on the Plesk WAF page. In this example, you would type just the numbers "920440" inside the text box.

[screenshot]

answered 2021-11-04T03:11:48.893
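As an added example (not code from this answer or from Plesk), here is the log-reading step above automated, with a narrower fix than switching the rule off site-wide: parse the ModSecurity error log for 403 denials, pull out the rule ID, the URI and the variable the rule matched on, and emit a ModSecurity exclusion that removes that rule only for requests to .axd handlers and only on the matched parameter (`ctl:ruleRemoveTargetById`). The log lines are constructed in ModSecurity 2.9 format for the example; the local rule ID 1000100 and the hostnames are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample entries in ModSecurity 2.9 error-log format (not real log
# data from the question). The first is a hit on the d= parameter of
# WebResource.axd, the second is an unrelated hit on a search page.
SAMPLE_LOG = (
    '[Thu Nov 04 03:11:48.893 2021] [:error] [pid 4242] [client 203.0.113.7] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "(?:--|\\/\\*)" at ARGS:d. '
    '[file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "1200"] [id "942440"] [msg "SQL Comment Sequence Detected"] '
    '[data "Matched Data: -- found within ARGS:d: Ab12--Cd_"] [severity "CRITICAL"] '
    '[hostname "www.example.com"] [uri "/WebResource.axd"] [unique_id "YYN1lq@abc"]\n'
    '[Thu Nov 04 03:12:01.004 2021] [:error] [pid 4242] [client 198.51.100.9] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "..." at ARGS:q. '
    '[file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "800"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    '[hostname "www.example.com"] [uri "/search.aspx"] [unique_id "YYN1mX@def"]\n'
)

DENIAL_RE = re.compile(r"Access denied with code (?P<status>\d{3})")
TAG_RE = re.compile(r'\[(?P<key>id|msg|uri|file|line|severity) "(?P<val>[^"]*)"\]')
# "... at ARGS:d. [file" -> the variable (collection:name) the rule matched on
TARGET_RE = re.compile(r" at (?P<target>[A-Z_]+(?::[^.\s\]]+)?)\. \[file")


def parse_denials(log_text: str) -> List[Dict[str, str]]:
    """Extract one dict per blocking event (status, id, msg, uri, target, ...)."""
    denials = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue  # warnings / DetectionOnly entries are not blocks
        entry = {"status": m.group("status")}
        for tag in TAG_RE.finditer(line):
            entry[tag.group("key")] = tag.group("val")
        t = TARGET_RE.search(line)
        entry["target"] = t.group("target") if t else ""
        denials.append(entry)
    return denials


def exclusion_rule(denial: Dict[str, str], local_id: int) -> Optional[str]:
    """Exclusion scoped to .axd handlers (WebResource.axd, ScriptResource.axd).

    Removes the offending rule only for requests whose filename ends in .axd
    and, when the matched variable is known, only on that variable, so the
    rule keeps protecting every other page and parameter on the site.
    """
    uri = denial.get("uri", "")
    if not uri.lower().endswith(".axd"):
        return None
    rule_id = denial["id"]
    target = denial.get("target")
    if target:
        ctl = f"ctl:ruleRemoveTargetById={rule_id};{target}"
    else:
        ctl = f"ctl:ruleRemoveById={rule_id}"
    return (f'SecRule REQUEST_FILENAME "@endsWith .axd" '
            f'"id:{local_id},phase:1,pass,t:none,nolog,{ctl}"')


def exclusions_for_axd(log_text: str, first_local_id: int = 1000100) -> List[str]:
    """One exclusion per distinct (rule id, matched variable) seen on .axd URIs."""
    rules, seen = [], set()
    for d in parse_denials(log_text):
        key = (d.get("id"), d.get("target"))
        if key in seen:
            continue
        rule = exclusion_rule(d, first_local_id + len(rules))
        if rule:
            seen.add(key)
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(f'{d["status"]} id={d["id"]} uri={d["uri"]} at={d["target"]} msg={d.get("msg")}')
    print("\n".join(exclusions_for_axd(SAMPLE_LOG)))
```

The generated `SecRule` has to be loaded before the rule it excludes (the OWASP CRS ships `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` for exactly this); where Plesk lets you place custom directives depends on the Plesk version, so check its documentation rather than editing the vendor rule files, which are overwritten on update. Compared with typing the ID into "Switch off Security Rules", this keeps the rule active for the rest of the application and only whitelists the handler and parameter that actually triggered it.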