Azure WAF & OData: Configuration Guide

TL;DR

Configuring Azure Web Application Firewall (WAF) to properly handle OData requests requires understanding how OData uses HTTP methods and URL patterns. This guide shows you how to create custom rules in WAF to allow legitimate OData traffic while blocking malicious attempts.

Prerequisites

• An existing Azure Web Application Firewall (WAF).
• Access to the Azure portal.
• Basic understanding of your OData endpoint’s URL structure and HTTP methods used.

Steps

1. Identify OData Request Patterns: Before creating rules, understand how your application uses OData. Common patterns include:
   • Base URL for the OData service (e.g., https://your-odata-service.com/odata).
   • Common entity sets (e.g., /Products, /Customers).
   • HTTP methods: GET, POST, PUT, PATCH, DELETE.
   • OData query options (e.g., $filter, $select, $orderby).
2. Access WAF Custom Rules: In the Azure portal, navigate to your WAF resource. Under ‘Settings’, select ‘Custom rules’. Click ‘+ Add custom rule’.
3. Create a Rule for Allowed OData Methods: Create a rule that allows common OData HTTP methods.
   • Name: AllowODataMethods (or similar).
   • Priority: Assign a priority (lower numbers are evaluated first). For example, 100.
   • Rule type: Match Rule.
   • Match conditions: Add the following condition:
     • Variable name: RequestMethod
     • Operator: Contains
     • Value: GET,POST,PUT,PATCH,DELETE (case-insensitive).
   • Action: Allow.
4. Create a Rule for Allowed OData Paths: Create a rule that allows requests to your OData endpoint paths.
   • Name: AllowODataPaths (or similar).
   • Priority: Assign a priority. For example, 110.
   • Rule type: Match Rule.
   • Match conditions: Add the following condition:
     • Variable name: RequestUri
     • Operator: Contains
     • Value: /odata (or your base OData path). You may need multiple conditions for different entity sets.
   • Action: Allow.
5. Create a Rule to Block Potentially Malicious OData Queries (Example): OData query options can be abused. This example blocks requests with excessively long filter clauses.
   • Name: BlockLongODataFilter (or similar).
   • Priority: Assign a priority. For example, 200.
   • Rule type: Match Rule.
   • Match conditions: Add the following condition:
     • Variable name: RequestUriQueryString
     • Operator: Contains
     • Value: $filter= (or your OData query option prefix).
   • Action: Block.
6. Test Your Rules: Thoroughly test the rules with both valid and invalid OData requests.
   • Use tools like Postman or curl to send test requests.
   • Monitor WAF logs for blocked/allowed traffic.
   • Adjust rule conditions as needed based on your testing results.
7. Review and Refine: Regularly review the WAF logs and refine the custom rules to ensure they are effective and don’t block legitimate traffic.

Important Considerations

• False Positives: Be careful when blocking based on query parameters, as it can lead to false positives.
• URL Encoding: Ensure your rules account for URL encoding of OData query options.
• Application-Specific Logic: Consider adding custom rules that reflect the specific logic and constraints of your OData application.