WAF 2 does not prevent script attack
I have integrated a web application firewall (2) with the application gateway in Prevention mode.
However, when I attempt to create a record using a script tag as the FirstName, the record is successfully created. Ideally, this action should be blocked.
Could you please clarify why this is not functioning as expected?
Azure Web Application Firewall
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-09T18:03:05.11+00:00 Hi @Avinash Davkhar,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
- Please ensure that the WAF policy is set to prevention mode, as it defaults to detection mode during creation. It is crucial to switch it to prevention mode for it to block malicious requests effectively.
- Please ensure that the WAF configuration and the rule set are properly configured.
- Please verify whether any custom rules are configured in the WAF and ensure that these rules do not override the script attack protection.
Kindly let us know if the above helps or you need further assistance on this issue.
-
Avinash Davkhar 20 Reputation points
2024-09-10T08:35:54.6666667+00:00 Hi Sai,
If you have read the question, the WAF policy is in Prevention mode.
There are no custom rules configured.
WAF should protect from script attacks, but that is not happening.
Thanks
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-10T09:40:02.9966667+00:00 Hi @Avinash Davkhar,
Thank you for getting back.
Before proceeding, can you please share the below details with us so that we can assist you better.
Could you please share the versions of your Application Gateway and WAF?
Additionally, could you specify which OWASP rule you expect to be blocked?
Thanks.
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-11T10:04:51.9633333+00:00 Hi @Avinash Davkhar,
Greetings of the day!
I would like to follow up with the thread.
Could you please go through the last comment and provide us the required information to drive the thread further?
If you need any further assistance, please don't hesitate to reach out to us. We are happy to assist you.
-
Avinash Davkhar 20 Reputation points
2024-09-11T14:35:00.2566667+00:00 Hi Sai,
Web application firewall and the application gateway both have version V2.
The OWASP version is OWASP 3.2.
Thanks
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-12T01:22:35.38+00:00 Hi @Avinash Davkhar,
Thanks for sharing the information.
WAF has rules to prevent cross-site scripting attacks. You can refer to them here: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32#crs941-32
This is the OWASP implementation for reference:
- Also, please share more details on how you are passing the script tag so that we can get a better understanding to guide you further.
- Application Gateway WAF can have both global and per-site policies. Please confirm that there are no other WAF policies associated with this Application Gateway.
Kindly let us know if the above helps or you need further assistance on this issue.
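As an added example (not part of this answer, and not Microsoft tooling), the checklist above can be turned into a small audit of the WAF policy JSON: policy state and mode, request body inspection, the OWASP rule set version, overrides that disable rules in the CRS 941 (XSS) group, managed-rule exclusions, and custom rules with an Allow action (custom rules are evaluated before managed rules, and Allow ends evaluation for a matching request). The field names are assumed to follow the output of `az network application-gateway waf-policy show -o json`; both sample policies below are constructed for illustration.

```python
"""Audit an Azure Application Gateway WAF policy for the settings raised in the thread.

Input: the JSON returned by `az network application-gateway waf-policy show`
(field names assumed from that output; both sample policies are constructed).
"""
import json

XSS_RULE_GROUP = "REQUEST-941-APPLICATION-ATTACK-XSS"

# Constructed sample: looks configured, but has several reasons a <script> payload
# could still reach the backend.
WEAK_POLICY = json.loads("""
{
  "name": "waf-policy-example",
  "policySettings": {"state": "Enabled", "mode": "Detection", "requestBodyCheck": false},
  "managedRules": {
    "managedRuleSets": [
      {"ruleSetType": "OWASP", "ruleSetVersion": "3.2",
       "ruleGroupOverrides": [
         {"ruleGroupName": "REQUEST-941-APPLICATION-ATTACK-XSS",
          "rules": [{"ruleId": "941110", "state": "Disabled"}]}]}
    ],
    "exclusions": [
      {"matchVariable": "RequestArgNames", "selectorMatchOperator": "Equals", "selector": "FirstName"}
    ]
  },
  "customRules": [
    {"name": "AllowOffice", "priority": 1, "action": "Allow", "state": "Enabled"}
  ]
}
""")

# Constructed sample: the configuration the thread expects (Prevention, OWASP 3.2, no overrides).
EXPECTED_POLICY = json.loads("""
{
  "name": "waf-policy-example",
  "policySettings": {"state": "Enabled", "mode": "Prevention", "requestBodyCheck": true},
  "managedRules": {"managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2",
                                        "ruleGroupOverrides": []}],
                   "exclusions": []},
  "customRules": []
}
""")


def audit_waf_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means none of the checked settings explains
    an unblocked XSS payload."""
    findings = []
    settings = policy.get("policySettings", {})
    if settings.get("state") != "Enabled":
        findings.append("policy state is not Enabled: no rule is evaluated at all")
    if settings.get("mode") != "Prevention":
        findings.append(f"mode is {settings.get('mode')!r}: matches are only logged, not blocked")
    if not settings.get("requestBodyCheck", True):
        findings.append("requestBodyCheck is off: a payload sent in a POST body is never inspected")

    managed = policy.get("managedRules", {})
    owasp = [rs for rs in managed.get("managedRuleSets", []) if rs.get("ruleSetType") == "OWASP"]
    if not owasp:
        findings.append("no OWASP managed rule set is attached, so the CRS 941 rules are absent")
    for rule_set in owasp:
        for override in rule_set.get("ruleGroupOverrides", []):
            if override.get("ruleGroupName") != XSS_RULE_GROUP:
                continue
            disabled = [r["ruleId"] for r in override.get("rules", []) if r.get("state") == "Disabled"]
            if disabled:
                findings.append(f"XSS rules disabled in {XSS_RULE_GROUP}: {', '.join(disabled)}")

    # An exclusion removes the named field from managed-rule inspection entirely.
    for ex in managed.get("exclusions", []):
        findings.append(f"exclusion {ex.get('matchVariable')} {ex.get('selectorMatchOperator')} "
                        f"{ex.get('selector')!r}: that field is skipped by managed rules")

    # Custom rules run before managed rules; Allow stops evaluation for matching requests.
    for rule in policy.get("customRules", []):
        if rule.get("state", "Enabled") == "Enabled" and rule.get("action") == "Allow":
            findings.append(f"custom rule {rule.get('name')!r} (priority {rule.get('priority')}) "
                            "allows matching requests before any managed rule runs")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("expected", EXPECTED_POLICY)):
        result = audit_waf_policy(policy)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

To run it against a live policy, feed it the output of `az network application-gateway waf-policy show -g <resource-group> -n <policy-name> -o json`. Because the thread also raises per-site policies, check which policy is actually attached at each level: the gateway-level association is visible in `az network application-gateway show` under `firewallPolicy.id`, and listeners or path rules can carry their own policy that overrides it for the matching site.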
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-13T01:41:47.0333333+00:00 Hi @Avinash Davkhar,
Just checking in to see if you had a chance to see the above comment. Kindly let us know if the above helps or you need further assistance on this issue.
-
Avinash Davkhar 20 Reputation points
2024-09-13T08:28:49.1666667+00:00 Thanks for the help... but it's not working for me.
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-13T18:07:29.68+00:00 Hi @Avinash Davkhar,
Thanks for getting back. I understand that your issue is not resolved yet. But for further guidance, please provide the following details so that we can assist you better.
- Could you please specify the rule number that is expected to be triggered?
- Are you completely certain that your script is not compliant with OWASP rules?
Thanks,
Sai Prasanna Sinde.
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-16T01:47:28.6733333+00:00 Hi @Avinash Davkhar,
Greetings of the day!
I would like to follow up with the thread.
Could you please go through the last comment and provide us the required information to drive the thread further?
If you need any further assistance, please don't hesitate to reach out to us. We are happy to assist you.