AFS
/
infrastructure-notes


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104
							Reference OWASP whitepaper
https://d0.awsstatic.com/whitepapers/Security/aws-waf-owasp.pdf


portal-generic-restrict-sizes DONE
Filters in portal-generic-size-restrictions
The length of the Body is greater than 4096.
The length of the Query string is greater than 1024.
The length of the Header 'cookie' is greater than 4093.
The length of the URI is greater than 512.
/complete/saml


TEST
failing
is it The length of the Header 'cookie' is greater than 4093. ? nope
is it The length of the URI is greater than 512. ? nope
The length of the Query string is greater than 1024. ? nope
The length of the Body is greater than 4096. ? YES!

trying
The length of the Body is greater than 8000. Nope
The length of the Body is greater than 12000. YES!
The length of the Body is greater than 11168. sometimes!
The length of the Body is greater than 12288. YES!

***try to exclude the saml URI****
URI starts with: "/complete/saml" after decoding as URL.
TODO

Add URL filter for the rule portal-generic-restrict-sizes NOT complete/saml
URI starts with: "/complete/saml" after decoding as URL.

portal-generic-match-admin-company-url
portal-generic-match-api-url
URI starts with: "/api/issue/" after decoding as URL.
/api/issue/


portal-generic-enforce-csrf 
https://stackoverflow.com/questions/38485028/what-is-the-difference-between-set-cookie-and-cookie
The length of the Header 'cookie' is equal to 118.
HTTP method matches exactly to: "post" after converting to lowercase.
/complete/saml

TEST
test is using set-cookie
Csrftoken cookie is size 172
csrftoken=0aHJ5IjG7jegZikOds5IFWRya2k60UuN7qvyqAXsJ4W2DkwKdr1e8oguzwywmgS3; expires=Wed, 03 Feb 2021 16:28:19 GMT; HttpOnly; Max-Age=31449600; Path=/; SameSite=Lax; Secure
csrftoken=bEGgb6Z8ggr4q4Urxw4a9J7JEHWhwTAecBWpXYlxo82FEpZlpLYTnHnej98ff5ex; expires=Mon, 01 Feb 2021 23:18:07 GMT; HttpOnly; Max-Age=31449600; Path=/; SameSite=Lax; Secure
sessionid=9b3azu262faw7n16e94zwiwijwsyycf5; HttpOnly; Path=/; SameSite=Lax; Secure
sessionid=29b3rlsvbbijp64jcnrzn78ctzqvlm8d; HttpOnly; Path=/; SameSite=Lax; Secure
Cookie header does NOT exist

***see if we can use the equal not less than***
***can we use an OR option?***

PROD
prod using cookie
Cookie header does exist


portal-generic-detect-admin-access

TEST
have whole page locked down to no need for difference in test/prod. the 0.0.0.0/0 should give access. 
    "12.245.107.250/32",   # DPS Office Legato
    "12.204.167.162/32",   # DPS Office San Antonio
    "54.86.98.62/32",      # DPS AWS User VPN
    "75.138.227.80/32",    # Duane Waddle
    "24.11.231.98/32",     # George Starcher
    "99.151.37.185/32",    # Wesley Leonard
    "70.106.200.157/32",   # John Reuther
    "108.243.20.48/32",    # Ryan Plas
    "73.10.53.113/32",     # Rick Page Home
    "50.21.207.50/32",     # Brad Poulton
    "70.160.60.248/32",    # Brandon Naughton 
    "173.71.212.4/32",     # Ryan Howard


PROD
have admin page locked down to whitelisted IPs
73.10.53.113/32
99.151.37.185/32
170.248.173.247/32
170.248.173.245/32

TEST
***TEST WAF rule should be 0.0.0.0 for ADMIN access; SG will provide protection****

10.* only for /admin

    cidr_blocks = ["${lookup(local.workspace-default-portal-cidrs,terraform.workspace,"")}"]  <-SG No changes needed
    
    
admin_remote_ipset <- WAF changes needed test = 0.0.0.0 PROD = these IPs
73.10.53.113/32
99.151.37.185/32
170.248.173.247/32
170.248.173.245/32