JSON Requests Returning "for(;;);" Prefix Causing WAF Issues

Hello forum members,

I’m facing a critical issue with my JSON requests. They all return a “for(;;);” prefix, leading to problems with our Web Application Firewall (WAF) due to JSON misformatting.

This situation is impacting our security measures, and we urgently need a solution. Has anyone encountered a similar problem and found a way to resolve it? Your insights would be greatly appreciated.

Best regards,

It’s impossible to change, you have to customize your WAF.

The WAF follows the OWASP standard, I’m having difficulty explaining why a request that has content-type application/json returns a code in the middle. Is there no alternative?

We also have Apache with Modsecurity in Block Mode and OWASP ruleset in use and there is no problem with it.

There is no alternative, it’s a fundamental part of the client-server communication of Flow and I personally don’t think that’s going to quickly change, especially since you are the first person asking for it as far as I know.

Hi @good-vole, can you share a response?
I am a little confused by your question. The client and server communicate using RPC:

https://github.com/vaadin/flow/blob/402ea7a80d16fb35f5499c4760d7ff305b3127ba/flow-client/src/main/java/com/vaadin/client/communication/MessageHandler.java#L59

I believe, as @quirky-zebra mentioned before, it’s a server misconfiguration.

@charming-frog… Apologies for the delay

for(;;);[
   {
      "changes":{
         
      },
      "resources":{
         
      },
      "locales":{
         
      },
      "meta":{
         "appError":{
            "caption":"Cookies disabled",
            "url":null,
            "message":"This application requires cookies to function. Please enable cookies in your browser and click here or press ESC to try again.",
            "details":null,
            "querySelector":null
         }
      },
      "syncId":-1
   }
]

This is an example of what the server returns with JSON content-type for a URL with the format ?v-r=uidl&v-guild=X (X → any number) (Issue url: https://github.com/vaadin/flow/issues/17728)

This is the error flagged in the WAF. The WAF is an F5 (owner of nginx pro).
vaadin_waf_error.png
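The response quoted above, worked through as an added example that is not part of the original post or of Vaadin’s code: the UIDL body fails as plain JSON (which is what a generic WAF rule expects), but once the fixed `for(;;);` prefix is verified and stripped it parses normally. The prefix is the usual defence against JSON hijacking via `<script>` inclusion; the sample body below is constructed after the quoted response.

```python
import json

# Vaadin prefixes UIDL responses with this JavaScript infinite loop so the
# body cannot be executed if it is ever loaded through a <script> tag.
UIDL_PREFIX = "for(;;);"

# Constructed sample, modelled on the response quoted in the thread.
SAMPLE_RESPONSE = (
    'for(;;);[{"changes":{},"resources":{},"locales":{},'
    '"meta":{"appError":{"caption":"Cookies disabled","url":null,'
    '"message":"This application requires cookies to function.",'
    '"details":null,"querySelector":null}},"syncId":-1}]'
)


def is_plain_json(body: str) -> bool:
    """Tell whether a body parses as JSON as-is (what a generic WAF expects)."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def strip_uidl_prefix(body: str) -> str:
    """Return the JSON part of a UIDL response.

    Raises ValueError unless the body starts with the exact prefix, so a
    proxy-side check does not accept a body that merely contains it.
    """
    if not body.startswith(UIDL_PREFIX):
        raise ValueError("missing for(;;); prefix")
    return body[len(UIDL_PREFIX):]


def parse_uidl(body: str) -> list:
    """Parse a UIDL response into Python objects after removing the prefix."""
    payload = json.loads(strip_uidl_prefix(body))
    if not isinstance(payload, list):
        raise ValueError("UIDL payload must be a JSON array")
    return payload


def app_error_caption(body: str):
    """Return meta.appError.caption when the server reports an app error."""
    for msg in parse_uidl(body):
        err = msg.get("meta", {}).get("appError")
        if err:
            return err.get("caption")
    return None
```

The same prefix check is what a custom rule in front of the application would need to express: accept `for(;;);` only as the literal first eight bytes of a `?v-r=uidl` response, then validate the remainder as JSON.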

Hi @limitless-cat, this is not a security threat. It’s a “malformed json”.

Which is not really malformed, but part of how Vaadin is built.

Check the following https://my.f5.com/manage/s/article/K90450301 and create a rule for F5.

@charming-frog … I understand that this is how Vaadin is built, but this does not change the fact that it is a vector for “json parse attack”.
Adding an exception in the WAF does not resolve this problem and, according to an issue opened in GitHub, this is no longer necessary taking into account the current operation of Vaadin.

Well, I think people bigger and smarter than me, @quintessential-ibex and @original-uguisu, should answer that.

vector for “json parse attack”
This is true when we are talking about open REST APIs; Vaadin is not like that. It is a closed environment. A 3rd party cannot put data there, connect to that Vaadin server, etc.

You are totally right, it mainly attacks unsecured nodejs or php scripts (versions 7.1 and less), but I was waiting for someone more official than me to speak first.
I would also like to point out two things: 1. If this was a security hole, Spring Boot Security would have intercepted it first.
2. You are running: Nginx > WAF > proxy > Spring Boot Security > Vaadin… F5 and Spring Security have many clashes.

  3. F5 was designed mostly for websites and other CMS-like platforms (nginx the same).
  4. A solution for you is to change perspective: it’s ok that your WAF pointed out there is a problem, because it does not understand what Vaadin is. Now you know what Vaadin is, so tell it it’s ok.