Hello, I need to ignore a specific OWASP rule in my WAF V2. I have multiple requests with different request URIs, for example, https://www.example.com/abc/def/xy In add exclusion, waf consider just the "Request headers," "Cookie," and "Arg"

@SLIMANI Smail OBS/DD Thank you for reaching out. I understand that you want to disable a specific owasp 3.2 rule for a specific URI for the Application Gateway WAF_v2 SKU and I understand that exclusion rule can be only applied for Request headers," "Cookie," and "Arg". The recommended solution in such scenarios is to add a different WAF policy to that specific URI https://www.example.com/abc/def/xy and then disable the specific owasp 3.2 rule. This way rest of the URI's are evaluated for the specific owasp 3.2 rule. To achieve this you check this documentation here to enable a Per-URI policy. For even more customization down to the URI level, you can associate a WAF policy with a path-based rule. If there are certain pages within a single site that require different policies, you can make changes to the WAF policy that only affect a given URI. This might apply to a payment or sign-in page, or any other URIs that need an even more specific WAF policy than the other sites behind your WAF. As with per-site WAF policies, more specific policies override less specific ones. This means a per-URI policy on a URL path map overrides any per-site or global WAF policy above it. You can follow this documentation for implementing Per-URI policy . Hope this helps! Please let me know if you have any additional questions. Thank you! Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

how to disable specific owasp 3.2 rule for a specific URI in azure waf v2

Accepted answer

ChaitanyaNaykodi-MSFT 23,426 Reputation points Microsoft Employee

2023-11-17T17:52:18.4966667+00:00

@SLIMANI Smail OBS/DD

Thank you for reaching out. I understand that you want to disable a specific owasp 3.2 rule for a specific URI for the Application Gateway WAF_v2 SKU and I understand that exclusion rule can be only applied for Request headers," "Cookie," and "Arg".

The recommended solution in such scenarios is to add a different WAF policy to that specific URI https://www.example.com/abc/def/xy and then disable the specific owasp 3.2 rule. This way rest of the URI's are evaluated for the specific owasp 3.2 rule.

To achieve this you check this documentation here to enable a Per-URI policy.

For even more customization down to the URI level, you can associate a WAF policy with a path-based rule. If there are certain pages within a single site that require different policies, you can make changes to the WAF policy that only affect a given URI. This might apply to a payment or sign-in page, or any other URIs that need an even more specific WAF policy than the other sites behind your WAF. As with per-site WAF policies, more specific policies override less specific ones. This means a per-URI policy on a URL path map overrides any per-site or global WAF policy above it.

You can follow this documentation for implementing Per-URI policy.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
SLIMANI Smail OBS/DD 40 Reputation points

2023-11-20T20:13:39.21+00:00

Hello;

Do you mean that Custom rules are more prirority than Managed rules ?
In my case, All Rules for OWASP_3.2 are enabled and I need to allow some RequestUri like (/smail/page/2, /smail/poste?number=65&name=wp,....) without disabling rules for OWASP_3.2.

Regards,

ChaitanyaNaykodi-MSFT 23,426 Reputation points Microsoft Employee

2023-11-21T02:15:38.0733333+00:00

@SLIMANI Smail OBS/DD

Thank you for getting back and sharing additional details.

In case you want to allow specific RequestUri without disabling rules for OWASP_3.2 then please do not implement the solution I provided above. The solution I suggested above was for disabling a specific owasp 3.2 rule for a specific URI in azure waf v2 as I thought this was the requirement.

In this case to allow specific RequestUri without disabling OWASP_3.2 managed rules then yes, you can configure a Custom rule and set the condition for a RequestUri equals to /smail/page/2, /smail/poste.

Custom rules hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, rule priority, and an array of matching conditions. If these conditions are met, an action is taken (to allow, block, or log). If a custom rule is triggered, and an allow or block action is taken, no further custom or managed rules are evaluated.

In RequestUri examples you shared above. The value of RequestUri will be just the path /smail/page/2 and /smail/poste. The ?number=65&name=wp is the part of the query string is not included in RequestUri.

So as per the examples above you can set the custom rule in the following way.

Additional references:

https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020

https://learn.microsoft.com/en-us/answers/questions/687101/azure-waf-whitelist-requesturi

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

SLIMANI Smail OBS/DD 40 Reputation points

2023-11-21T08:23:48.9333333+00:00

Hello,

Thanks for your response.

I confirm that this solution is functional, however I wanted to further strengthen my security in custom rules for specific request, I test it with QueryString but is not work.

https://www.smailsite.com/smail/sm/sm.php --> it'is good with RequestUri
Other cases:

https://www.smailsite.com/smail/sm/sm.php?post=66&action=edit&name=ok

https://www.smailsite.com/sm/smail/admin.php?page=xxx

I want to add condition like RequestUri =/sm/smail/admin.php and (x1=post and x2=66 and x3=action and x4=edit and ...) ?
Which parameter corresponds x1, x2, x3, x4 .. and How I can respect the ordre for each one ?

Regards,

ChaitanyaNaykodi-MSFT 23,426 Reputation points Microsoft Employee

2023-11-22T04:38:56.12+00:00

@SLIMANI Smail OBS/DD

Thank you for getting back.

I understand you already tried using the QueryString parameter, but did you try using it with the operator Contains in the rule?
If you have already tried this. Based on your statement above

I want to add condition like RequestUri =/sm/smail/admin.php and (x1=post and x2=66 and x3=action and x4=edit and ...) ?

Is the requirement here to assign the key value pairs of the query string into variables like x1, x2, x4... and then apply conditions? If you can share a scenario that will help me understand the requirement more clearly. Thank you!

SLIMANI Smail OBS/DD 40 Reputation points

2023-11-22T09:50:20.2566667+00:00

Hello @ChaitanyaNaykodi-MSFT

After verfication the logs of the WAF, my requestUri equal "/smail/sm/sm.php?post=66&action=edit&name=ok" and not just "/smail/sm/sm.php".

It's work for me, thank you for your help.

Regards,
Sign in to comment

Share via

how to disable specific owasp 3.2 rule for a specific URI in azure waf v2

0 additional answers