Web application firewalls can trigger false positives when used with Haventec OIDC Landing Page or Haventec IAM. You may need to configure WAF exclusions when using these applications.
AWS WAF
The Core Rule Set managed rule group in AWS WAF includes the following potential false positives.
GenericRFI_QUERYARGUMENTS
This rule triggers on the redirect_uri request parameter used by the OIDC Landing Page, and should be disabled.
EC2MetaDataSSRF_QUERYARGUMENTS
This rule can also trigger on the redirect_uri request parameter when the URI uses localhost as the domain. Consider disabling this rule in non-production environments, for example to enable testing with a local Haventec IAM instance.
CrossSiteScripting_BODY
A false positive that can be caused by "/" characters in Base64 content. This rule should be disabled for both Haventec IAM and the OIDC Landing Page.
CrossSiteScripting_QUERYARGUMENTS
A false positive when using Haventec IAM with SAML, caused by URIs in the SigAlg parameter.
GenericRFI_BODY
This rule can be triggered by URIs in the request body when configuring identity providers and other resources in Haventec IAM. Disable this rule if administrators access Keycloak through the WAF.
EC2MetaDataSSRF_BODY
This rule can be triggered by URIs in the request body that use localhost as the domain. Consider disabling this rule in non-production environments when configuring Keycloak with local endpoints.
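The rules listed above are applied as rule-action overrides on the AWSManagedRulesCommonRuleSet managed rule group rather than by editing the rules themselves. The following Python script is an added example, not Haventec's or AWS's own code: it builds the wafv2 Rule object with the page's rules switched to Count, separating the overrides recommended everywhere from the two the page suggests only for non-production, and it reads AWS WAF log records to report which overridden rules are matching and on which paths, so an operator can confirm that the counted matches are the expected false positives. The function names, the constructed log records and the request paths are assumptions for the example; the rule names, the rule group name and the log field names are the real AWS ones.

```python
"""Build AWS WAF rule-action overrides for the Haventec rules and review
WAF logs for what the overridden rules actually match.

Added example, not Haventec's or AWS's own code. The rule names are the
AWSManagedRulesCommonRuleSet rules named on the page; function names, the
sample log records and the request paths are constructed for illustration.
"""
import json

# Overrides the page recommends for every deployment.
PRODUCTION_OVERRIDES = frozenset({
    "GenericRFI_QUERYARGUMENTS",          # redirect_uri on the OIDC Landing Page
    "CrossSiteScripting_BODY",            # "/" characters inside Base64 bodies
    "CrossSiteScripting_QUERYARGUMENTS",  # URIs in the SAML SigAlg parameter
    "GenericRFI_BODY",                    # URIs when configuring IdPs in Haventec IAM
})
# Overrides the page suggests only for non-production (localhost endpoints).
NON_PRODUCTION_OVERRIDES = frozenset({
    "EC2MetaDataSSRF_QUERYARGUMENTS",
    "EC2MetaDataSSRF_BODY",
})


def rule_overrides(production):
    """Return the set of rules to override for the given environment."""
    if production:
        return set(PRODUCTION_OVERRIDES)
    return set(PRODUCTION_OVERRIDES | NON_PRODUCTION_OVERRIDES)


def common_rule_set_rule(production, priority=1):
    """Build the wafv2 Rule object referencing the Core Rule Set.

    Overridden rules are set to Count instead of being removed from the
    group, so they no longer block but still appear in logs and metrics.
    """
    return {
        "Name": "AWSManagedRulesCommonRuleSet",
        "Priority": priority,
        "OverrideAction": {"None": {}},
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet",
                "RuleActionOverrides": [
                    {"Name": name, "ActionToUse": {"Count": {}}}
                    for name in sorted(rule_overrides(production))
                ],
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "AWSManagedRulesCommonRuleSet",
        },
    }


def _waf_record(uri, args, terminating, counted):
    """Constructed WAF log record, reduced to the fields used below."""
    return json.dumps({
        "action": "BLOCK" if terminating else "ALLOW",
        "httpRequest": {"uri": uri, "args": args},
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
            "terminatingRule": terminating,
            "nonTerminatingMatchingRules": [
                {"ruleId": r, "action": "COUNT"} for r in counted
            ],
        }],
    })


# Constructed sample log lines: a normal redirect_uri, a localhost redirect_uri
# (as used for local Haventec IAM testing) and an unrelated blocked request.
SAMPLE_WAF_LOGS = [
    _waf_record("/login", "redirect_uri=https%3A%2F%2Fapp.example%2Fcb",
                None, ["GenericRFI_QUERYARGUMENTS"]),
    _waf_record("/login", "redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcb",
                None, ["GenericRFI_QUERYARGUMENTS", "EC2MetaDataSSRF_QUERYARGUMENTS"]),
    _waf_record("/upload", "", {"ruleId": "SizeRestrictions_BODY", "action": "BLOCK"}, []),
]


def counted_rule_hits(log_lines):
    """Map each rule that matched in Count mode to the request URIs it hit."""
    hits = {}
    for line in log_lines:
        record = json.loads(line)
        uri = record["httpRequest"]["uri"]
        for group in record.get("ruleGroupList", []):
            for match in group.get("nonTerminatingMatchingRules", []):
                if match.get("action") == "COUNT":
                    hits.setdefault(match["ruleId"], []).append(uri)
    return hits


def unexpected_counts(log_lines, production):
    """Rules counting in the logs that this environment should not override."""
    return set(counted_rule_hits(log_lines)) - rule_overrides(production)


if __name__ == "__main__":
    print(json.dumps(common_rule_set_rule(production=True), indent=2))
    for rule, uris in counted_rule_hits(SAMPLE_WAF_LOGS).items():
        print(rule, uris)
    print("unexpected in production:", unexpected_counts(SAMPLE_WAF_LOGS, True))
```

The Rule object can be placed in the rules file passed to `aws wafv2 update-web-acl --rules`. Using Count is this example's choice: the rule stops blocking, which is the disabling the page describes, while its matches stay visible in WAF logs and CloudWatch metrics; the unexpected_counts check then catches a non-production override (the two EC2MetaDataSSRF rules) that was left in place in a production web ACL.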