We've got an application hosted on a VM in Azure, which is behind a WAF that we've got a lot of trouble with for some users.
Some users are plagued by "HTTP Error 400. The size of the request headers is too long." The application is protected by Azure AD login.
The full response to the browser is:
{
  "data": "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\">\r\n<HTML><HEAD><TITLE>Bad Request</TITLE>\r\n<META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD>\r\n<BODY><h2>Bad Request - Request Too Long</h2>\r\n<hr><p>HTTP Error 400. The size of the request headers is too long.</p>\r\n</BODY></HTML>\r\n",
  "status": 400,
  "config": {
    "method": "GET",
    "transformRequest": [
      null
    ],
    "transformResponse": [
      null
    ],
    "url": "api/datacontext/workbooks/876dac86e00e42878d9e239a8efb00a3/session/start",
    "headers": {
      "Accept": "application/json, text/plain, */*",
      "x-invision-app-language": "EN",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyIsImtpZCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyJ9.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.aghrUBArpEvvvXBs2MBPTCL2nUPZ3aMCJ-1r3EqB5a9UaqaX7Ego5mSw1gb_68y3KhsGfO7kAv49uCB7cy80kEXV4ES4htLefQmmp-Bx-1Et_w6vstoki9ojWuKP97NsaGlQBjPYCZcbCRptBIZJIr_H71dMuFhAPWYEImcGtOrF2RNQA4AFvlx6WL2dIONHVPar3sjgLWEvFxhPFZsml3Ht3M1OtLj5drAJrkUjgxfV3-00bqCwYCm5_t_BAtxWsd-LZEpjDLpN7nDBFIJF14oFrPB7yXCBM_q-Y4FCCwGE14NoRcUrJNJPYMt5b0LKHEAbIopdq_zmFQ6XnUmcjg"
    },
    "withCredentials": true
  },
  "statusText": "Bad Request"
}
The error shows up on different paths in the application and seemingly at random. It might work fine for a while, then the user gets the error message again. We've narrowed the problem down to being the WAF, as when we've changed the traffic to flow directly to the IIS web server the users are seeing none of these errors. It seems that there's nowhere to change the size limit for the request header that I can find in the WAF. Anyone got any idea as to where to start looking for a solution?
The Azure WAF is configured as follows:
Configure
  Tier: WAF
  Firewall Status: Enabled
  Firewall mode: Detection
  There are no exclusions configured.
Global Parameters:
  Inspect request body: Off
Rules
  Rule set: OWASP 3.0
  Advanced rule configuration: Disabled
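A quick way to see what is actually pushing a request over a proxy's header limit is to measure each header line, and each cookie inside the Cookie header, on a captured request. The script below is an added example, not code from the original post; the 8 KB limit, the host name and the token and cookie values are constructed placeholders, chosen so the sample request lands just over the limit the way an Azure AD session with a bearer token plus sign-in cookies can.

```python
"""Diagnose "HTTP Error 400. The size of the request headers is too long".

Measures the wire size of every request header and of every cookie, so the
largest contributors (typically the bearer token and the sign-in cookies) are
visible. The limit and the sample request below are constructed assumptions.
"""
from typing import Dict, List, Tuple

# Constructed sample request head: filler characters stand in for real values.
SAMPLE_REQUEST = (
    "GET /api/datacontext/workbooks/abc/session/start HTTP/1.1\r\n"
    + "Host: app.example.invalid\r\n"
    + "Accept: application/json, text/plain, */*\r\n"
    + "x-invision-app-language: EN\r\n"
    + "Authorization: Bearer " + "A" * 1500 + "\r\n"
    + "Cookie: ESTSAUTH=" + "B" * 3000
    + "; .AspNet.Cookies=" + "C" * 4000 + "; lang=EN\r\n"
    + "\r\n"
)


def header_sizes(raw_request: str) -> Dict[str, int]:
    """Bytes each header line occupies on the wire, including its CRLF."""
    head = raw_request.partition("\r\n\r\n")[0]
    sizes: Dict[str, int] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name = line.partition(":")[0].strip()
        sizes[name] = len(line.encode("utf-8")) + 2
    return sizes


def cookie_sizes(raw_request: str) -> List[Tuple[str, int]]:
    """Individual cookies (name, bytes of 'name=value'), largest first."""
    head = raw_request.partition("\r\n\r\n")[0]
    result: List[Tuple[str, int]] = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for cookie in value.split(";"):
            cookie = cookie.strip()
            if cookie:
                result.append((cookie.partition("=")[0], len(cookie.encode())))
    return sorted(result, key=lambda item: item[1], reverse=True)


def diagnose(raw_request: str, limit_bytes: int = 8192) -> dict:
    """Total header bytes, whether they exceed the (assumed) limit, and culprits."""
    sizes = header_sizes(raw_request)
    total = sum(sizes.values())
    return {
        "total_bytes": total,
        "over_limit": total > limit_bytes,
        "largest_header": max(sizes, key=sizes.get),
        "largest_cookies": cookie_sizes(raw_request)[:3],
    }
```

Run it against a request head copied from the browser's developer tools (Network tab, "view source" of the request headers) for an affected user; the largest cookies it reports are the ones to look at when deciding what to trim or exclude.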