Azure WAF in Frontdoor premium: how to Exclude [{"matchVariableName":"Method","matchVariableValue":"GET"}

Owin Gruters - iO 46 Reputation points
2023-06-12T09:20:41.8866667+00:00

Hi,

When creating exclusions in an AFD Premium WAF policy, you have the choice out of 5 different Matchvariables: RequestHeaderNames, RequestCookieNames, QueryStringArgNames, RequestBodyPostArgNames, RequestBodyJsonArgNames (see https://learn.microsoft.com/en-us/azure/templates/microsoft.network/frontdoorwebapplicationfirewallpolicies?pivots=deployment-language-bicep#managedruleexclusion).

Now I have a false positive coming from Azure B2C where the Matchvariablename is "Method" (see attached image). This false positive is coming from this AB2C login request: https://myurl:443/mytenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_SIGNUP_SIGNIN&client_id=bb34194f-33b0-4abc-aca7-9b5831bc9f76&response_type=code&redirect_uri=https://myurl/api/authentication/callback&response_mode=query&scope=openid&state=https://myurl/dashboard&code_challenge=iUTAXPsWZ1K9xofkpRACpjMD2hIe12aEIs7AuRFwaUU&code_challenge_method=S256&ui_locales=nl-NL

To which of the 5 possible Matchvariables does this match? I.e. how can I make an exclusion for this?

[attached image: WAF log entry with matchVariableName "Method" and matchVariableValue "GET"]


Accepted answer
    GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-06-23T17:23:47.88+00:00

    Hello @Owin Gruters - iO ,

    I understand that you are getting a false positive on your Azure Front Door Premium WAF from an Azure B2C login request where the matchVariableName is "Method" and matchVariableValue is "GET" and you would like to know how to create an Exclusion for this blocked request in your WAF policy.

    Looking at the screenshot, it doesn't seem to fit any matchVariableName attributes available in AFD WAF.

    The matchVariableName in your WAF log should come in the below format:

    [image: table of the matchVariableName formats that appear in AFD WAF log entries]

    If it doesn't, then it means you can't create an exclusion for that particular request and should consider either disabling the rule or creating a custom rule to allow that Azure B2C request.

    As mentioned in our document, if your WAF log entry shows a matchVariableName that isn't in the table above, you can't create an exclusion. For example, you can't currently create exclusions for cookie names, header names, POST parameter names, or query parameter names.

    So, I requested you to consider taking one of the following actions:

    • Disable the rules that give false positives.
    • Create a custom rule that explicitly allows those requests. The requests bypass all WAF inspection.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclude-other-request-attributes

    You wanted to know the difference between an unrecognized variable and one that falls in the group of RequestBodyJsonArgNames.

    I provided the below information:

    You can see what request bodies are in the below link:

    https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion#exclusions-for-json-request-bodies

    But the variable you have is actually a GET Method which doesn't include request body, so creating an exclusion with RequestBodyJsonArgNames will not work here.

    The Azure WAF Product Group confirmed that creating any kind of exclusion for Method is not the right approach since it will exclude every http request with any Method. The right approach is to create the custom rule for the correct Azure B2C URI.

    Hence, I advised you to either add a custom rule with RequestUri contains Method or QueryString contains Method, as the GET Method is present in your Azure AD B2C URL in its query string variable.

    But you decided to deactivate the whole rule as it was giving many other false positives.

    Regarding the WAF logging the Method as just matchvariablename without any recognized parameter:

    I discussed this issue with the Azure Front Door Product Group team, and they were able to reproduce this issue on their end. On further investigation, they found that it is a bug in AFD WAF, which will be fixed within the next few months (approx. ETA: before the end of September).

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
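The two options the accepted answer lists (disable the managed rule that fires, or add a custom rule that allows the B2C request) can both be expressed in the Bicep resource the question links to. The following is an added example, not code from the question, the answer or Microsoft; the policy name, resource group scoping, the `Microsoft_DefaultRuleSet` version `2.1`, and the `RULE_GROUP_FROM_WAF_LOG` / `RULE_ID_FROM_WAF_LOG` placeholders are assumptions (the thread never names the rule that produced the false positive). The custom rule is scoped to the `/mytenant.onmicrosoft.com/oauth2/v2.0/authorize` path from the question and to the GET method, because an `Allow` custom rule stops all further WAF inspection for the requests it matches, so it should match as little as possible.

```bicep
// Added example: AFD Premium WAF policy with the two mitigations discussed in the thread.
// Placeholders (assumed, not from the thread): RULE_GROUP_FROM_WAF_LOG, RULE_ID_FROM_WAF_LOG.
param wafPolicyName string = 'afdwafb2c'

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: wafPolicyName
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: 'Enabled'
    }
    customRules: {
      rules: [
        {
          // Option 2 from the answer: allow only the B2C authorize request.
          // Both match conditions must hold (conditions inside one rule are ANDed),
          // so ordinary GETs elsewhere on the site stay under full WAF inspection.
          name: 'AllowB2CAuthorizeGet'
          priority: 10
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Allow'
          matchConditions: [
            {
              matchVariable: 'RequestMethod'
              operator: 'Equal'
              matchValue: [
                'GET'
              ]
            }
            {
              matchVariable: 'RequestUri'
              operator: 'Contains'
              // Path taken from the B2C login URL quoted in the question.
              matchValue: [
                '/mytenant.onmicrosoft.com/oauth2/v2.0/authorize'
              ]
              transforms: [
                'Lowercase'
              ]
            }
          ]
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
          ruleGroupOverrides: [
            {
              // Option 1 from the answer: disable only the single managed rule that
              // produced the false positive (take group and rule ID from the WAF log entry).
              ruleGroupName: 'RULE_GROUP_FROM_WAF_LOG'
              rules: [
                {
                  ruleId: 'RULE_ID_FROM_WAF_LOG'
                  enabledState: 'Disabled'
                  action: 'Block'
                }
              ]
            }
          ]
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
  }
}
```

Deploy only one of the two mitigations in practice: if the custom rule already allows the B2C request, there is no need to also disable the managed rule, and keeping the managed rule enabled preserves its protection for every other path. Whichever you choose, check the WAF log afterwards to confirm that the `Method` / `GET` entry is gone and that no new rule is now matching the same request.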

