WAF related issue

Hi,

We have enabled Web Application Firewall (WAF) in our application. While trying to open a document in the ONLYOFFICE viewer, we are getting a 403 Forbidden error. When we tried to trace the reason, we have a set of SQL injection rules, which restrict the use of query parameter strings. Is there any other way to handle this issue?

https://domain .com/web-apps/apps/spreadsheeteditor/main/index.html?_dc=8.0.1-31&lang=en&customer=ONLYOFFICE&frameEditorId=docxEditor&mode=view&isForm=false&parentOrigin=https://localhost:3000&fileType=xlsx

Hello @Jagan

First of all, I can see that version 8.0 of Document Server is used. Please note that a newer version is available.

As for the WAF: is it configured as a transparent bridge or a reverse proxy?
In general, we haven’t tested Document Server in such an environment. You can try working around it with exception rules.

Hi @Constantine

It is configured as a reverse proxy, AWS WAF attached to the load balancer. Do you still suggest that we create an exception?

If so, please suggest the best way to create an exception rather than using the string “ONLYOFFICE”.

Your suggestion would help us to have tight security controls.

Option 2:

Do you have any suggestion to avoid passing the string in the URL, so that it will not be considered SQL injection?

Thanks

I cannot advise any specific exceptions, because as I mentioned we haven’t tested Document Server in such an environment.

Since your WAF is configured as a reverse proxy, you might want to take a look at the recommended configuration for Document Server proxying here:

It might be handy.


Not quite sure if I understand which string you are referring to.
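
Added example, not part of the thread and not ONLYOFFICE or AWS code: before writing the exception discussed above, the AWS WAF logs show which rule and which request component produced the 403 on the editor paths, so the exception can be scoped to that rule and path instead of to a string match. The log records below are constructed, and the `/web-apps/` prefix default and the function names are assumptions.

```python
import json
from collections import Counter

# Constructed AWS WAF log records (one JSON object per line). Field names follow
# the AWS WAF log format; every value, including matchedData, is a placeholder.
SAMPLE_LOG = r"""
{"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"ALL_QUERY_ARGS","matchedData":["<constructed>"]}],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":{"ruleId":"SQLi_QUERYARGUMENTS","action":"BLOCK"}}],"httpRequest":{"uri":"/web-apps/apps/spreadsheeteditor/main/index.html","args":"mode=view&fileType=xlsx"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleMatchDetails":[],"ruleGroupList":[],"httpRequest":{"uri":"/web-apps/apps/api/documents/api.js","args":""}}
{"action":"BLOCK","terminatingRuleId":"custom-sqli-rule","terminatingRuleType":"REGULAR","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"BODY","matchedData":["<constructed>"]}],"ruleGroupList":[],"httpRequest":{"uri":"/api/search","args":""}}
not-json
"""

def sqli_blocks(lines):
    """Yield (uri, rule, location, matched_data) for requests blocked on a SQLi match."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if rec.get("action") != "BLOCK":
            continue
        rule = rec.get("terminatingRuleId", "?")
        # Inside a rule group, the specific rule is reported under ruleGroupList.
        for grp in rec.get("ruleGroupList") or []:
            term = grp.get("terminatingRule") or {}
            if term.get("action") == "BLOCK":
                rule = f'{grp.get("ruleGroupId")}/{term.get("ruleId")}'
        uri = (rec.get("httpRequest") or {}).get("uri", "")
        for detail in rec.get("terminatingRuleMatchDetails") or []:
            if detail.get("conditionType") == "SQL_INJECTION":
                yield uri, rule, detail.get("location"), tuple(detail.get("matchedData") or ())

def summarize(lines, path_prefix="/web-apps/"):
    """Count SQLi blocks under path_prefix per (rule, request component)."""
    hits = [h for h in sqli_blocks(lines) if h[0].startswith(path_prefix)]
    return Counter((rule, loc) for _, rule, loc, _ in hits), hits

if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_LOG.splitlines())
    for (rule, loc), n in counts.most_common():
        print(f"{n:4d}  {rule}  matched in {loc}")
    for uri, _, _, matched in hits:
        print(f"      {uri}  matchedData={list(matched)}")
```

The (rule, component) pairs it reports are what a scoped exception would name, limited to the Document Server path prefix.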