
Portal WAF Notes

Reference: the AWS whitepaper "Use AWS WAF to Mitigate OWASP's Top 10 Web Application Vulnerabilities" (the portal-generic-* rules follow its sample rule set).

portal-generic-restrict-sizes DONE. Filters in portal-generic-size-restrictions:
- The length of the Body is greater than 4096.
- The length of the Query string is greater than 1024.
- The length of the Header 'cookie' is greater than 4093.
- The length of the URI is greater than 512.
Path affected: /complete/saml

TEST failing. Is it "The length of the Header 'cookie' is greater than 4093"? Nope. Is it "The length of the URI is greater than 512"? Nope. "The length of the Query string is greater than 1024"? Nope. "The length of the Body is greater than 4096"? YES!

Trying body limits:
- The length of the Body is greater than 8000: Nope.
- The length of the Body is greater than 12000: YES!
- The length of the Body is greater than 11168: sometimes!
- The length of the Body is greater than 12288: YES!
(The SAMLResponse the IdP posts is a base64-encoded, signed XML document whose size varies from login to login, so a threshold near the typical size trips only some of the time.)

TODO: try to exclude the SAML URI from the rule. Condition: URI starts with "/complete/saml" after decoding as URL.

Add a URL filter to the rule portal-generic-restrict-sizes, negated: NOT (URI starts with "/complete/saml" after decoding as URL), so the size restrictions apply everywhere except the SAML callback.
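How the negated URI predicate interacts with the size-constraint set, as an added example for these notes (not the portal's Terraform and not an AWS library). It models the WAF Classic evaluation semantics I am assuming here: a rule matches only when every predicate matches, a negated predicate matches when its condition does not, and a size-constraint set matches when any one of its constraints trips. The request sizes are constructed to straddle the thresholds recorded above.

```python
"""Model of how AWS WAF Classic evaluates portal-generic-restrict-sizes.

Added example for these notes; it is not the portal's Terraform and not an
AWS library. Semantics assumed (WAF Classic): a rule matches only when every
predicate matches; a negated predicate matches when its condition does not;
a size-constraint set matches when ANY of its constraints trips. Request
sizes below are constructed to illustrate the thresholds in the notes.
"""
from urllib.parse import unquote

# portal-generic-size-restrictions as listed in the notes: (part, header) -> limit
SIZE_RESTRICTIONS = {
    ("BODY", None): 4096,
    ("QUERY_STRING", None): 1024,
    ("HEADER", "cookie"): 4093,
    ("URI", None): 512,
}


def make_request(method, uri, body_len=0, query="", cookie=None):
    """Constructed request; the body is a filler of body_len bytes."""
    headers = {"cookie": cookie} if cookie is not None else {}
    return {"method": method, "uri": uri, "query": query,
            "headers": headers, "body": b"x" * body_len}


def part_length(req, part, name=None):
    """Length of the request part a size constraint inspects (missing header = 0)."""
    if part == "BODY":
        return len(req["body"])
    if part == "QUERY_STRING":
        return len(req["query"])
    if part == "URI":
        return len(req["uri"])
    if part == "HEADER":
        return len(req["headers"].get(name.lower(), ""))
    raise ValueError(part)


def size_constraint_set(limits):
    """Predicate for a size-constraint set with the GT operator: any constraint trips it."""
    def predicate(req):
        return any(part_length(req, part, name) > limit
                   for (part, name), limit in limits.items())
    return predicate


def uri_starts_with(prefix):
    """Predicate for a byte-match set: URI STARTS_WITH prefix after URL_DECODE."""
    return lambda req: unquote(req["uri"]).startswith(prefix)


def rule_matches(req, predicates):
    """WAF Classic rule: all predicates must hold; negated=True inverts one predicate."""
    return all(predicate(req) != negated for predicate, negated in predicates)


def restrict_sizes_rule(body_limit=4096, exclude_saml=False):
    """The rule from the notes, optionally with a negated URI predicate for /complete/saml."""
    limits = {**SIZE_RESTRICTIONS, ("BODY", None): body_limit}
    predicates = [(size_constraint_set(limits), False)]
    if exclude_saml:
        predicates.append((uri_starts_with("/complete/saml"), True))  # negated
    return predicates


def demo():
    """Outcomes (True = request blocked) for the cases discussed in the notes."""
    # SAMLResponse bodies vary per login; two constructed sizes straddling 11168.
    saml_small = make_request("POST", "/complete/saml", body_len=11000)
    saml_large = make_request("POST", "/complete/saml", body_len=11500)
    saml_encoded = make_request("POST", "/complete%2Fsaml", body_len=11500)
    api_big = make_request("POST", "/api/issue/", body_len=20000)
    strict = restrict_sizes_rule()
    mid = restrict_sizes_rule(body_limit=11168)
    excluded = restrict_sizes_rule(exclude_saml=True)
    return {
        "limit_4096_blocks_saml": rule_matches(saml_small, strict),
        "limit_11168_small_body": rule_matches(saml_small, mid),  # passes
        "limit_11168_large_body": rule_matches(saml_large, mid),  # blocked: the "sometimes"
        "excluded_saml": rule_matches(saml_large, excluded),
        "excluded_saml_urlencoded": rule_matches(saml_encoded, excluded),
        "excluded_api_big_body": rule_matches(api_big, excluded),
    }


if __name__ == "__main__":
    for case, blocked in demo().items():
        print(f"{case}: {'BLOCK' if blocked else 'allow'}")
```

One consequence worth checking before shipping the negated predicate: because all predicates in a WAF Classic rule are ANDed, the exclusion lifts every constraint in the set for /complete/saml (query string, cookie and URI limits included), not just the body limit. If only the body threshold is the problem, put the body constraint in its own rule and attach the negated URI predicate to that rule alone.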

portal-generic-match-admin-company-url

portal-generic-match-api-url: URI starts with "/api/issue/" after decoding as URL. Path: /api/issue/

portal-generic-enforce-csrf: Set-Cookie vs Cookie difference. Conditions: the length of the Header 'cookie' is equal to 118; HTTP method matches exactly "post" after converting to lowercase. Path: /complete/saml

TEST

To view the cookie in Chrome: Dev tools > Application > Cookies > portal cookie > csrftoken.

Size restrictions are different for POST and GET methods!!

Test is using Set-Cookie. csrftoken cookie is size 172:

csrftoken=0aHJ5IjG7jegZikOds5IFWRya2k60UuN7qvyqAXsJ4W2DkwKdr1e8oguzwywmgS3; expires=Wed, 03 Feb 2021 16:28:19 GMT; HttpOnly; Max-Age=31449600; Path=/; SameSite=Lax; Secure
csrftoken=bEGgb6Z8ggr4q4Urxw4a9J7JEHWhwTAecBWpXYlxo82FEpZlpLYTnHnej98ff5ex; expires=Mon, 01 Feb 2021 23:18:07 GMT; HttpOnly; Max-Age=31449600; Path=/; SameSite=Lax; Secure
sessionid=9b3azu262faw7n16e94zwiwijwsyycf5; HttpOnly; Path=/; SameSite=Lax; Secure
sessionid=29b3rlsvbbijp64jcnrzn78ctzqvlm8d; HttpOnly; Path=/; SameSite=Lax; Secure

Cookie header does NOT exist.

Note: every one of these cookies is SameSite=Lax, and a browser does not attach Lax cookies to a cross-site POST. The SAML HTTP-POST binding is exactly that (the IdP's page posts the SAMLResponse to /complete/saml), which would explain the missing Cookie header on that request. It also means a rule keyed on the Cookie header cannot see the session on the SAML callback at all.
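Where the 118 in the enforce-csrf condition comes from, and why it is absent on the SAML callback, as an added example for these notes (not code from the original notes or the portal). It rebuilds the Cookie header a browser would send from the two Set-Cookie values above. Assumptions: standard browser SameSite handling (Strict never sent cross-site, Lax sent cross-site only on top-level GET-style navigations, None sent when Secure is set); the rule's "length of the Header 'cookie'" is the byte length of the raw header value; and the IdP posts to /complete/saml from another site. The `theme` cookie in the demo is constructed.

```python
"""Cookie header a browser would send to /complete/saml, built from the
Set-Cookie values recorded in these notes (test environment).

Added example, not from the original notes. Assumes the usual browser
SameSite semantics: Strict is never sent cross-site; Lax is sent cross-site
only on top-level GET-style navigations; None is sent when Secure is set.
Also assumes the rule's "length of the Header 'cookie'" is the byte length
of the raw header value, and that the SAML HTTP-POST binding reaches
/complete/saml as a cross-site POST from the IdP's page.
"""

# Two of the Set-Cookie values copied from the notes (one csrftoken, one sessionid).
SET_COOKIES = [
    "csrftoken=0aHJ5IjG7jegZikOds5IFWRya2k60UuN7qvyqAXsJ4W2DkwKdr1e8oguzwywmgS3; "
    "expires=Wed, 03 Feb 2021 16:28:19 GMT; HttpOnly; Max-Age=31449600; Path=/; SameSite=Lax; Secure",
    "sessionid=9b3azu262faw7n16e94zwiwijwsyycf5; HttpOnly; Path=/; SameSite=Lax; Secure",
]

# Threshold from the portal-generic-enforce-csrf rule.
CSRF_COOKIE_LENGTH = 118
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(line):
    """Split a Set-Cookie value into (name, value, {attribute: value}); attribute names lower-cased."""
    first, *rest = [p.strip() for p in line.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for attr in rest:
        key, _, val = attr.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def cookie_is_sent(attrs, same_site, method, top_level):
    """Would the browser include this cookie on the request?"""
    if same_site:
        return True
    samesite = attrs.get("samesite", "lax").lower()  # browsers now default to Lax
    if samesite == "none":
        return "secure" in attrs
    if samesite == "lax":
        return top_level and method.upper() in SAFE_METHODS
    return False  # strict


def build_cookie_header(set_cookies, same_site, method="POST", top_level=True):
    """Cookie header value the browser would send, or None when no cookie qualifies."""
    pairs = []
    for line in set_cookies:
        name, value, attrs = parse_set_cookie(line)
        if cookie_is_sent(attrs, same_site, method, top_level):
            pairs.append(f"{name}={value}")
    return "; ".join(pairs) if pairs else None


def enforce_csrf_matches(cookie_header, method):
    """portal-generic-enforce-csrf conditions: cookie header length == 118 AND method is post."""
    return (cookie_header is not None
            and len(cookie_header.encode()) == CSRF_COOKIE_LENGTH
            and method.lower() == "post")


def demo():
    """Cookie header length and rule outcome for the requests discussed in the notes."""
    same_site_post = build_cookie_header(SET_COOKIES, same_site=True)
    saml_post = build_cookie_header(SET_COOKIES, same_site=False)  # IdP -> /complete/saml
    cross_site_get = build_cookie_header(SET_COOKIES, same_site=False, method="GET")
    # A third (constructed) cookie on a same-site POST: the header is no longer 118 bytes.
    with_extra = build_cookie_header(SET_COOKIES + ["theme=dark; Path=/"], same_site=True)
    return {
        "same_site_post_len": len(same_site_post),
        "same_site_post_rule": enforce_csrf_matches(same_site_post, "POST"),
        "saml_post_header": saml_post,
        "saml_post_rule": enforce_csrf_matches(saml_post, "POST"),
        "cross_site_get_len": len(cross_site_get),
        "extra_cookie_len": len(with_extra),
        "extra_cookie_rule": enforce_csrf_matches(with_extra, "POST"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

118 is exactly `csrftoken=` plus a 64-character token, `; `, and `sessionid=` plus a 32-character session key, so the condition is really "both Django cookies and nothing else are present". Two things follow: on the cross-site SAML POST the Lax cookies are not sent and the header is absent, so the rule never matches there; and any additional cookie (analytics, theme, language) changes the length and silently disables the rule on every other POST as well.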

See if we can use "equal" rather than "less than". Can we use an OR option?

PROD: prod is using the cookie. Cookie header does exist.

portal-generic-detect-admin-access

TEST: the whole site is already locked down (by the SG), so there is no need for a test/prod difference in this WAF rule; the 0.0.0.0/0 should give access.

"12.245.107.250/32",   # DPS Office Legato
"12.204.167.162/32",   # DPS Office San Antonio
"54.86.98.62/32",      # DPS AWS User VPN
"75.138.227.80/32",    # Duane Waddle
"24.11.231.98/32",     # George Starcher
"99.151.37.185/32",    # Wesley Leonard
"70.106.200.157/32",   # John Reuther
"108.243.20.48/32",    # Ryan Plas
"73.10.53.113/32",     # Rick Page Home
"50.21.207.50/32",     # Brad Poulton
"70.160.60.248/32",    # Brandon Naughton 
"173.71.212.4/32",     # Ryan Howard

PROD: have the admin page locked down to whitelisted IPs: 73.10.53.113/32, 99.151.37.185/32, 170.248.173.247/32, 170.248.173.245/32

TEST: the TEST WAF rule should be 0.0.0.0/0 for ADMIN access; the SG will provide protection.*

Caveat: AWS WAF IP sets do not accept a /0 range (WAF Classic takes IPv4 /8 and /16 through /32; WAFv2 takes any IPv4 or IPv6 CIDR except /0), so "allow everything" cannot be expressed as an IP set entry. For TEST, either do not attach the admin-access rule at all or set its action to COUNT, and rely on the SG as noted.

10.* only for /admin

cidr_blocks = ["${lookup(local.workspace-default-portal-cidrs,terraform.workspace,"")}"]

<- SG: no changes needed.

admin_remote_ipset <- WAF changes needed. TEST = 0.0.0.0 (open); PROD = these IPs: 73.10.53.113/32, 99.151.37.185/32, 170.248.173.247/32, 170.248.173.245/32