FTABoy
Contributor

NSX-ALB WAF is not compatible with Arabic characters

Hello everyone, I came across this issue: the WAF of NSX Advanced Load Balancer (Avi Vantage Version: 21.1.2 Build: 9124 - Controller patch version: 2p2) is not compatible with Arabic Unicode characters as input arguments for web applications.

For example, if this 'get' query: http://somename.com/index.php?testparam=ذخیره و ادامه
is sent to the application (VS/WAF), it gets corrupted like this: 0.J1G H '/'EG which causes false positive alarms (sqli). The corruption is caused by these two functions (t:utf8toUnicode, t:urlDecodeUni), which are used in rules/signatures...

According to my research and tests, this issue originates from the default configuration of ModSecurity (SecUnicodeMapFile unicode.mapping parameter), which is set to use 20127 (US-ASCII) by default. To fix and work around that issue, we should be able to change it to 1256 (ANSI - Arabic). I should mention that there is a "unicode.mapping" file for this purpose and it should be up to date.

In conclusion, I can't find any place in the AVI NSX-ALB web GUI (controller) to set this parameter for a WAF profile/policy, nor was I able to find the ModSecurity config file in the Service Engines shell to modify manually. This issue causes the whole WAF solution to not be compatible with a lot of other languages...

Any suggestion might be helpful, thanks.

--------------------------
Navid Hosseinzadeh
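The corruption described in the post above, reproduced as an added example (not code from the thread, Avi, or ModSecurity): a small Python model that assumes t:urlDecodeUni keeps only the low byte of a %uHHHH code point when the active mapping has no entry for it, which is consistent with the output the poster reports. The sample string is constructed with Arabic yeh (U+064A), and the 1256 table is built from Python's cp1256 codec as a stand-in for a real unicode.mapping file.

```python
import re
from urllib.parse import quote, unquote_to_bytes

# Constructed sample: the phrase from the post, spelled with Arabic yeh (U+064A).
SAMPLE = "\u0630\u062e\u064a\u0631\u0647 \u0648 \u0627\u062f\u0627\u0645\u0647"
PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def utf8_to_percent_u(raw: bytes) -> str:
    """Model of t:utf8toUnicode: each non-ASCII character becomes %uHHHH (BMP only)."""
    return "".join(c if ord(c) < 0x80 else "%u{:04x}".format(ord(c))
                   for c in raw.decode("utf-8"))


def url_decode_uni(data: str, mapping: dict) -> bytes:
    """Model of t:urlDecodeUni: every %uHHHH collapses to a single byte.

    Assumption: a code point missing from the mapping keeps only its low byte.
    """
    def one_byte(m):
        cp = int(m.group(1), 16)
        return chr(mapping.get(cp, cp & 0xFF))
    return PCT_U.sub(one_byte, data).encode("latin-1")


def codepage_mapping(codec: str) -> dict:
    """Code point -> byte table from a Python codec (stand-in for unicode.mapping)."""
    table = {}
    for b in range(0x80, 0x100):
        ch = bytes([b]).decode(codec, errors="ignore")
        if ch:
            table[ord(ch)] = b
    return table


def waf_view(encoded_value: str, mapping=None) -> bytes:
    """Bytes the rule operators would inspect for one URL-encoded argument value."""
    raw = unquote_to_bytes(encoded_value)  # request parsing: %HH -> UTF-8 bytes
    return url_decode_uni(utf8_to_percent_u(raw), mapping or {})


if __name__ == "__main__":
    wire = quote(SAMPLE)
    print("on the wire      :", wire)
    print("no Arabic mapping:", waf_view(wire))
    print("1256 mapping     :", waf_view(wire, codepage_mapping("cp1256")))
```

Without an Arabic table, U+0627 and U+062F collapse to the ASCII quote and slash bytes, which is the kind of input SQLi signatures react to; with a table covering those code points, each letter maps to a byte above 0x7F and no such punctuation appears.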
FTABoy
Contributor

IMG_20211125_134631_280.jpg

IMG_20211125_134628_846.jpg

--------------------------
Navid Hosseinzadeh
Christian_Avi
VMware Employee

Hi.

Thanks for reporting this issue. And thank you for all the detailed information.

One ask though. Is this only happening with a specific browser or all browsers? We had seen that this might be triggered by Internet Explorer?

Have a great day.

Christian

FTABoy
Contributor

Hello Christian, thank you for your attention to this topic/issue. This is not a browser-specific issue; I can reproduce the same problem on Chrome/Firefox/IE...

Also, as can be seen in the screenshot, the user input parameter is sent correctly by the browser (URL encoded) and is correctly visible (readable) in LB logs... But when it gets passed to the WAF engine it gets corrupted as I described earlier. The input string turns into random characters (can be seen in WAF logs).

Best Regards

--------------------------
Navid Hosseinzadeh
Christian_Avi
VMware Employee

Alright. I have asked the team to reproduce and examine why this fails. Now, if there is a workaround, I will let you know here. In case code changes are needed, then it should appear in the release notes and a notification here. Have a great day!