Detecting Azure Front Door WAF with BChecks

TrustedSec found that an Azure Front Door WAF IP restriction can be bypassed when the custom rule matches on RemoteAddr, which is the default: RemoteAddr is taken from the X-Forwarded-For header, so a client can supply its own value. When the bypass works it is not only the IP filter that is skipped; all of the WAF's other protections are skipped for that request as well.

Front Door WAF has a specific fingerprint: its 403 responses carry both the x-azure-ref and x-cache headers. Application Gateway WAF does not set either, so the pair is a quick way to tell the two apart. Note that the fingerprint only tells you Front Door is in front of the application; whether an IP restriction rule exists, and whether it uses RemoteAddr, still has to be confirmed by comparing the 403 baseline with the same request sent with a spoofed X-Forwarded-For.

I'll definitely forget these details in six months. That's why I wrote this BCheck:

```
metadata:
    language: v2-beta
    name: "Azure Front Door WAF Detection"
    description: "Detects Azure Front Door WAF based on 403 response headers"
    author: "fz42"
    tags: "azure", "waf", "bypass"

given response then
    if {latest.response.status_code} is "403" and
       {latest.response.headers} matches "(?i)x-azure-ref" and
       {latest.response.headers} matches "(?i)x-cache" then
        report issue:
            severity: info
            confidence: firm
            detail: `Azure Front Door WAF detected. If the IP restriction rule uses RemoteAddr (the default), try an X-Forwarded-For bypass with addresses such as:
- 127.0.0.1
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- ...
If the bypass works, ALL WAF protections are disabled for the request.
References: https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass`
            remediation: "Use SocketAddr instead of RemoteAddr, or make the rule a compound condition that matches on both SocketAddr and RemoteAddr."
    end if
```

Now I have a nice reminder in Burp Suite, so I won't miss this in the future. ...
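The same fingerprint and the follow-up X-Forwarded-For probe, written as plain Python so they can be run offline against captured responses. This is an added example, not code from the post, from TrustedSec or from PortSwigger: the sample responses are constructed, the probe values are the addresses from the BCheck's detail text (the first host of each private range, since X-Forwarded-For carries a single address rather than a CIDR), and `bypass_observed` is an assumed decision rule that treats "Front Door 403 on the baseline, non-403 on the spoofed request" as a likely bypass to verify by hand.

```python
"""Added example: Front Door WAF fingerprint and X-Forwarded-For probe logic.
Not part of the original post; all sample data below is constructed."""
from ipaddress import ip_network

# Private ranges listed in the BCheck's detail text. X-Forwarded-For carries a
# single address, so the first host of each range is used as the probe value.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def is_front_door_waf_block(status, headers):
    """Mirror the BCheck: a 403 whose headers include both x-azure-ref and
    x-cache. Names are compared case-insensitively, like the (?i) regexes."""
    names = {name.lower() for name in headers}
    return status == 403 and "x-azure-ref" in names and "x-cache" in names


def xff_probe_values(extra=None):
    """Candidate X-Forwarded-For values: loopback, the first host of each
    private range, then any caller-supplied addresses (for instance an IP the
    target is known to allowlist)."""
    values = ["127.0.0.1"]
    for cidr in PRIVATE_RANGES:
        values.append(str(next(ip_network(cidr).hosts())))
    values.extend(extra or [])
    return values


def build_probe_requests(method, path, host, base_headers, extra_ips=None):
    """One request description per probe value; only X-Forwarded-For differs
    from the baseline so any change in the response is attributable to it."""
    probes = []
    for value in xff_probe_values(extra_ips):
        headers = dict(base_headers)
        headers["X-Forwarded-For"] = value
        probes.append({"method": method, "path": path, "host": host, "headers": headers})
    return probes


def bypass_observed(baseline, probe):
    """Assumed decision rule: the baseline must be a Front Door WAF 403 and the
    same request with a spoofed X-Forwarded-For must no longer return 403.
    A hit here is a lead to confirm manually, not proof on its own."""
    baseline_status, baseline_headers = baseline
    probe_status, _ = probe
    return is_front_door_waf_block(baseline_status, baseline_headers) and probe_status != 403


# Constructed sample responses (status, headers); not real captures.
FRONT_DOOR_403 = (403, {"X-Azure-Ref": "0AbCdEfGhIjK", "X-Cache": "CONFIG_NOCACHE",
                        "Content-Type": "text/html"})
APPGW_403 = (403, {"Server": "Microsoft-Azure-Application-Gateway/v2",
                   "Content-Type": "text/html"})
FRONT_DOOR_200 = (200, {"X-Azure-Ref": "0AbCdEfGhIjK", "X-Cache": "TCP_MISS",
                        "Content-Type": "text/html"})


if __name__ == "__main__":
    for label, response in [("front door 403", FRONT_DOOR_403),
                            ("app gateway 403", APPGW_403),
                            ("front door 200", FRONT_DOOR_200)]:
        print(f"{label}: front door WAF block = {is_front_door_waf_block(*response)}")
    for probe in build_probe_requests("GET", "/admin", "example.invalid", {}):
        print("probe X-Forwarded-For:", probe["headers"]["X-Forwarded-For"])
    print("bypass observed (403 -> 200):", bypass_observed(FRONT_DOOR_403, FRONT_DOOR_200))
```

Send each probe from `build_probe_requests` with the HTTP client of your choice and feed the (status, headers) pairs back into `bypass_observed`; only a 403 that turns into a non-403 for a spoofed address is worth reporting.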