AtlasOfLivingAustralia / ala-bootstrap3

ALA styles with bootstrap 3

Implement WAF application integration JS SDK #34

Open joe-lipson opened 2 months ago

joe-lipson commented 2 months ago

We received user reports, and were also able to observe, that a small number of requests to Biocache that were being presented with a "challenge" response from the WAF were showing a "Human Verification" message in the browser tab title for a short period of time (usually less than a second) before returning the page content. In a small subset of these the request would hang at this point and then time out.

After consulting with Amazon on the issue we were advised that the more efficient and preferred method of creating challenge tokens is through the WAF application integration JavaScript SDK.

From Case ID 171928080800016

To answer the last part of your question first - if you used the SDK integration then no, the rule I suggested would not be required. It would make token acquisition a background task, remove the unwanted 'Human verification' window from confusing users, and there would also be no charges for token acquisition via SDK - win/win/win!! SDK usage is the recommended path forward.

Implementing the SDK is a matter of placing the code from the AWS WAF console under "Application Integration" on the Biocache front end. The code is: <script type="text/javascript" src="https://8d350393c988.ap-southeast-2.sdk.awswaf.com/8d350393c988/f4d973d62c60/challenge.js" defer></script>

We have turned off browser challenges on the Biocache WAF until the SDK can be implemented.

This ticket is to investigate implementing this code, including configuration allowing different codes for different hubs and environments.

adam-collins commented 2 months ago

Adding this to grails-app/views/layouts/* of ala-bootstrap3 will make it available, if configured, for all applications and pages using any of these layouts.
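A config-gated include of the kind described above, as an added example that is not the ala-bootstrap3 project's own code; the config key `ala.waf.sdk.url`, the layout file name and the empty default are assumptions, chosen so that a hub or environment without a WAF emits no tag at all.

```gsp
<%-- Hypothetical fragment for grails-app/views/layouts/main.gsp (example, not project code) --%>
<%-- The SDK URL is specific to each WAF, so it is read from per-environment config;
     the key name ala.waf.sdk.url is assumed, and the default '' means "no WAF here". --%>
<g:set var="wafSdkUrl" value="${grailsApplication.config.getProperty('ala.waf.sdk.url', String, '')}"/>
<g:if test="${wafSdkUrl}">
  <%-- Emit the console-provided script only when configured; 'defer' keeps token
       acquisition in the background instead of blocking page rendering. --%>
  <script type="text/javascript" src="${wafSdkUrl}" defer></script>
</g:if>
```

Each consuming application would then set `ala.waf.sdk.url` per environment (for example under `environments:` in its application.yml) to the URL copied from the WAF console's Application Integration page, so every hub and environment points at its own WAF.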

adam-collins commented 2 months ago

Tested this with bie-test.

joe-lipson commented 2 months ago

This is a note on where to find the code for the WAF SDK integration. The code is specific to each WAF, so all applications or environments that use the same WAF will have the same code. In the AWS console, go to the WAF section, on the left menu select "Application integration", then in the Intelligent threat tab select the radio button for the WAF your application is using. The JavaScript code will be shown in the text area at the bottom of the page.

[Screenshot: SDK-integration]

nickdos commented 13 hours ago

I tried to find this on the comparison account but there are no Web ACLs listed. Is this the right account for our test systems or are they in the other (main) account?

matthewandrews commented 12 hours ago

Our test systems are mostly still in the prod account. Specifically BIE test is in prod, yep.