How do I determine which Azure WAF rule affects my specific URL - azure

My request got a 403 when accessing a URL in this format:
https://example.com/Test.aspx?param=https%3A%2F%2Fwww.test.com%2Fen-us%3F
I have read the documentation but I am not sure which rule prevented my request.
Can anyone show me:
How to find exactly which rule prevented my request
How to report prevented requests (I have looked at the log but there is nothing in there)

If you have enabled WAF monitoring for Application Gateway or for Azure Front Door, you should see the ruleId in the Firewall log. Please note that the logs are only saved hourly. You could get more details from this blog.
{
"resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
"operationName": "ApplicationGatewayFirewall",
"time": "2017-03-20T15:52:09.1494499Z",
"category": "ApplicationGatewayFirewallLog",
"properties": {
"instanceId": "ApplicationGatewayRole_IN_0",
"clientIp": "104.210.252.3",
"clientPort": "4835",
"requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E",
"ruleSetType": "OWASP",
"ruleSetVersion": "3.0",
"ruleId": "941320",
"message": "Possible XSS Attack Detected - HTML Tag Handler",
"action": "Blocked",
"site": "Global",
"details": {
"message": "Warning. Pattern match \"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ...\" at ARGS:a.",
"data": "Matched Data: <script> found within ARGS:a: <script>alert(\\x22hello\\x22);</script>",
"file": "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
"line": "865"
},
"hostname": "40.90.218.100",
"transactionId": "AYAcUqAcAcAcAcAcASAcAcAc"
}
}
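One way to answer "which rule stopped this URL" from exported firewall logs, as an added example that is not part of the original answer. It assumes the logs are available as one JSON record per line with the fields shown above; the function name and the sample records are constructed for illustration. Entries are grouped by transactionId because one request can produce several rule entries, of which only some carry the action Blocked.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of the log entry above;
# they are illustrative and not taken from a real gateway.
SAMPLE_LOG = """\
{"category":"ApplicationGatewayFirewallLog","properties":{"requestUri":"/Test.aspx?param=https%3A%2F%2Fwww.test.com%2Fen-us%3F","ruleId":"931130","message":"constructed: off-domain reference","action":"Matched","transactionId":"tx-1"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"requestUri":"/Test.aspx?param=https%3A%2F%2Fwww.test.com%2Fen-us%3F","ruleId":"949110","message":"constructed: anomaly score exceeded","action":"Blocked","transactionId":"tx-1"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"requestUri":"/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E","ruleId":"941320","message":"Possible XSS Attack Detected - HTML Tag Handler","action":"Blocked","transactionId":"AYAcUqAcAcAcAcAcASAcAcAc"}}
{"category":"ApplicationGatewayAccessLog","properties":{"requestUri":"/Test.aspx","httpStatus":403}}
"""


def blocking_rules(log_text, uri_prefix):
    """Return {transactionId: [(ruleId, action, message), ...]} for
    blocked requests whose requestUri starts with uri_prefix."""
    by_tx = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        # Only firewall entries carry ruleId; access log entries do not.
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        p = rec.get("properties", {})
        if p.get("requestUri", "").startswith(uri_prefix):
            by_tx[p.get("transactionId")].append(
                (p.get("ruleId"), p.get("action"), p.get("message")))
    # Keep only transactions in which at least one rule blocked the request,
    # but report every rule that fired in them.
    return {tx: hits for tx, hits in by_tx.items()
            if any(action == "Blocked" for _, action, _ in hits)}


if __name__ == "__main__":
    for tx, hits in blocking_rules(SAMPLE_LOG, "/Test.aspx").items():
        for rule_id, action, message in hits:
            print(tx, rule_id, action, message)
```

An empty result for a URL that returns 403 means no firewall entry was logged for it in the exported window, which matches the case where diagnostic logging is not enabled or the hourly log has not been written yet.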

Related

obtain item-id for microsoft graph api

I am trying to figure out how to obtain an "item-id" for a file in a SharePoint site for the Microsoft Graph API.
Microsoft documentation: https://learn.microsoft.com/en-us/graph/api/driveitem-get?view=graph-rest-1.0&tabs=http
Here is what I tried so far:
Tried using https://developer.microsoft.com/en-us/graph/graph-explorer to guess the api link that will let me download the file I want.
I first tried to get the sharepointsite like so:
https://graph.microsoft.com/v1.0/sites/omidtechnfr.sharepoint.com:/sites/delploy
That worked:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites/$entity",
"createdDateTime": "2021-07-15T21:02:02.78Z",
"description": "delploy",
"id": "omidtechnfr.sharepoint.com,5e03397e-03b0-4d92-9658-f9163f0131b3,1d9f21da-4d74-45db-b5d4-e4a7f7f278a1",
"lastModifiedDateTime": "2021-07-17T02:16:39Z",
"name": "delploy",
"webUrl": "https://omidtechnfr.sharepoint.com/sites/delploy",
"displayName": "delploy",
"root": {},
"siteCollection": {
"hostname": "omidtechnfr.sharepoint.com"
}
}
So then I tried using what I ASSUME is the item-id for the SharePoint site delploy to try and get more information out of the site so I can try to find the item-id for the file I want to download:
https://graph.microsoft.com/v1.0/sites/5e03397e-03b0-4d92-9658-f9163f0131b3/drive/
And I got back some result but it doesn't show the item-id for me to do anything with it:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives/$entity",
"createdDateTime": "2021-07-11T05:16:50Z",
"description": "",
"id": "b!fjkDXrADkk2WWPkWPwExs9ohnx10TdtFtdTkp_fyeKF_K1_Z49FFSbzXVFRA5GKa",
"lastModifiedDateTime": "2021-07-16T18:32:35Z",
"name": "Documents",
"webUrl": "https://omidtechnfr.sharepoint.com/sites/delploy/Shared%20Documents",
"driveType": "documentLibrary",
"createdBy": {
"user": {
"displayName": "System Account"
}
}
At this point I started to get desperate and a little angry. So I tried to just download the file from SharePoint and assume that the characters at the end of the download link were the item-id but that didn't work either:
download link:
https://omidtechnfr.sharepoint.com/sites/delploy/_layouts/15/download.aspx?UniqueId=25e2fd4f%2Deb32%2D43ac%2D9141%2Dfa47a610a27c
Used https://www.urldecoder.org/ to decode what I am assuming is the item-id for the file I want to download
25e2fd4f-eb32-43ac-9141-fa47a610a27c
Then tried to desperately tack this on to the Microsoft graph api to see what happens:
https://graph.microsoft.com/v1.0/sites/5e03397e-03b0-4d92-9658-f9163f0131b3/drive/items/25e2fd4f-eb32-43ac-9141-fa47a610a27c
and it failed:
{
"error": {
"code": "itemNotFound",
"message": "The resource could not be found.",
"innerError": {
"date": "2021-07-17T14:13:51",
"request-id": "985e2893-5343-47ac-a93c-6629a00c4eb3",
"client-request-id": "73a3b6d0-f1ce-bb51-b126-43f0957d15e3"
}
}
}
You could get the file by the path: https://graph.microsoft.com/v1.0/sites/{site-id}/drive/root:/{item-path}
For example: https://graph.microsoft.com/v1.0/sites/{site-id}/drive/root:/test.docx
If the file is in a folder, it would be like this: https://graph.microsoft.com/v1.0/sites/{site-id}/drive/root:/folder1/test.docx
I used the search site id endpoint GET /sites/{site-id}/drive/root/search(q='{search-text}')
Documentation here.

How do I retrieve multiple callbacks on translation progress

I have created a webhook that is using the event extraction.updated that should trigger when a job is in progress. I want to retrieve multiple calls on the progress of the translation so that I can show it in my progress bar. Unfortunately I only retrieve a callback when the job translation is finished. When I create the job I set the misc.workflow parameter and same goes for the hook. Am I missing some parameters when creating a webhook or posting a job?
I was following this tutorial: https://forge.autodesk.com/en/docs/webhooks/v1/tutorials/create-a-hook-model-derivative/
The job payload takes the input which is my urn, output which is the filetype(svf2) and views(2d,3d), and misc which is the workflow(testworkflowname)
Callback result:
{{
"version": "1.0",
"resourceUrn": "<my-resourceUrn>",
"hook": {
"hookId": "<my-hookId>",
"tenant": "testworkflowname",
"callbackUrl": "<my-callbackUrl>",
"createdBy": "<my-createdBy>",
"event": "extraction.updated",
"createdDate": "<my-createdDate>",
"lastUpdatedDate": "<my-lastUpdatedDate>",
"system": "derivative",
"creatorType": "Application",
"status": "active",
"scope": {
"workflow": "testworkflowname"
},
"hookAttribute": {
"progress": "test"
},
"autoReactivateHook": false,
"urn": "<my-urn>"
},
"payload": {
"TimeStamp": <my-timestamp>,
"Env": "production",
"URN": "<my-urn>",
"EventType": "UPDATED",
"Payload": {
"status": "success",
"bubble": {
"guid":"<my-guid>",
"owner": "<my-owner>",
"hasThumbnail": "true",
"startedAt": "<my-startedAt>",
"type": "design",
"urn":"<my-urn>",
"success": "100%",
"progress": "complete",
"region": "US",
"status": "success",
"children": []
},
"scope": "<my-scope>",
"registerKey": []
},
"WorkflowAttributes": null
}
}}
You've got your webhooks set up correctly. I'm afraid this is a limitation on the Model Derivative service side. The service can translate over 60 different file formats today, and as you can imagine, different formats must be converted using different libraries. And while some of the converters support progress reporting, others may not, so being able to get notified of translation progress really depends on the file format you're processing.

How to get the Site Id of SharePoint using Graph SharePoint Explorer

How do I get the Microsoft SharePoint SiteID using Microsoft Graph API Explorer?
Initially I tried the API below and I was able to get the Site ID:
https://graph.microsoft.com/v1.0/sites/tenantName.sharepoint.com:/sites/TestSite:/drives?select=name,id
Sharepoint URL:
https://tenantName.sharepoint.com/sites/TestSite
The output I got is:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives",
"value": [
{
"id": "b!l17-JY9YT67Qp-2TBvsUupBLMUF2SrJHp5VylCDZThT7HpCdF-7uQ6NTp6t-MbR5",
"name": "Documents"
}
]
}
But when I try with a Communication Site
whose SharePoint URL is:
https://tenantName.sharepoint.com/SitePages/DevHome.aspx
Graph Explorer API
https://graph.microsoft.com/v1.0/sites/tenantName.sharepoint.com:/SitePages/DevHome:/drives?select=name,id
I am getting the error below:
{
"error": {
"code": "itemNotFound",
"message": "The provided path does not exist, or does not represent a site",
"innerError": {
"request-id": "8329dfca-c63b-4af5-80b8-75f26be9e2e8",
"date": "2019-10-31T13:18:33"
}
}
}
A sitePage is a fundamentally different resource than a site.
A site is a container that owns any number of sub-sites, apps, lists, document libraries, etc.
A sitePage is just another resource owned by a site.
The sitePage resource is currently only available in the Microsoft Graph Beta version.
So the query for /SitePages/DevHome.aspx would be:
/beta/sites/root/pages/{pageId}
If you don't yet know the correct id for the page, you can filter the SitePage collection based on the page's name:
/beta/sites/root/pages?$filter=name eq 'DevHome.aspx'
This will return a collection with a single entity (the DevHome.aspx page):
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#sites('root')/pages",
"value": [
{
"eTag": "",
"id": "{id}",
"lastModifiedDateTime": "2014-07-10T05:47:29Z",
"name": "DevHome.aspx",
"webUrl": "SitePages/DevHome.aspx",
"createdBy": {
"user": {
"displayName": "System Account"
}
},
"lastModifiedBy": {
"user": {
"displayName": "System Account"
}
},
"parentReference": {
"siteId": "{id}"
},
"contentType": {
"id": "0x0101080062C83F3CFED6744A882F729480DE6C17",
"name": "Wiki Page"
},
"webParts": [],
"publishingState": {
"level": "published",
"versionId": "1.0"
}
}
]
}
I should also point out that you're misinterpreting the result of your first query. When you request /v1.0/sites/{tenant}:/{path}:/drives?select=name,id, you are not getting the IDs for each Site, you're getting the IDs for each Drive within that Site. You can find the objects contained within a site in the Relationships section of the Site Resource documentation.
Your Graph API call is incorrect.
Try this one:
https://graph.microsoft.com/v1.0/sites/tenantName.sharepoint.com?select=name,id

Azure Cognitive Services - Batch Transcription API responds with error message "The recording URI is invalid."

Steps followed:
I created a speech services instance in West US.
I have the right headers (Content-Type and Ocp-Apim-Subscription-Key).
I make a POST request to https://westus.cris.ai/api/speechtotext/v2.0/transcriptions/ with the request payload below:
{
"recordingsUrl": "https://transcribehm97c1.blob.core.windows.net/audio-files/2019-04-04_Blockchain%20explained%20with%20TruStory%27s%20Preethi%20Kasireddy.mp3?st=2019-05-27T12%3A19%3A27Z&se=2019-12-31T12%3A19%3A00Z&sp=rl&sv=2018-03-28&sr=b&sig=HFBvGl1pmCM95MNU9U3yniMNXrUMT6RmPb36F32cxrY%3D",
"models": [],
"locale": "en-US",
"name": "I dont know why this is not working",
"description": "Someone please send help",
"properties": {
"ProfanityFilterMode": "Masked",
"PunctuationMode": "DictatedAndAutomatic"
}
}
I get a “202 Accepted” response with the headers below. This confirms that the request body is valid.
location: https://westus.cris.ai/api/speechtotext/v2.0/transcriptions/69b7abf4-6383-4490-88a9-9fd42a77e470
When I make a GET Request to the above location, I see this
{
"recordingsUrl": "https://transcribehm97c1.blob.core.windows.net/audio-files/2019-04-04_Blockchain explained with TruStory's Preethi Kasireddy.mp3?st=2019-05-27T12:19:27Z&se=2019-12-31T12:19:00Z&sp=rl&sv=2018-03-28&sr=b&sig=HFBvGl1pmCM95MNU9U3yniMNXrUMT6RmPb36F32cxrY%3D",
"resultsUrls": {},
"models": [“I have removed this for brevity”],
"statusMessage": "The recordings URI is invalid.",
"id": "69b7abf4-6383-4490-88a9-9fd42a77e470",
"createdDateTime": "2019-05-27T12:43:39Z",
"lastActionDateTime": "2019-05-27T12:43:50Z",
"status": "Failed",
"locale": "en-US",
"name": "I dont know why this is not working",
"description": "Someone please send help",
"properties": {
"ProfanityFilterMode": "Masked",
"PunctuationMode": "DictatedAndAutomatic"
}
}
The transcription fails for some URLs while passing for others for blobs in the same storage, although they are all valid URLs. The SAS URI in the request is valid till the end of the year.
I have re-tried the same request multiple times via code and Postman and it fails.
Link to Swagger Page : https://westus.cris.ai/swagger/ui/index
The issue may be due to the audio file size. Please refer to the core features for the REST API, as REST supports only short audio.

Azure Application Gateway forwarding "/*" to Backend Pool

I have an Azure Application Gateway set up with Path-Based routing to route between two different Backend Pools. I also have Application Insights configured on one of the Pools, which I will come back to in a moment. My path rule is configured like this:
/home/* -> Backend Pool 1
/* -> Backend Pool 2
I have never been able to connect to Backend Pool 1 but, I have been able to successfully connect to Backend Pool 2 at /* and when I was able to do that, going to /home/* would still be sent to Backend Pool 2 which didn't exist there. I tried using the Override Backend Path setting on the HTTP Settings, but then neither route would work and I would receive a 502 error. So naturally, I tried to reverse that setting, but nothing would change.
However, I did notice in the Application Insights for Backend Pool 2 that after removing the Override Backend Path setting, that the server pool was receiving the /* as part of the request and thus, receiving a 400 error because that route doesn't exist and the character is not allowed in the URL (It's worth noting that my web.config file doesn't have request URL character restrictions right now).
I know that this type of routing is possible, given the number of documents from Azure, but I've been dealing with this problem for two weeks and have pored over every scrap of documentation and don't seem to be getting anywhere.
So to clarify, my specific question is:
Given the things I've already tried, am I missing something in my configuration, or is something wrong with my configuration?
I'd be more than happy to clarify any points that you feel I've left out.
EDIT: Adding the configuration of the one rule and its path map for context.
[
{
"backendAddressPool": null,
"backendHttpSettings": null,
"etag": "<####>",
"httpListener": {
"id": "<####>",
"resourceGroup": "<####>"
},
"id": "<####>",
"name": "HttpsPaths",
"provisioningState": "Succeeded",
"redirectConfiguration": null,
"resourceGroup": "<####>",
"ruleType": "PathBasedRouting",
"type": null,
"urlPathMap": {
"defaultBackendAddressPool": {
"id": "<####>/backendPool1",
"resourceGroup": "<####>"
},
"defaultBackendHttpSettings": {},
"defaultRedirectConfiguration": null,
"etag": "<####>",
"id": "<####>",
"name": "HttpsPaths",
"pathRules": [
{
"backendAddressPool": {
"id": "<####>/backendPool1"
},
"backendHttpSettings": {
"id": "<####>/OverrideBackendPathSettings (redirects to '/' on the backend)",
"resourceGroup": "<####>"
},
"etag": "<####>",
"id": "<#####>",
"name": "home",
"paths": [
"/home/*"
],
"provisioningState": "Succeeded",
"redirectConfiguration": null,
"resourceGroup": "<####>",
"type": null
},
{
"backendAddressPool": {
"id": "<####>/BackendPool2",
"resourceGroup": "<####>"
},
"backendHttpSettings": {
"id": "<####>/appGatewayBackendHttpSettings (sends request as is)",
"resourceGroup": "<####>"
},
"etag": "<####>",
"id": "<####>/gryphon",
"name": "gryphon",
"paths": [
"/*"
],
"provisioningState": "Succeeded",
"redirectConfiguration": null,
"resourceGroup": "<####>",
"type": null
}
],
"provisioningState": "Succeeded",
"resourceGroup": "<####>",
"type": null
},
"provisioningState": "Succeeded",
"resourceGroup": "<####>",
"type": null
}
]
Rules are evaluated in the order they are specified. It could be that you have a basic rule preceding the path based rule. This would cause the basic rule to intercept all traffic and route to backend pool specified in that rule. If that is not the case, then pasting the rules configuration would probably help.
--
Edit
I looked at your configuration details in our monitoring system. This is because of an incorrect probe configuration. You have /* in probes, which is not valid. The probe should point to an existing page which returns a 200 HTTP response code. Also, you do not need a path override, and it can be removed. Once you have probes configured correctly, please ensure that the backend health report is showing all backend servers as healthy. Then your path-based rules would work as expected.
