
I use:

DB: SQL Server
Server: MVC5 / C# / .NET 4.7
Firewall: Cloudflare WAF
Client: HTML, CSS, JavaScript, jQuery.

I use the Cloudflare WAF for my application which accepts HTML elements in the richtext edit field. I use the CKEditor to enable these edit fields. However I am finding that much of the pasted HTML text is triggering the WAF OWASP rules, and in many cases as a false positive.

One can Base-64 encode the string client-side, but this may mask a dodgy string from the WAF. For example will still run when decoded back into the browser.

What is a good approach for dealing with this issue? The only other ideas I have had are to

a) Only allow plain text which would be restrictive.
b) Use some form of client-side cleaning utility to sanitize the text before it is uploaded, to remove any dodgy code.

I would welcome some best practice advice and any tools that I could investigate further.

1 Answer

Encoding data before the WAF and decoding it before database insertion is actually bypassing the WAF; disabling it would be just the same.

Now, in your case you are dealing with HTML, so you could html_encode it. This would have no impact when displaying it, but it could mean you would have to decode it before using it in a user input, otherwise you could face nested html_encoding on submit.

As I'm not sure of the best way to deal with this, I'm also looking for best practices on how to allow free user input without falsely triggering the WAF. If anyone finds something, please share it.


1 Comment

I don't know the answer to this, but would it help to make a server-side distinction between trusted and untrusted data? You say encoding the user input defeats the purpose of the WAF, but that's only the case for text you already know is untrusted user input. So the WAF still adds value for any other data being passed through, doesn't it? Why not encode the data that you plan to treat as untrusted on the server side and let the WAF block everything else. Then, server-side, you can sanitize the encoded data before passing it downstream.
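The comment's suggestion carried into the question's MVC5/C# stack, as an added example that is not code from the question, answer or comment: the client base64-encodes only the CKEditor field (so the WAF still inspects every other parameter), and the server decodes that one field and runs it through an allowlist sanitizer, treating it as untrusted. It assumes the HtmlSanitizer NuGet package (`Ganss.XSS` namespace in versions before 8); the model, field and action names are made up.

```csharp
using System;
using System.Text;
using System.Web.Mvc;
using Ganss.XSS; // HtmlSanitizer NuGet package (assumed; newer releases use Ganss.Xss)

public class ArticleViewModel
{
    public string Title { get; set; }

    // Constructed field: the client puts only the base64 of the CKEditor HTML here.
    // Base64 contains no '<', so MVC request validation and the WAF leave it alone,
    // while Title and everything else are still inspected normally.
    public string BodyBase64 { get; set; }
}

public class ArticleController : Controller
{
    // Configured once: a small allowlist of formatting tags and one harmless attribute.
    // Everything else (script, iframe, style, on* handlers, javascript: URLs) is dropped.
    private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();

    private static HtmlSanitizer BuildSanitizer()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "b", "strong", "i", "em", "u",
                                    "ul", "ol", "li", "a", "h1", "h2", "h3", "blockquote" })
            s.AllowedTags.Add(tag);
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("http");
        s.AllowedSchemes.Add("https");
        return s;
    }

    // Decodes the field and returns only allowlisted HTML; throws FormatException on bad base64.
    public static string DecodeAndSanitize(string bodyBase64)
    {
        string rawHtml = Encoding.UTF8.GetString(Convert.FromBase64String(bodyBase64 ?? ""));
        // The WAF never saw this string, so the sanitizer is the only control on it.
        return Sanitizer.Sanitize(rawHtml);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Save(ArticleViewModel model)
    {
        string safeHtml;
        try { safeHtml = DecodeAndSanitize(model.BodyBase64); }
        catch (FormatException) { return new HttpStatusCodeResult(400, "Body is not valid base64"); }

        // Persist safeHtml, never the raw decoded string (storage code omitted).
        // Rendering it later with Html.Raw is acceptable only because it was sanitized here.
        return RedirectToAction("Index");
    }
}
```

Input such as `<p onclick="x()">hi<script>alert(1)</script></p>` comes back as `<p>hi</p>`, which is the check to run against the sanitizer configuration before trusting it with the WAF-exempt field.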
