Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,213 questions
920160 - Content-Length HTTP header is not numeric triggered on WAF
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 20%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E_C%3C/text%3E%3C/svg%3E)
_Jaydeep Choudhari.AZ
0
Reputation points
Hello everyone,
I'm encountering an issue with my Azure-hosted application. It's hosted on Azure app service, and I have the OSWAP_3.2 WAF policy enabled on my application gateway.
Recently, I've started receiving a 403 Forbidden error when making an API POST request. I'm using Postman for this request, and I believe the "Content-Length" header is automatically added by Postman.
Here are the details of the error from the firewall logs:
{
"timeStamp": "2023-08-15T05:25:12+00:00",
"resourceId": "/SUBSCRIPTIONS/XXXXX-XXXX-XX-AA76-391CEB2CFDBA/RESOURCEGROUPS/OSS-XXX-USE2-XXXXXSVC-DEV-RG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/AZUSWAXXXXX",
"operationName": "ApplicationGatewayFirewall",
"category": "ApplicationGatewayFirewallLog",
"properties": {
"instanceId": "appgw_0",
"clientIp": "20.187.22.22",
"requestUri": "\/connect\/token",
"ruleSetType": "OWASP CRS",
"ruleSetVersion": "3.2",
"ruleId": "920160",
"ruleGroup": "REQUEST-920-PROTOCOL-ENFORCEMENT",
"message": "Content-Length HTTP header is not numeric.",
"action": "Matched",
"details": {
"message": "Pattern match ^\\d+$ at REQUEST_HEADERS:content-length.",
"data": "{ found within [REQUEST_HEADERS:]}",
"file": "REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line": "130"
},
"hostname": "dev.xyz.com",
"transactionId": "23e63bed8a6e218e2d286ca237216051",
"policyId": "154#_subscriptions_xxxxx-xxx-xxx-aa76-391ceb2cfdba_resourceGroups_OSS-XXX-USE2-XXXX-DEV-RG01_providers_Microsoft.Network_ApplicationGatewayWebApplicationFirewallPolicies_WAF-azuswa1xxxxxx",
"policyScope": "Global",
"policyScopeName": "Global",
"engine": "Azwaf"
}
}
I tried adding an exclusion to stop checking the "Content-Length" header, but that didn't work. Could this be a false positive?
Any advice or suggestions on how to troubleshoot and resolve this issue would be greatly appreciated.
Thank you in advance for your assistance!
Azure Application Gateway
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,930 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 27,471 Reputation points Microsoft Employee Moderator2023-08-16T03:23:29.67+00:00 Welcome to the Microsoft Q&A forum.
- Can you try performing the request using cURL post and see if you are observing the error?
Also, if you can share the screenshots of the exclusion rule set will be helpful. Thank you!
-
_Jaydeep Choudhari.AZ 0 Reputation points
2023-08-16T04:59:08.2266667+00:00 @ChaitanyaNaykodi-MSFT Thank you for your prompt reply.
I tried with the POST request using cURL. When I deactivate rule #920160, the API request goes through successfully. However, upon reactivating the rule, I encounter a 403 Forbidden error.
In terms of the exclusions, I have tested the following options. Please let me know if this information is useful or if you need any further details.
$exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion ` -MatchVariable "RequestHeaderNames" ` -SelectorMatchOperator 'Equals' ` -Selector 'Content-Length' ` -ExclusionManagedRuleSet $exclusionManagedRuleSet $exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion ` -MatchVariable "RequestHeaderValues" ` -SelectorMatchOperator 'Equals' ` -Selector 'Content-Length' ` -ExclusionManagedRuleSet $exclusionManagedRuleSet $exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion ` -MatchVariable "RequestHeaderNames" ` -SelectorMatchOperator 'Contains' ` -Selector 'Content-Length' ` -ExclusionManagedRuleSet $exclusionManagedRuleSet $exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion ` -MatchVariable "RequestHeaderValues" ` -SelectorMatchOperator 'Contains' ` -Selector 'Content-Length' ` -ExclusionManagedRuleSet $exclusionManagedRuleSet -
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
-
_Jaydeep Choudhari.AZ 0 Reputation points
2023-08-16T06:57:49.46+00:00 I attempted to provide a response to the question you asked, but for some reason, I am unable to see it after clicking on the "add comment" button.
@ChaitanyaNaykodi-MSFT I am not sure if you can see two comments I tried to post earlier but I tried with cURL post & received the same results.
-
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
-
ChaitanyaNaykodi-MSFT 27,471 Reputation points Microsoft Employee Moderator
2023-08-16T17:41:59.68+00:00 Thank you for getting back. Yes, I am able to see your comments with the exclusion rules. I have reported this issue internally to the forum team.
Thank you for providing the details. I will get back to you shortly.
-
ChaitanyaNaykodi-MSFT 27,471 Reputation points Microsoft Employee Moderator
2023-08-17T02:57:06.05+00:00 Based on your comment above. I did not observe any issue with the exclusion rule, as you tried with both
RequestHeaderNamesandRequestHeaderValuesand as disabling the 920160 rule allowed the traffic to flow.Regarding content-type as
application/x-www-form-urlencodedis supported by WAF and is documented here.I think we need deeper investigation to resolve this issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details.
Subject : Attn Chaitanya
Thread URL: Link to this thread.
Subscription ID
Please let me know once you have done the same.
-
ChaitanyaNaykodi-MSFT 27,471 Reputation points Microsoft Employee Moderator
2023-08-18T23:12:11.4833333+00:00 I have replied to your email just now.
Sign in to comment
Sign in to answer