The check-header inbound policy does not execute if an operation is not found

Carl Hansen 20 Reputation points
2024-05-28T01:38:29.0733333+00:00

Hi Team,

We have an inbound policy using check-header that checks for a Front Door ID before processing a request. This is standard practice to put APIM behind a WAF.

It is our understanding that all requests MUST contain this header and value before APIM proceeds to do anything else. What we are seeing is that anyone can send a request to APIM's default gateway and get a 404 Resource Not Found response.

This provides attackers with the ability to enumerate over all possible operations until it finds ones that are available, allowing them to get a definition of our APIs.

Is this a bug with APIM? How can we prevent attackers from enumerating over APIM? How can we get APIM to block ALL requests unless the Front Door header and value are present?

Policy:

<inbound>
    <check-header name="X-Azure-FDID" failed-check-httpcode="401" failed-check-error-message="Unauthorized." ignore-case="false">
        <value>front-door-id</value>
    </check-header>
    <cors>
        <allowed-origins>
            <origin>*</origin>
        </allowed-origins>
        <allowed-methods preflight-result-max-age="300">
            <method>GET</method>
            <method>POST</method>
            <method>PUT</method>
            <method>PATCH</method>
        </allowed-methods>
        <allowed-headers>
            <header>*</header>
        </allowed-headers>
        <expose-headers>
            <header>Token-Expired</header>
            <header>Content-Disposition</header>
        </expose-headers>
    </cors>
</inbound>

Request to existing operation without header:

GET https://my-api.azure-api.net/users/all

{ "statusCode": 401, "message": "Unauthorized." }

Request to non-existing operation without header:

GET https://my-api.azure-api.net/some-operation

{ "statusCode": 404, "message": "Resource not found" }
Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,939 questions
0 comments
Accepted answer
  1. hossein jalilian 5,400 Reputation points
    2024-05-28T04:18:41.6833333+00:00

    HiCarl Hansen,

    Thanks for posting your question in the Microsoft Q&A forum.

    The check-header policy is intended to verify the presence of a specific header and its value. If the header is missing or the value doesn't match, it returns a specified HTTP status code, such as 401 Unauthorized. However, if the requested operation or resource does not exist in APIM, a 404 Resource Not Found response is returned regardless of the header's presence. This occurs because APIM first checks for the existence of the requested operation before applying any policies or authentication checks.

    To prevent attackers from enumerating over your APIs and operations, you can consider the following approaches:

    • Use a more restrictive IP allow list: Instead of relying solely on the X-Azure-FDID header, you can configure APIM to only accept requests from a specific set of IP addresses or ranges.
    • Use a more secure authentication mechanism: Instead of relying on a simple header check, you can implement a more robust authentication mechanism, such as OAuth 2.0 or API keys.
    • Use a reverse proxy or API gateway: Instead of exposing APIM directly to the internet, you can place it behind a reverse proxy or API gateway, such as Azure Front Door or Azure Application Gateway.
    • Implement rate limiting: You can configure rate limiting policies in APIM to limit the number of requests that can be made to your APIs within a specific time period

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest