WAF exclusion rules alternatives

Aditya Parcha 0 Reputation points
2023-05-01T07:57:19.1+00:00

Hello, Can anyone help me with this.

We enabled WAF rules for my Azure app services and two rules are blocking the below request (920230 - Multiple URL Encoding Detected,

931130 - Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link)

https://qma-engageidentity.vmmcorp.com/Account/HomeRealm?ReturnUrl=/connect/authorize/callback?response_type=code&client_id=AdminId&redirect_uri=https://qma-admin.vmmcorp.com/&scope=openid

931130 - Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link - This could be because of having the Redirect uri from different domain.

920230 - Multiple URL Encoding Detected - This is because of having the double encoded string in the query parameter values.

I have added the exclusion rules and it is working fine as expected. I just want to to understand is this the only option to allow the request processing or is there any way to fix this show stopper issue.

Thanks in advance.

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
662 questions
Azure Web Application Firewall
Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
92 questions
{count} votes

1 answer

Sort by: Most helpful
  1. ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
    2023-05-01T13:26:42.4433333+00:00

    @Aditya Parcha

    Welcome to the Microsoft Q&A forum.

    Based on my understanding from your question above, you have Web Application Firewall set-up and you detected a false positive where your requests were blocked by rules 931130 and 920230. You created exclusion rules to mitigate the false-positive which worked and everything working as expected. Now you want to know if creating the exclusion list is the only way to mitigate the false positive or there are any other options.

    Using exclusion list is actually a recommended way to mitigate false positive in WAF. There are other options available to resolve false positive as mentioned here.

    When selecting an approach to allow legitimate requests through the WAF, try to make this as narrow as you can. For example, it's better to use an exclusion list than disabling a rule entirely.

    Another alternative here in resolving the false positive will be to modify your backend so that WAF will not block the request. I understand this will not be possible in every case.

    You can go through this best practices guide for any additional details.

    PS - The document links I have shared above are for Global WAF (WAF for FrontDoor) if you are using regional WAF (WAF for Application Gateway) you can go through these documents instead.

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21#tuning-of-managed-rule-sets

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/best-practices

    Hope this helps! Please le me know if you have any questions. Thank you!


    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.