List of characters or strings blocked in Azure frontdoor WAF policies

Question

List of characters or strings blocked in Azure frontdoor WAF policies

Ritika Laddha 170

Hi,

I am need of document link, where I can find what special characters are blocked under which Frontdoor WAF policy.

I am at premium tier of Azure Frontdoor and WAF policies.

Ritika Laddha 170 Reputation points

2025-03-26T14:15:29.6733333+00:00

Hello @Ganesh Patapati
Actually we wanted to list the special characters or strings blocked in our documentation

I understand we can add exclusions, but we do not want to exclude things which are blocked. That's why we wanted to add the special characters or strings not allowed, to be listed upfront.
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator

2025-03-26T14:41:21.0033333+00:00

@Ritika Laddha
Thanks for the reply!Firstly, you need to enable the diagnostic logging for your WAF policy to identify specific characters or strings that are being blocked. Logs provide insights into which rules are triggered and why. helping you identify blocked characters or patterns.

Please follow this GitHub document that will help you to identify the false positives.

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/web-application-firewall/afds/waf-front-door-tuning.md#understand-waf-logs

Also, please let us know which documentation you are referring.

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Ritika Laddha 170 Reputation points

2025-03-27T10:50:36.3033333+00:00

@Ganesh Patapati
I understand we can find the blocked character in log analytics and then we can add the exclusion.

But is there any documentation where I can find this list of special characters and strings blocked beforehand?
Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator

2025-03-28T12:07:05.77+00:00

Hello Ritika Laddha

Azure Web Application Firewall (WAF) policies use predefined rule sets, such as the OWASP Core Rule Set (CRS), to block potentially harmful characters and strings. While there isn't a specific list of blocked characters and strings, the rules target patterns commonly associated with attacks like SQL injection, cross-site scripting (XSS), and command injection.

By default, you will not receive detailed information on values or headers in the document. You need to check the WAF logs to identify which rule ID is triggering. In the detailed information, you will find the header values, request body and argument values.

Using this information, you need to create an exclusion, log option, or disable the rule based on your requirement.

Accepted answer

0 additional answers

Your answer

Ritika Laddha 170 Reputation points

2025-03-26T14:15:29.6733333+00:00

Hello @Ganesh Patapati
Actually we wanted to list the special characters or strings blocked in our documentation

I understand we can add exclusions, but we do not want to exclude things which are blocked. That's why we wanted to add the special characters or strings not allowed, to be listed upfront.
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator

2025-03-26T14:41:21.0033333+00:00

@Ritika Laddha
Thanks for the reply!Firstly, you need to enable the diagnostic logging for your WAF policy to identify specific characters or strings that are being blocked. Logs provide insights into which rules are triggered and why. helping you identify blocked characters or patterns.

Please follow this GitHub document that will help you to identify the false positives.

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/web-application-firewall/afds/waf-front-door-tuning.md#understand-waf-logs

Also, please let us know which documentation you are referring.

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Ritika Laddha 170 Reputation points

2025-03-27T10:50:36.3033333+00:00

@Ganesh Patapati
I understand we can find the blocked character in log analytics and then we can add the exclusion.

But is there any documentation where I can find this list of special characters and strings blocked beforehand?
Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator

2025-03-28T12:07:05.77+00:00

Hello Ritika Laddha

Azure Web Application Firewall (WAF) policies use predefined rule sets, such as the OWASP Core Rule Set (CRS), to block potentially harmful characters and strings. While there isn't a specific list of blocked characters and strings, the rules target patterns commonly associated with attacks like SQL injection, cross-site scripting (XSS), and command injection.

By default, you will not receive detailed information on values or headers in the document. You need to check the WAF logs to identify which rule ID is triggering. In the detailed information, you will find the header values, request body and argument values.

Using this information, you need to create an exclusion, log option, or disable the rule based on your requirement.

Answer 1

Hello Ritika Laddha

To identify the special characters and strings blocked by Azure Front Door WAF policies you can check the below things.

Azure Front Door WAF uses managed rule sets, such as the OWASP Core Rule Set (CRS). These rules are designed to detect and block common attack patterns, including SQL injection, cross-site scripting (XSS), and more. You can find details about these rules in the Azure documentation.
You can also enable diagnostic logging for your WAF policy, and these logs will help in showing which rules were triggered and why, helping you identify blocked characters or patterns.

Refer this GitHub article: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/web-application-firewall/afds/waf-front-door-tuning.md#understand-waf-logs

If certain characters or strings are being blocked incorrectly, you can create custom rules or use exclusion lists to allow specific requests. Learn more about configuring exclusions here. Web application firewall exclusion lists in Azure Front Door | Microsoft Learn

NOTE: Azure Web Application Firewall (WAF) policies use predefined rule sets, such as the OWASP Core Rule Set (CRS), to block potentially malicious characters and strings. While there isn't a single predefined list of blocked characters and strings, the rules target patterns commonly associated with attacks like SQL injection, cross-site scripting (XSS), and command injection.

Please do consider to “up-vote” and "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

Share via

List of characters or strings blocked in Azure frontdoor WAF policies

0 additional answers

Your answer