Azure WAF OWASP 920470 false positive

VS 0 Reputation points
2023-09-07T07:00:46.59+00:00

Azure App Gateway WAF V2 detects the multipart content type as a threat with the following message:

Pattern match ^[\w\d/.-+]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['"\w\d.-]+)?$ at REQUEST_HEADERS:content-type.

Isn't "boundary" an expected parameter for multipart uploads?

Is there a way to overcome this limitation for this rule in WAF V2?

Azure Application Gateway
Azure Web Application Firewall

1 answer

  1. GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
    2023-09-07T15:11:29.5633333+00:00

    Hello @VS ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that your Azure App Gateway WAF V2 OWASP rule 920470 detects the multipart content type as a threat with the following message: "Pattern match ^[\w\d/.-+]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['"\w\d.-]+)?$ at REQUEST_HEADERS:content-type" and you would like to know if there is a way to overcome this limitation for this rule in WAF V2.

    To fix false positives, you could try one of the below:

    • Use an exclusion list.
    • Disable the rule.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#fixing-false-positives

    1. You could try to add a WAF exclusion list with the below config:

    [screenshot omitted]

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal

    2. Or disable the OWASP rule 920470.

    NOTE: Disabling the rule will allow you to parse any/all "Content-Type" values.

    To avoid the above scenario, and if you don't want to expose the whole application to allow customized Content-Types, you can create a new WAF policy, disable the rules and attach it only to a specific URI/path/route.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview

    Another workaround is to remove the global exclusion, disable the rule (920470) and create a custom rule to deny traffic for all "Content-Type" and allow only the ones you want as below:

    [screenshot omitted]

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
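The answer does not show which Content-Type values actually trip 920470, nor what the replacement "deny all, allow only the ones you want" custom rule would let through. The added script below (not from the question, the answer, or Microsoft) evaluates both against a few constructed header values. Two assumptions: the quoted pattern's character class is read as [\w\d/.+-] with the hyphen as a literal, because the form "[\w\d/.-+]" printed in the log is rejected by Python's re module as a bad range; and the allowlist regex is one illustrative choice for a custom rule using operator Regex with negation and action Block, not a value the page prescribes.

```python
import re

# Rule 920470 pattern as quoted in the question, with the leading class written as
# [\w\d/.+-] (hyphen last, so it is a literal).  ASSUMPTION: the page's "[\w\d/.-+]"
# is taken to mean the same thing; Python's re rejects the printed form outright.
CRS_920470 = re.compile(
    r"""^[\w\d/.+-]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['"\w\d.-]+)?$"""
)

# Allowlist a replacement custom rule could carry (Regex operator, negated, Block):
# only these media types, followed by any parameter string after the first ';'.
# ASSUMPTION: the set of types is chosen for this example, not taken from the page.
ALLOWED_CONTENT_TYPES = re.compile(
    r"^(?:multipart/form-data|application/json|application/x-www-form-urlencoded)(?:\s*;.*)?$",
    re.IGNORECASE,
)

# Constructed sample header values (not captured from any real system).
SAMPLES = {
    # Typical browser upload: boundary is only word characters and hyphens.
    "browser": "multipart/form-data; boundary=----WebKitFormBoundaryX7lQ2PmE9vNb3jRk",
    # MIME-library style boundary containing '=', which RFC 2046 permits.
    "mime_eq": 'multipart/form-data; boundary="---=_Part_0_123456.1694000000000"',
    # Two parameters: the quoted pattern allows at most one.
    "two_params": "multipart/form-data; boundary=abc123; charset=utf-8",
    "json": "application/json; charset=utf-8",
    "xml": "text/xml; charset=utf-8",
}


def passes_920470(content_type: str) -> bool:
    """True if the 920470 pattern accepts this Content-Type value (no detection)."""
    return CRS_920470.search(content_type) is not None


def passes_allowlist(content_type: str) -> bool:
    """True if the example custom-rule allowlist would let this value through."""
    return ALLOWED_CONTENT_TYPES.search(content_type) is not None


def evaluate(samples=SAMPLES):
    """Map each sample name to (accepted_by_920470, accepted_by_allowlist)."""
    return {name: (passes_920470(v), passes_allowlist(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (crs_ok, allow_ok) in evaluate().items():
        print(f"{name:10s} 920470={'pass' if crs_ok else 'BLOCK':5s} "
              f"allowlist={'pass' if allow_ok else 'BLOCK'}")
```

Running it shows the two cases the question is really about: a boundary containing '=' (legal per RFC 2046) and a header carrying both boundary and charset are rejected by 920470 even though they are well-formed, while the allowlist accepts them but still blocks a media type such as text/xml that the application never expects. Check your own tripped value the same way before deciding between an exclusion, disabling the rule, and a custom rule.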