
ATO:195 Amend WAF query param limit #1217

Merged (1 commit) Nov 17, 2023

Conversation

ethanmills (Member) commented Nov 13, 2023

What?

Amend WAF query param limit

Why?

The authorize request from orchestration exceeds the limit imposed by this WAF rule. Maintain for all other endpoints, but extend to 4096 for the authorize endpoint.

Related PRs

govuk-one-login/authentication-api#3563

CarlyG55 previously approved these changes Nov 14, 2023

sebibo commented Nov 14, 2023

There are two main issues with this -

  1. Unlimited URL & query parameters will allow an attacker to perform a denial of service attack by passing through very large URLs that are no longer dropped by the WAF, consuming all the resources - https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/
  2. Additional parameter length will allow for additional information to potentially be leaked to an attacker - https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url

sebibo commented Nov 15, 2023

Primary concern is the increased likelihood of a denial of service impact of the proposed change - global changes to the WAF for accounts would affect all the APIs not just the specific API which has the issue.

From a security perspective the recommendation would be one of the following, presented in preferred order:

  1. reduce the query size to be under 2000 characters
  2. create a specific rule for the single API call affected
  3. increase the rate limit for all API calls - but by the smallest amount possible
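As an added illustration (not the project's WAF configuration or code), the following Python model contrasts option 2 (a rule scoped to the single affected endpoint) with option 3 (raising the limit for every endpoint). The path `/authorize`, the default limit of 2000 characters and the rule names are assumptions; the 4096 figure is the value proposed in the PR. The model also shows why the scoped rule should match the path exactly rather than by prefix, so that the relaxed limit does not silently apply to neighbouring paths.

```python
"""Model of a per-endpoint query-string size limit.

Constructed example, not the project's WAF configuration. DEFAULT_QUERY_LIMIT
stands for the existing global rule (assumed value), AUTHORIZE_QUERY_LIMIT is
the 4096-character value the PR proposes, and AUTHORIZE_PATH is an assumed path
for the affected endpoint.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_QUERY_LIMIT = 2000    # assumed: current limit applied to every endpoint
AUTHORIZE_QUERY_LIMIT = 4096  # from the PR: relaxed limit for the authorize call only
AUTHORIZE_PATH = "/authorize"  # assumed path of the affected endpoint


@dataclass(frozen=True)
class Decision:
    action: str     # "ALLOW" or "BLOCK"
    rule: str       # name of the rule that produced the decision
    query_len: int  # length of the query string that was evaluated


def query_limit_for(path: str, scoped: bool) -> tuple[str, int]:
    """Return (rule name, limit) for a request path.

    scoped=True models option 2: only an exact match on the authorize path gets
    the larger limit, every other path keeps the default.
    scoped=False models option 3: the larger limit applies everywhere, which is
    the global change the comment warns about.
    """
    if not scoped:
        return "global-query-size", AUTHORIZE_QUERY_LIMIT
    # Exact match on purpose: a prefix match would also relax "/authorize-foo".
    if path == AUTHORIZE_PATH:
        return "authorize-query-size", AUTHORIZE_QUERY_LIMIT
    return "default-query-size", DEFAULT_QUERY_LIMIT


def evaluate(url: str, scoped: bool = True) -> Decision:
    """Evaluate one URL against the size rule and return the WAF decision."""
    parts = urlsplit(url)
    rule, limit = query_limit_for(parts.path, scoped)
    qlen = len(parts.query)
    action = "BLOCK" if qlen > limit else "ALLOW"
    return Decision(action, rule, qlen)


def evaluate_many(urls: list[str], scoped: bool = True) -> list[Decision]:
    """Evaluate a batch of URLs; useful for comparing the two options side by side."""
    return [evaluate(u, scoped) for u in urls]


if __name__ == "__main__":
    # Constructed sample requests: an oversized authorize call, the same size on
    # another endpoint, a far larger authorize call, and a look-alike path.
    samples = [
        "https://example.test/authorize?" + "a" * 3000,
        "https://example.test/userinfo?" + "a" * 3000,
        "https://example.test/authorize?" + "a" * 5000,
        "https://example.test/authorize-other?" + "a" * 3000,
    ]
    for label, scoped in (("scoped rule (option 2)", True), ("global change (option 3)", False)):
        print(label)
        for url, d in zip(samples, evaluate_many(samples, scoped)):
            print(f"  {urlsplit(url).path:<18} len={d.query_len:<5} {d.action:<5} via {d.rule}")
```

Running it shows the difference the comment is concerned with: under the scoped rule the 3000-character query is allowed only on `/authorize` and still blocked on `/userinfo` and on the look-alike path, whereas the global change lets it through everywhere. A 5000-character query is blocked under both, since it exceeds 4096 as well.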

ethanmills force-pushed the ATO-195/remove-query-param-limit branch from 31faf7d to 9f84b79 on November 16, 2023 10:43

ethanmills changed the title from "ATO-195: Remove query param limit from WAF" to "ATO:195 Amend WAF query param limit" on Nov 16, 2023
billrdunn (Contributor) left a comment

LGTM

ethanmills merged commit e07bc89 into main Nov 17, 2023 (4 checks passed)

ethanmills deleted the ATO-195/remove-query-param-limit branch November 17, 2023 10:04