Hi everyone, We are experiencing some problems in adding exclusions to rule 931130 RFI Attack: Off-Domain Reference The logs say something like this: details_message_s : Pattern match ^(?i:file|ftps?|https?)://(. )$; Begin With RequestHeaders:host at TX:rfi_parameter_. . details_data_s : Matched Data: https://contoso.sharepoint.com/ *

Hello @Marco Lodini , I understand that you were experiencing some problems in adding exclusions to rule 931130 RFI Attack: Off-Domain Reference in Application Gateway v2 WAF. The WAF log is as below : details_message_s: Pattern match ^(?i:file|ftps?|https?)://(.)$; Begin With RequestHeaders:host at TX:rfi_parameter_.. details_data_s: Matched Data: https://contoso.sharepoint.com/ <sharepoint site and folder path> found within TX:rfi_parameter_args:sharepointfolderurl: contoso.sharepoint.com/<sharepoint site and folder path> We discussed this issue offline and collected HAR file to analyze the issue further. We tried a couple of exclusions but they didn't work. So, we created a support case and apparently, it was a propagation delay. You ran tests too soon, before the system could update its configuration and hence the exclusions were not showing up. The issue was resolved by excluding the parameter name in the Request Args as below: Request args name contains sharepointfolderurl Kindly let us know if the above helps or you need further assistance on this issue. ---------------------------------------------------------------------------------------------------------------- Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

Application Gateway v2 WAF - RFI exclusions not working

Accepted answer

GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee

2022-08-04T18:05:02.427+00:00

Hello @Marco Lodini ,

I understand that you were experiencing some problems in adding exclusions to rule 931130 RFI Attack: Off-Domain Reference in Application Gateway v2 WAF. The WAF log is as below :
details_message_s: Pattern match ^(?i:file|ftps?|https?)://(.)$; Begin With RequestHeaders:host at TX:rfi_parameter_..
details_data_s: Matched Data: https://contoso.sharepoint.com/<sharepoint site and folder path> found within TX:rfi_parameter_args:sharepointfolderurl: contoso.sharepoint.com/<sharepoint site and folder path>

We discussed this issue offline and collected HAR file to analyze the issue further. We tried a couple of exclusions but they didn't work. So, we created a support case and apparently, it was a propagation delay. You ran tests too soon, before the system could update its configuration and hence the exclusions were not showing up.

The issue was resolved by excluding the parameter name in the Request Args as below:
Request args name contains sharepointfolderurl

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

1 person found this answer helpful.
Aravindhan 6 Reputation points

2022-09-01T09:33:43.84+00:00

@GitaraniSharma-MSFT Do you know how long should we wait before the retesting?

Ramakrishnan Venkataraman 46 Reputation points

2022-11-09T13:51:54.447+00:00

@GitaraniSharma-MSFT Hi Gitarani, we have exact issue. We are running WAF v2 tier. We have SAP application (SaaS) based I would presume changing the code at source side is not feasible. Can you please advise. For this same url we had hit by one more rule 920320 user agent is missing, having said that source is SaaS based so adjusting the code is quite not feasible. Is that advisable to disable the rules. We have polices only for those listeners, so would not impact other services.

Aravindhan 6 Reputation points

2022-11-09T14:41:20.237+00:00

Hi @Ramakrishnan Venkataraman In my case , I used other option available like Request query. you can get hold of it by checking the application access logs.

Ariel Gonzalez 96 Reputation points

2022-12-22T01:56:00.563+00:00

Hi @GitaraniSharma-MSFT ,

I've tried configuring WAF exclusions before and sometimes I feel like any "value" or "key" options don't work properly, only the ones that say "name" are able to pick up the value correctly, in this case it's "sharepointfolderurl"

It's my understanding that for example in a query string this could be something like /function?url=https://www.contoso.com/ where "url" should be the "key" and "https://www.contoso.com/" should be the "value" but they don't work. Could you please confirm if I'm misunderstanding these concepts or if there is something wrong with WAF?

Something interesting that I've noticed is that "value" is able to exclude what in a normal scenario would be considered a "key", in my previous example it would be "url". This is very confusing, and I hope you can provide some feedback on this.

I would also like to know what's the difference between the options that have "name" and the ones that have "key", my logic tells me they are the same.

Marco Lodini 46 Reputation points

2022-12-25T21:17:09.027+00:00

Hi @Aravindhan , in our case it took around 10 or more minutes to apply correctly, but usually is quite fast and you can notice the differences in the next seconds/minutes.

Guillermo Bandres Magallon 1 Reputation point

2023-05-11T06:42:09.55+00:00

Hi, we are experimenting the same issue, and I'm created the exception as you said, but it didn't work. It happened to me with different values, this is one of them:

Matched Data: https://domain.com/global/en/news found within TX:rfi_parameter_args:feeds.feed.name: domain/global/en/news

Is there any other solution for that? Thank you!
Sign in to comment

Share via

Application Gateway v2 WAF - RFI exclusions not working

0 additional answers