Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 27 subscribers
  • Views 5089 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[WAF] Bypassing authentication is very easy.. how can I fix this?

FrankBarmentlo

Hey all,

 

I deployed the XG as a home user, and I use it for Web Server Protection for several domains. One of those domains contain random files and images, which I intend to share with various people. To keep the exact content private, I created folders:

i.domain.nl/a/

i.domain.nl/b/

and i.domain.nl/c/

(I replaced the actual domain here)

 

i.domain.nl is a virtual host on one of my webservers, nothing special is configured here.

 

Then I created 3 users,

User A can allow folder A

User B can allow folder B

And the same for user C.

In the WAF I chose for Path-specific routing. Then per folder I turned on authentication.

 

Now, as soon as you open the page, it will show a prompt for username / password.

Whenever I click "Cancel"  3 times, a nice index of the actual folder shows up, which is completely browsable.

 

How can I protect this properly?



This thread was automatically locked due to age.
Parents
  • 0

    Which SFOS version is that?

    Just to be sure: For the paths you configured as site-specific routing in WAF you enabled an authentication policy with client authentication mode "Basic", correct? And you didn't configure any authentication on your actual web server?

    What happens the first time you click "Cancel"? And the second time?

    What's in reverseproxy.log for all 3 clicks on "Cancel"?

Reply
  • 0

    Which SFOS version is that?

    Just to be sure: For the paths you configured as site-specific routing in WAF you enabled an authentication policy with client authentication mode "Basic", correct? And you didn't configure any authentication on your actual web server?

    What happens the first time you click "Cancel"? And the second time?

    What's in reverseproxy.log for all 3 clicks on "Cancel"?

Children
No Data