Share via

Application Gateway WAF v2 and JSON property called base64

Jarno Leikas 20 Reputation points
2024-05-20T14:12:52.28+00:00

Hi,

I need to configure some exclusions for base64 encoded data passed in a JSON body through Azure Application Gateway.

Currently, the WAF is blocking my requests, and it outputs the following log entry:

  • ruleId_s: 941130
  • details_message_s: Pattern match (?i)[\s\S]((?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|formaction|\@import|base64)\b|pattern\b.*?=) at ARGS_NAMES.
  • details_data_s:{.base64 found within [ARGS_NAMES:attachments.base64]}

Should I interpret this as follows: "It is not allowed to have a property name "base64" anywhere in a request body"?

The only way I've been able to work around this issue is to disable this rule (or change behavior to just logging), but of course that removes all the other checks as well -- and the setting is needlessly broad.

What I would like to achieve is to

  1. Allow a property called base64 - ideally just for a specific url path in the application. It would be optimal if I wouldn't have to disable the whole rule 941130 for the application.
  2. (I also need to add some exclusions to the property values as well, but that I can achieve by adding required exclusions based on the RequestArgNames)

Is this possible?

Thank you for your help.

P.S., I guess it would be better to send the base64 encoded attachment data as actual attachments instead of sending them as a part of the JSON request, but I do not have control over that implementation.

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
988 questions
0 comments
Accepted answer
  1. ChaitanyaNaykodi-MSFT 23,991 Reputation points Microsoft Employee
    2024-05-20T15:40:12.92+00:00

    @Jarno Leikas

    Thank you for reaching out.

    Based on your response above

    I guess I can add a separate exclusion for rule 941130 by matching variables as "RequestArgNames starts with attachments".

    Yes your guess is correct here, I think adding an exclusion rule in this manner should help.

    User's image

    The request was blocked as the Arg Name contained base64 string and the exclusion rule above should help in by passing this block. This the OWASP implementation for this rule.

    Adding an exclusion is definitely better than disabling the rule.

    Based on your statement above

    The only way I've been able to work around this issue is to disable this rule (or change behavior to just logging), but of course that removes all the other checks as well -- and the setting is needlessly broad.

    I understand that disabling the rule has a broader effect and to prevent that you can use Per-URI policy in cases where applying an exclusion is not possible and you need to disable the rule. This way the rule is disabled for that particular path only.

    Hope this helps. Please let me know if you have any questions. Thank you!

    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jarno Leikas 20 Reputation points
    2024-05-20T14:21:39.07+00:00

    Well, answering to myself - because the full property name is attachments.base64, I guess I can add a separate exclusion for rule 941130 by matching variables as "RequestArgNames starts with attachments".

    0 comments