XSS Filter - Category 3: Attribute Vector
This error is coming in Azure WAF logs, so is it a false promise or a correct promise, and how to identify it? How to resolve this issue, any idea?
How to fix Failed to parse request body, Multipart request body failed strict validation
This error is coming in Azure WAF logs, so is it a false promise or a correct promise, and how to identify it? How to resolve this issue, any idea?
Request Header Cookies Exclusion Causes 403
We need to exclude request cookies from evaluation for a number of OWASP rules as cookies often randomly generate threats that are false positives for legitimate users. There is no clear documentation on how to exclude REQUEST_COOKIES, so we tried adding…
Confused by Azure WAF behavior with different browsers
Hello, I have an Azure Application Gateway (WAF) with prevention mode enabled, and the OWASP 3 and the Microsoft Bot rules are activated. I checked my web application with Chrome, refreshed, and sent many requests with Chrome. Now I received 403…
False positives elimination in Azure WAF
Hello, we have adopted Azure WAF in our environment. As of now, WAF is in detection mode and we want to move it to prevention mode, but before doing so we want to identify which detections are legitimate and which are not. We have Sentinel workbooks to…
WAF drop silently instead of returning 403
Hi, is it possible, when using WAF, silently drop requests, coming from forbidden clients, instead of returning 403? We are using custom rules, where allowed IP addresses are described. So all requests from remote location, which aren't in allowed list,…
How to make an exception for the "920440 - URL file extension is restricted by policy" rule in some use cases without decreasing security or risk?
Sometimes the app and client need to download some DLL files, and the WAF blocked the request based on the "920440 - URL file extension is restricted by policy" rule. Shown in the below sample log: requestUri_s:…
Why does WAF block WebResource.axd / ScriptResource.axd?
In rule Microsoft_DefaultRuleSet-2.1-PROTOCOL-ENFORCEMENT-920440, among other things, it blocks WebResource.axd and ScriptResource.axd. The blocks are probably due to CVE-2010-3332, which has long since been patched. Why does WAF still have this as a…
How to resolve 403 errors for a service after changing WAF policy to protection mode?
We created a WAF policy with DETECTION mode on an application gateway but had to change it to PROTECTION mode as per security rules. Since then, there are 403 errors for one service. How can we resolve this issue?…
WAF v2 - Exclusion lists
Hi, I configured an Application Gateway with Web Application Firewall in Azure. I am receiving several false positive blocks for the application that communicates with the gateway. I checked the Microsoft tutorial on the exclusion list, but I'm not sure…
Azure WAF success stories
Where can I find a report looking back two years on Azure WAF success stories?
Azure WAF Exclusion Issue
Hi I'm trying to whitelist a request on the WAF. I have gone through the Microsoft URL and I know how to manage exclusions yet the exclusion keeps failing. Below is the request I need to add Below is my exclusion policy
How to associate WAF to an existing Application Gateway using REST API
Hello team, We have an existing application gateway, and I want to automate associating a WAF policy on this existing gateway. I am using Ansible URI module to achieve this, hence exploring API for WAF Association. I want to achieve association using…
Azure Gateway File Upload Limits (4GB) even if Policy to inspect body is disabled or exclusion rules applied
We are receiving the following HTTP errors when uploading files larger than 4GB. 413 Request Entity Too Large 413 Request Entity Too Large Microsoft-Azure-Application-Gateway/v2 According to official MS Azure documentation* it states the…
We cannot see the request in the firewall logs from application gateway
When we send the request from Postman, the API request succeeds and is also seen in the database (SSMS) and the application gateway, but we cannot see the request in the firewall logs. What is the issue and how do we solve this error? We are using the below query in…
How to disable a specific OWASP 3.2 rule for a specific URI in Azure WAF v2
Hello, I need to ignore a specific OWASP rule in my WAF V2. I have multiple requests with different request URIs, for example, https://www.example.com/abc/def/xy In add exclusion, WAF considers just the "Request headers," "Cookie,"…
How do we configure alerts for Azure Web Application Firewall?
Hello, we are trying to configure alerts for Azure WAF, mostly focusing on the blockers: when there is a blocker on the firewall due to a request, we have to receive alerts and information. Any suggestions could be helpful. Thanks.
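From the China region, SSH can log in to the Microsoft cloud server, but the web page cannot be accessed
From the China region, SSH can log in to the Microsoft cloud server, but the web page cannot access the web service hosted on the Microsoft cloud server,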
Azure Web Application Firewall - Microsoft_BotManagerRuleSet_1.0
This post is regarding the Azure WAF unknown bots and its rules. At the moment, for us, rule ID 300700 'other bots' is being logged with errors for various APIs. I didn't see any information; if anyone has more inputs on the existing issue, it will be…
Best Approach to Restrict Browser Access to Azure Web App Services' Backend while Permitting Front-end and API Requests through Application Gateway with WAF
We have a setup consisting of Azure Web App Services for both front-end and back-end operations, integrated with an Application Gateway and a single Web Application Firewall (WAF) configured in a multitenant environment. Our primary concern is…