DataDog / browser-sdk

Datadog Browser SDK
Apache License 2.0

Cloudflare WAF complains about violations when proxying RUM calls through our endpoint #1344

Closed ffissore closed 2 years ago

ffissore commented 2 years ago

In order to bypass ad blockers, we set up an endpoint that proxies RUM calls. However, Cloudflare is blocking most of them and complains about multiple OWASP violations. They all seem related to the long, encoded URL in the ddforward param.

I was wondering if you can make it easier for us to proxy these calls: one idea is to make the ddforward param part of the POST body, which will result in a clean URL.

bcaudan commented 2 years ago

Hello @ffissore,

In order to better understand the issue, could you share the explicit complaints?

ffissore commented 2 years ago

960010 Request content type is not allowed by policy OWASP HTTP Policy Log
950109 Multiple URL Encoding Detected OWASP Protocol Violations Log
960024 Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters OWASP Generic Attacks Log
950120 Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link OWASP Generic Attacks Log
981257 Detects MySQL comment-/space-obfuscated injections and backtick termination OWASP SQL Injection Attacks Log
981245 Detects basic SQL authentication bypass attempts 2/3 OWASP SQL Injection Attacks Log
981246 Detects basic SQL authentication bypass attempts 3/3 OWASP SQL Injection Attacks Log
981243 Detects classic SQL injection probings 2/2 OWASP SQL Injection Attacks Log
973333 IE XSS Filters - Attack Detected OWASP XSS Attacks Log
bcaudan commented 2 years ago

OK, it seems that there are various things detected by Cloudflare WAF on your endpoint. I won't be able to help with this level of information and I don't think we will modify our current approach unless a specific issue is identified.

In order to move forward, I would suggest you go over each violation, identify the underlying issue and, if it is from the way the SDK sends the request to the proxy, open a dedicated issue about it.

Feel free to go through our support if you need more help on this; it could be easier to share more details about your setup.

bcaudan commented 2 years ago

Feel free to reopen if needed.

bcaudan commented 2 years ago

This is out of scope for this issue, but please, pretty please, consider packing the proxied request in a different way, to avoid hitting Cloudflare WAF as reported in https://github.com/DataDog/browser-sdk/issues/1344: alternatively, allow devs to inject a custom mechanism for sending requests

@ffissore moving the discussion here then.

As mentioned previously:

I don't think we will modify our current approach unless a specific issue is identified.

Could you give us more details on the exact issue related to ddforward?

ffissore commented 2 years ago

I still need to gather the exact details: by the looks of it, encoding a URL and passing it as a query string param is a smell for Cloudflare. In particular, rules

seem to be triggered by an encoded URL in the query string, which is the mechanism used for proxying requests.
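As an added illustration, not code from the browser-sdk project or from either commenter: a Node.js check a proxy endpoint could run on the ddforward value before forwarding it, assuming (as this thread describes) that the value carries the percent-encoded absolute intake URL; the intake host allowlist is a constructed placeholder. It shows why the nested encoding that rule 950109 flags is expected on legitimate traffic, and why the endpoint should still refuse to forward to hosts it does not know, the concern behind the off-domain reference rule.

```javascript
// Added example (not from the browser-sdk project). Validates the ddforward
// query value a RUM proxy receives before the proxy forwards the request.
// Assumption: ddforward holds the percent-encoded absolute intake URL, as the
// issue above describes. The allowlist is a constructed placeholder; fill it
// with the intake host(s) of your own Datadog site.
const ALLOWED_INTAKE_HOSTS = new Set(["rum-intake.example.com"]); // placeholder

// Returns the decoded intake URL to forward to, or null if the value is rejected.
function validateDdforward(rawParam) {
  if (typeof rawParam !== "string" || rawParam.length === 0 || rawParam.length > 4096) {
    return null;
  }
  let decoded;
  try {
    decoded = decodeURIComponent(rawParam);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  // Note: `decoded` normally still contains %XX sequences (e.g. ddtags=env%3Aprod),
  // because the SDK encodes a URL whose own query string was already encoded.
  // That nested encoding is what a "multiple URL encoding" WAF rule reacts to,
  // so we do not reject it here; we validate the parsed target instead.
  let target;
  try {
    target = new URL(decoded);
  } catch (e) {
    return null; // not an absolute URL
  }
  // Do not become an open proxy: only https, only known intake hosts, no credentials.
  if (target.protocol !== "https:") return null;
  if (!ALLOWED_INTAKE_HOSTS.has(target.hostname)) return null;
  if (target.username !== "" || target.password !== "") return null;
  return target.toString();
}
```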