Azure Web Application Firewall
An Azure service that provides protection for web apps.
302 questions
Request blocked by WAF on false positive
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 69%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHA%3C/text%3E%3C/svg%3E)
Hariharan Ayyappan
1
Reputation point
Hello Team,
I would like to bring it to your attention that there is a false positive on Content Delivery Network WAF policy due to default ruleset 942110.
A request has been blocked by considering as a sql injection, please find below the traces and details from diagnostics log.
category": "WebApplicationFirewallLogs", "operationName": "Microsoft.Cdn/CdnWebApplicationFirewallPolicies/Write", "properties": {"clientIP":"","clientPort":"","socketIP":"","requestUri":"https://host:443/rest/v1/getuser?username=abc%22cal","ruleName":"DefaultRuleSet-1.0-SQLI-942110","policy":"","action":"Block","host":"","trackingReference":"","policyMode":"prevention","details":{"matches":[{"matchVariableName":"QueryParamValue:search","matchVariableValue":"\"cal"}],"msg":"SQL Injection Attack: Common Injection Testing Detected","data":"Matched Data: abc\"cal found within QueryParamValue:username: abc\"cal"}}}
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee2022-10-29T00:27:35.273+00:00 @Hariharan Ayyappan ,
Welcome to the Microsoft Q&A forum.To fix this false positive block in Azure CDN WAF policy, you can do a few things to stop this from blocking your traffic:
- Create a Custom Rule based on HTTP parameters to allow the traffic in this particular case. Custom rules are always applied before rules in the Default Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the back-end. No other custom rules or the rules in the Default Rule Set are processed.
OR
- Disable the Default rule set, just in case if it is not possible to apply a custom rule above. In your case you will have to disable the default ruleset 942110 so that the false positive request is not blocked.
Hope this helps! Please let me know if you have any additional questions here. Thank you!
Sign in to comment