Best practices to reduce false positives for ASP.Net WebForms application in Application Gateway WAF

vijay rakshith 6 Reputation points
2021-08-02T17:43:46.873+00:00

We have an ASP.Net Webforms (legacy) application. This is a public facing website which has Azure Application Gateway configured along with WAF V2. The default rule set is set to OWASP 3.0. As a result of this WAF configuration, each web request is getting evaluated against the OWASP 3.0 ruleset and this is slowing down the performance of the application. This happens only when there is a partial update or post back happening on the ASP.Net web page. We disabled the WAF and the application performance is good. Diagnostics was turned on and we can clearly see in Azure Log Analytics potential-threat flags for SQL injection, CSS, sequence identification etc. being raised. The majority of them are false positives.
Question:
a) Have you come across this situation earlier?
b) Are there any rules from OWASP 3.0 that can be turned off?
c) Do you have the best practices to configure WAF for ASP.NET Webforms?

Azure Application Gateway

1 answer

  1. GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2021-08-06T11:56:18.273+00:00

    Hello @vijay rakshith ,

    Apologies for the delay in response.

    Please find the answers to your queries below:

    a) The OWASP rulesets are designed to be very strict out of the box, and to be tuned to suit the specific needs of the application or organization using WAF. It is entirely normal, and actually expected in many cases that you may encounter false positives.

    b) The purpose of WAF logs is to show every request that is matched or blocked by the WAF. If you notice that the WAF blocks a request that it shouldn't (a false positive), you can do a few things. First, narrow down, and find the specific request. When you find the associated log entries, you can begin to act on the false positives. You can do either of the following:

    1. Use an exclusion list: One benefit of using an exclusion list is that only a specific part of a request is being disabled.
    2. Disable the rule: Another way to get around a false positive is to disable the rule that matched on the input the WAF thought was malicious.

    Reference : https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot

    c) We do not have a specific best practice recommendation to configure WAF for ASP.NET Webforms. You need to familiarize yourself with the technologies your application uses and make an informed decision about handling a false positive.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" below if the information helped you. This will help us and others in the community as well.
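The triage the answer describes, carried out in code as an added example (this is not code from the post, from the question author or from Microsoft): it reads ApplicationGatewayFirewallLog entries, aggregates the matches by rule and by the request field the rule fired on, flags the WebForms framework fields (__VIEWSTATE, __EVENTVALIDATION and the other `__`-prefixed postback fields) that trip CRS rules repeatedly as exclusion candidates, and renders both fixes the answer lists as Azure CLI commands. The log entries are constructed, the resource group and policy names are placeholders, and the `WEBFORMS_FIELDS` list and the `min_hits` threshold are this example's own assumptions.

```python
"""Triage Azure Application Gateway WAF (OWASP CRS 3.0) log entries from an
ASP.NET WebForms site and render the two fixes: a narrow exclusion for one
request field, or disabling the rule outright.

Added example, not code from the original post or from Microsoft. The entry
layout follows the ApplicationGatewayFirewallLog diagnostic category; the
sample entries are constructed and the Azure names are placeholders.
"""
import json
import re
from collections import defaultdict

# details.data reads "Matched Data: <snippet> found within <COLLECTION>:<name>: <value>".
LOCATION_RE = re.compile(
    r"found within (ARGS_NAMES|ARGS|REQUEST_COOKIES_NAMES|REQUEST_COOKIES|"
    r"REQUEST_HEADERS_NAMES|REQUEST_HEADERS):([^:\s]+)")

# ModSecurity collection -> Application Gateway exclusion match variable.
MATCH_VARIABLE = {
    "ARGS": "RequestArgNames", "ARGS_NAMES": "RequestArgNames",
    "REQUEST_COOKIES": "RequestCookieNames", "REQUEST_COOKIES_NAMES": "RequestCookieNames",
    "REQUEST_HEADERS": "RequestHeaderNames", "REQUEST_HEADERS_NAMES": "RequestHeaderNames",
}

# WebForms framework fields (assumption: opaque, framework-generated values that
# every PostBack and UpdatePanel partial update posts; not user-editable text).
WEBFORMS_FIELDS = {"__VIEWSTATE", "__VIEWSTATEGENERATOR", "__EVENTVALIDATION",
                   "__EVENTTARGET", "__EVENTARGUMENT", "__ASYNCPOST"}


def _entry(uri, rule_id, msg, data, conf):
    """Build one constructed ApplicationGatewayFirewallLog line (JSON)."""
    return json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
        "requestUri": uri, "ruleSetType": "OWASP_CRS", "ruleSetVersion": "3.0",
        "ruleId": rule_id, "message": msg, "action": "Matched",
        "details": {"data": data, "file": f"rules/{conf}.conf"}}})


SQLI = "REQUEST-942-APPLICATION-ATTACK-SQLI"
XSS = "REQUEST-941-APPLICATION-ATTACK-XSS"
SAMPLE_LOG_LINES = [  # constructed, not captured from a real gateway
    _entry("/Orders.aspx", "942440", "SQL Comment Sequence Detected.",
           "Matched Data: /* found within ARGS:__VIEWSTATE: dDwtMTQ5/*Mz==", SQLI),
    _entry("/Orders.aspx", "942440", "SQL Comment Sequence Detected.",
           "Matched Data: -- found within ARGS:__VIEWSTATE: dDwtMTQ5--Mz==", SQLI),
    _entry("/Customers.aspx", "942440", "SQL Comment Sequence Detected.",
           "Matched Data: /* found within ARGS:__VIEWSTATE: ZGRk/*xQ==", SQLI),
    _entry("/Orders.aspx", "942130", "SQL Injection Attack: SQL Tautology Detected.",
           "Matched Data: 1=1 found within ARGS:__EVENTVALIDATION: /wEdAAG1=1", SQLI),
    _entry("/Customers.aspx", "942130", "SQL Injection Attack: SQL Tautology Detected.",
           "Matched Data: 2=2 found within ARGS:__EVENTVALIDATION: /wEdAAG2=2", SQLI),
    _entry("/Customers.aspx", "941100", "XSS Attack Detected via libinjection",
           "Matched Data: XSS data found within ARGS:txtSearch: <script>alert(1)</script>", XSS),
    # The anomaly-score summary row names no field, so the triage skips it.
    _entry("/Customers.aspx", "949110", "Inbound Anomaly Score Exceeded (Total Score: 5)",
           "", "REQUEST-949-BLOCKING-EVALUATION"),
]


def parse_entries(lines):
    """Yield (rule_id, rule_group, match_variable, selector) for each WAF match."""
    for line in lines:
        entry = json.loads(line)
        if entry.get("category") != "ApplicationGatewayFirewallLog":
            continue
        p = entry["properties"]
        m = LOCATION_RE.search(p.get("details", {}).get("data", ""))
        if not m:
            continue
        group = p["details"].get("file", "").split("/")[-1].rsplit(".conf", 1)[0]
        yield p["ruleId"], group, MATCH_VARIABLE[m.group(1)], m.group(2)


def summarize(lines):
    """Hits per (rule_id, match_variable, selector), plus a rule_id -> rule group map."""
    counts, groups = defaultdict(int), {}
    for rule_id, group, variable, selector in parse_entries(lines):
        counts[(rule_id, variable, selector)] += 1
        groups[rule_id] = group
    return dict(counts), groups


def recommend(lines, min_hits=2):
    """'exclusion' for a WebForms field hit at least min_hits times; every other
    field is 'investigate', since a hit on user-controlled input may be real."""
    counts, _ = summarize(lines)
    per_selector = defaultdict(int)
    for (_rule, variable, selector), n in counts.items():
        per_selector[(variable, selector)] += n
    recs = []
    for (variable, selector), n in sorted(per_selector.items()):
        kind = "exclusion" if selector in WEBFORMS_FIELDS and n >= min_hits else "investigate"
        recs.append({"kind": kind, "match_variable": variable, "selector": selector, "hits": n})
    return recs


def exclusion_command(rg, policy, rec):
    """Narrow fix: stop inspecting one named argument/cookie/header (applies to all rules)."""
    return (f"az network application-gateway waf-policy managed-rule exclusion add "
            f"--resource-group {rg} --policy-name {policy} "
            f"--match-variable {rec['match_variable']} "
            f"--selector-match-operator Equals --selector {rec['selector']}")


def disable_rule_command(rg, policy, group, rule_id):
    """Broad fix: switch one CRS 3.0 rule off for every request the policy sees."""
    return (f"az network application-gateway waf-policy managed-rule rule-set add "
            f"--resource-group {rg} --policy-name {policy} --type OWASP --version 3.0 "
            f"--group-name {group} --rules {rule_id}")


if __name__ == "__main__":
    counts, groups = summarize(SAMPLE_LOG_LINES)
    for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  rule {key[0]} ({groups[key[0]]})  {key[1]}={key[2]}")
    for rec in recommend(SAMPLE_LOG_LINES):  # placeholder Azure names below
        if rec["kind"] == "exclusion":
            print(exclusion_command("rg-web", "wafpolicy-webforms", rec))
        else:
            print(f"# investigate {rec['match_variable']}={rec['selector']} "
                  f"({rec['hits']} hit(s)) before touching rule(s)")
```

An exclusion on RequestArgNames removes that field from inspection by every rule, which is acceptable for the opaque WebForms fields (the application, not the WAF, should be validating them via the ViewState MAC) but not for user-editable text boxes such as `txtSearch` above, where the script deliberately stops at "investigate". Disabling a rule with `disable_rule_command` removes it for every request to the policy, so treat it as the fallback once the exclusions have been applied and the remaining hits are confirmed benign.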

