Configuring exclusions on Application Gateway WAF

Ashish Gupta 1 Reputation point
2022-03-07T18:21:46.043+00:00

Hello,

At present we are using an Application Gateway WAFv2 (in monitor mode) for web applications hosted on the backend VMs.
We want to move the WAF to prevention mode, but based on the logs collected we think many legitimate requests will be blocked; a couple of examples from the raw logs are below.

Example 1:

Message: SQL Comment Sequence Detected.
Details: Matched Data: --Oah7wZ- found within REQUEST_COOKIES:CSRF-TOKEN: TG_scALEOMe2ABNLDOtDPYwdAEO1KKZ69iB6UgTXMHuswD2_YTyz_qnsE0Arh5izNq4_FzVEG2l2gNKos1rbDJcxH--Oah7wZ-dUFpE3bZo1

From what I have understood, the above request got "detected" because of "--" in the "REQUEST_COOKIES:CSRF-TOKEN:" section. I wanted to understand what an exclusion here would look like. I hope the exclusion would work such that the WAF would not evaluate any string like "--" detected in the "REQUEST_COOKIES:CSRF-TOKEN:" section of the incoming request.

Example 2:

Message: HTTP Header Injection Attack via payload (CR/LF detected)
Details: Matched Data: \x0d found within ARGS_GET:code: null\xbf'\xbf''\x22'\x22\x5c\x5c\x5c\x0d\x0a##

In this case the above request got "detected" because of "\x0d" in the "code" section. How should I configure the exclusion such that whenever \x0d is detected in the "code" part of the request, it does not get evaluated by the WAF?

I can help add more information if required.

Thanks,
Ashish.

Azure Web Application Firewall

1 answer

  1. ChaitanyaNaykodi-MSFT 23,816 Reputation points Microsoft Employee
    2022-03-10T23:53:48.017+00:00

    Hello @Ashish Gupta, Web Application Firewall utilizes Open Web Application Security Project (OWASP) rules to grant protection against many common attack categories, including SQL Injection, Cross Site Scripting, Local File Inclusion, etc. This is an open-source project.
    The methodology here is:

    1. Identify the rule which is blocking this issue: You can identify this via the OWASP GitHub repo, where details.file represents the file and details.line represents the rule section which was triggered. For example 1 above this rule was triggered. You can also have a look at the severity of this rule.
    2. Check if it is possible to modify the application so that this rule is not hit.
    3. If it is not possible to modify the application, check if you can disable the rule which was hit based on your application behavior and set-up or it is possible to add an exclusion rule.
    4. If adding an exclusion rule is not possible, check if you can add a custom rule instead. Just be aware that a custom rule has higher priority than the managed rules above and is evaluated first.

    If you are trying to add an exclusion list as mentioned in the documentation you referred to above, the following attributes can only be added to exclusion lists by name. The values of the chosen field aren't evaluated against WAF rules.

    • Request Headers
    • Request Cookies
    • Request attribute name (args)

    As per my understanding, in example 1 above you can add the request cookie "CSRF-TOKEN" to the exclusion list so that its value is not evaluated by the WAF. It is recommended to test the exclusion list in detection mode to validate that the requests are not blocked.
    Hope this helps! Please let me know if you have any additional questions. I will be glad to continue with our discussion. Thank you!
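
As an added illustration (not code from the question, the answer or Microsoft), the Python script below turns the two "Details" lines quoted in the question into the name-based exclusion entries the answer describes, and checks which findings a given exclusion list would suppress. The `matchVariable` / `selectorMatchOperator` / `selector` field names follow the WAF policy `managedRules.exclusions` schema; the regex for the "Details" line, the mapping from CRS collections (`REQUEST_COOKIES`, `ARGS_GET`, ...) to those match variables, and the sample lines are constructed here and are assumptions.

```python
"""Map Azure Application Gateway WAF log findings to name-based exclusions.

Added example, not code from the question or from Microsoft. The field names
matchVariable / selectorMatchOperator / selector follow the WAF policy
managedRules.exclusions schema; the Details-line regex, the collection
mapping and the sample lines are constructed for this example.
"""
import json
import re

# Constructed samples in the shape of the two "Details:" lines from the question.
SAMPLE_DETAILS = [
    "Matched Data: --Oah7wZ- found within REQUEST_COOKIES:CSRF-TOKEN: "
    "TG_scALEOMe2ABNLDOtDPYwdAEO1KKZ69iB6UgTXMHuswD2_YTyz_qnsE0Arh5izNq4_FzVEG2l2gNKos1rbDJcxH--Oah7wZ-dUFpE3bZo1",
    r"Matched Data: \x0d found within ARGS_GET:code: null\xbf'\xbf''\x22'\x22\x5c\x5c\x5c\x0d\x0a##",
]

# CRS variable collection -> exclusion matchVariable (assumed mapping). The answer
# says only header names, cookie names and argument names can be excluded by name.
COLLECTION_TO_MATCH_VARIABLE = {
    "REQUEST_HEADERS": "RequestHeaderNames",
    "REQUEST_COOKIES": "RequestCookieNames",
    "ARGS": "RequestArgNames",
    "ARGS_GET": "RequestArgNames",
    "ARGS_POST": "RequestArgNames",
}

# "Matched Data: <matched> found within <COLLECTION>:<name>: <value>"
DETAILS_RE = re.compile(
    r"Matched Data: (?P<matched>.+?) found within "
    r"(?P<collection>[A-Z_]+):(?P<name>[^:]+): ?(?P<value>.*)$"
)


def parse_details(line):
    """Split a WAF 'Details' line into matched data, collection, field name and value."""
    m = DETAILS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised Details line: {line!r}")
    return m.groupdict()


def exclusion_for(finding, operator="Equals"):
    """Build the narrowest name-based exclusion entry that covers one finding."""
    match_variable = COLLECTION_TO_MATCH_VARIABLE.get(finding["collection"])
    if match_variable is None:
        # e.g. REQUEST_URI or REQUEST_BODY: no name-based exclusion exists, so the
        # answer's next options are disabling the rule or writing a custom rule.
        raise ValueError(f"no name-based exclusion for {finding['collection']}")
    return {
        "matchVariable": match_variable,
        "selectorMatchOperator": operator,
        "selector": finding["name"],
    }


def selector_matches(operator, selector, name):
    """Evaluate one selectorMatchOperator (plain string comparison, a simplification)."""
    if operator == "Equals":
        return name == selector
    if operator == "StartsWith":
        return name.startswith(selector)
    if operator == "EndsWith":
        return name.endswith(selector)
    if operator == "Contains":
        return selector in name
    if operator == "EqualsAny":
        return True
    raise ValueError(f"unknown operator {operator}")


def is_excluded(finding, exclusions):
    """True if any exclusion entry removes this finding's field from rule evaluation.

    Note the granularity: a match removes the whole field value from every managed
    rule, not only the rule that fired, so keep selectors as narrow as the
    application allows and re-test in detection mode before switching to prevention.
    """
    match_variable = COLLECTION_TO_MATCH_VARIABLE.get(finding["collection"])
    return any(
        e["matchVariable"] == match_variable
        and selector_matches(e["selectorMatchOperator"], e["selector"], finding["name"])
        for e in exclusions
    )


def build_exclusions(lines):
    """Parse several Details lines and return a de-duplicated exclusion list."""
    seen, out = set(), []
    for line in lines:
        entry = exclusion_for(parse_details(line))
        key = tuple(sorted(entry.items()))
        if key not in seen:
            seen.add(key)
            out.append(entry)
    return out


if __name__ == "__main__":
    # Emits a managedRules.exclusions fragment for the two sample findings.
    print(json.dumps({"exclusions": build_exclusions(SAMPLE_DETAILS)}, indent=2))
```

Running the script prints two entries: `RequestCookieNames` / `Equals` / `CSRF-TOKEN` for example 1 and `RequestArgNames` / `Equals` / `code` for example 2, which are the same three values the portal's exclusion form and the `az network application-gateway waf-policy managed-rule exclusion add` command take (`--match-variable`, `--selector-match-operator`, `--selector`). Feeding a larger set of monitor-mode log lines through `build_exclusions` and then replaying the findings through `is_excluded` shows which detections the list would silence, including ones you may not have intended, before prevention mode is turned on.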