Azure App Gateway WAF Rules Are Triggered by Certain Character Sequences in the Authorization Code

Overview

The application is published through an Azure App Gateway with a WAF. The WAF has rules such as the following enabled:

  1. Microsoft_DefaultRuleSet-1.1-SQLI-942450 (SQL Hex Encoding Identified) – triggered by the pattern "0x"
  2. Microsoft_DefaultRuleSet-1.1-SQLI-942440 (SQL Comment Sequence Detected) – triggered by the pattern "--"

When Auth0 sends the authorization code back to the application’s callback URL, certain character sequences in the code can trigger the WAF rules (examples above). When this happens, the application callback URL sends a 403 response, and the WAF logs show that rules like the following have been triggered: SQL Hex Encoding Identified, SQL Comment Sequence Detected.

Applies To

  • Azure App Gateway
  • WAF
  • SQL Hex Encoding Identified
  • SQL Comment Sequence Detected

Cause

The authorization code sent to the application callback URL can contain character sequences that trigger WAF rules like SQL Hex Encoding Identified and SQL Comment Sequence Detected.
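The following triage helper is an added example, not Auth0 or Microsoft code. It checks whether the `code` parameter of a blocked callback URL contains either sequence named above, and computes how often a random code would do so. The 64-symbol alphabet, the uniform randomness, the `app.example.com` URLs and the function names are assumptions.

```python
from fractions import Fraction
from urllib.parse import parse_qs, urlsplit

# Trigger sequences as this article states them (the deployed rules are regexes).
TRIGGERS = {"942450": "0x", "942440": "--"}


def rules_hit(callback_url):
    """Rule ids whose trigger sequence occurs in a `code` query parameter."""
    values = parse_qs(urlsplit(callback_url).query).get("code", [])
    return sorted(r for r, seq in TRIGGERS.items() if any(seq in v for v in values))


def blocked_fraction(length, alphabet_size=64):
    """Exact share of uniformly random codes containing "0x" or "--".

    Assumption: '0', 'x' and '-' all belong to the alphabet.
    Tracks clean prefixes by their last character: '0', '-', or anything else.
    """
    k = alphabet_size
    zero, dash, other = Fraction(0), Fraction(0), Fraction(1)
    for _ in range(length):
        clean = zero + dash + other
        zero, dash, other = (
            clean / k,                                 # append '0'
            (zero + other) / k,                        # append '-' unless last was '-'
            (dash + other) / k + clean * (k - 3) / k,  # 'x' unless last was '0', or any other char
        )
    return 1 - (zero + dash + other)


if __name__ == "__main__":
    # Constructed callback URLs (hypothetical host, made-up codes).
    for url in (
        "https://app.example.com/callback?code=aB0xQ9--k_Z&state=s1",
        "https://app.example.com/callback?code=Qm9vLXN0cmFw&state=s2",
    ):
        print(rules_hit(url) or "no trigger sequence", url)
    print(f"{float(blocked_fraction(32)):.2%} of 32-character codes would be blocked")
```

Under these assumptions, a steady share of logins fails with a 403 while most succeed, which matches the intermittent pattern this article describes.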

Solution

The length and entropy of the authorization code are directly related to its security, and we have no plans to make it possible to exclude certain character sequences from the authorization code. The solution is to modify the WAF policies for the involved endpoints.