Edit

Web Application Firewall CRS rule groups and rules

  • Article
  • 32 minutes to read

Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0, or 2.2.9. Rules can be disabled on a rule-by-rule basis, or you can set specific actions by individual rule. This article contains the current rules and rule sets offered. In the rare occasion that a published ruleset needs to be updated, it will be documented here.

Core rule sets

The Application Gateway WAF comes pre-configured with CRS 3.2 by default, but you can choose to use any other supported CRS version.

CRS 3.2 offers a new engine and new rule sets defending against Java injections, an initial set of file upload checks, and fewer false positives compared with earlier versions of CRS. You can also customize rules to suit your needs. Learn more about the new Azure WAF engine.

Manages rules

The WAF protects against the following web vulnerabilities:

  • SQL-injection attacks
  • Cross-site scripting attacks
  • Other common attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion
  • HTTP protocol violations
  • HTTP protocol anomalies, such as missing host user-agent and accept headers
  • Bots, crawlers, and scanners
  • Common application misconfigurations (for example, Apache and IIS)

CRS is enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Core Rule Set to meet your application requirements. You can also set specific actions per rule. The CRS supports block, log and anomaly score actions. The Bot Manager ruleset supports the allow, block and log actions.

Sometimes you might need to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication. You can configure exclusions to apply when specific WAF rules are evaluated, or to apply globally to the evaluation of all WAF rules. Exclusion rules apply to your whole web application. For more information, see Web Application Firewall (WAF) with Application Gateway exclusion lists.

By default, CRS version 3.2 and above will leverage anomaly scoring when a request matches a rule, CRS 3.1 and below will block matching requests by default. Additionally, custom rules can be configured in the same WAF policy if you wish to bypass any of the pre-configured rules in the Core Rule Set.

Custom rules are always applied before rules in the Core Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the back-end. No other custom rules or the rules in the Core Rule Set are processed.

Anomaly scoring

When you use CRS, your WAF is configured to use anomaly scoring by default. Traffic that matches any rule isn't immediately blocked, even when your WAF is in prevention mode. Instead, the OWASP rule sets define a severity for each rule: Critical, Error, Warning, or Notice. The severity affects a numeric value for the request, which is called the anomaly score:

Rule severity Value contributed to anomaly score
Critical 5
Error 4
Warning 3
Notice 2

If the anomaly score is 5 or greater, and the WAF is in Prevention mode, the request is blocked. If the anomaly score is 5 or greater, and the WAF is in Detection mode, the request is logged but not blocked.

For example, a single Critical rule match is enough for the WAF to block a request when in Prevention mode, because the overall anomaly score is 5. However, one Warning rule match only increases the anomaly score by 3, which isn't enough by itself to block the traffic. When an anomaly rule is triggered, it shows a "Matched" action in the logs. If the anomaly score is 5 or greater, there is a separate rule triggered with either "Blocked" or "Detected" action depending on whether WAF policy is in Prevention or Detection mode. For more information, please see Anomaly Scoring mode.

OWASP CRS 3.2

CRS 3.2 includes 14 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled. The ruleset is based off OWASP CRS 3.2.0 version.

Note

CRS 3.2 is only available on the WAF_v2 SKU. Because CRS 3.2 runs on the new Azure WAF engine, you can't downgrade to CRS 3.1 or earlier. If you need to downgrade, contact Azure Support.

Rule group Description
General General group
KNOWN-CVES Help detect new and known CVEs
REQUEST-911-METHOD-ENFORCEMENT Lock-down methods (PUT, PATCH)
REQUEST-913-SCANNER-DETECTION Protect against port and environment scanners
REQUEST-920-PROTOCOL-ENFORCEMENT Protect against protocol and encoding issues
REQUEST-921-PROTOCOL-ATTACK Protect against header injection, request smuggling, and response splitting
REQUEST-930-APPLICATION-ATTACK-LFI Protect against file and path attacks
REQUEST-931-APPLICATION-ATTACK-RFI Protect against remote file inclusion (RFI) attacks
REQUEST-932-APPLICATION-ATTACK-RCE Protect again remote code execution attacks
REQUEST-933-APPLICATION-ATTACK-PHP Protect against PHP-injection attacks
REQUEST-941-APPLICATION-ATTACK-XSS Protect against cross-site scripting attacks
REQUEST-942-APPLICATION-ATTACK-SQLI Protect against SQL-injection attacks
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION Protect against session-fixation attacks
REQUEST-944-APPLICATION-ATTACK-JAVA Protect against JAVA attacks

OWASP CRS 3.1

CRS 3.1 includes 14 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled. The ruleset is based off OWASP CRS 3.1.1 version.

Note

CRS 3.1 is only available on the WAF_v2 SKU.

Rule group Description
General General group
KNOWN-CVES Help detect new and known CVEs
REQUEST-911-METHOD-ENFORCEMENT Lock-down methods (PUT, PATCH)
REQUEST-913-SCANNER-DETECTION Protect against port and environment scanners
REQUEST-920-PROTOCOL-ENFORCEMENT Protect against protocol and encoding issues
REQUEST-921-PROTOCOL-ATTACK Protect against header injection, request smuggling, and response splitting
REQUEST-930-APPLICATION-ATTACK-LFI Protect against file and path attacks
REQUEST-931-APPLICATION-ATTACK-RFI Protect against remote file inclusion (RFI) attacks
REQUEST-932-APPLICATION-ATTACK-RCE Protect again remote code execution attacks
REQUEST-933-APPLICATION-ATTACK-PHP Protect against PHP-injection attacks
REQUEST-941-APPLICATION-ATTACK-XSS Protect against cross-site scripting attacks
REQUEST-942-APPLICATION-ATTACK-SQLI Protect against SQL-injection attacks
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION Protect against session-fixation attacks
REQUEST-944-APPLICATION-ATTACK-SESSION-JAVA Protect against JAVA attacks

OWASP CRS 3.0

CRS 3.0 includes 13 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled. The ruleset is based off OWASP CRS 3.0.0 version.

Rule group Description
General General group
KNOWN-CVES Help detect new and known CVEs
REQUEST-911-METHOD-ENFORCEMENT Lock-down methods (PUT, PATCH)
REQUEST-913-SCANNER-DETECTION Protect against port and environment scanners
REQUEST-920-PROTOCOL-ENFORCEMENT Protect against protocol and encoding issues
REQUEST-921-PROTOCOL-ATTACK Protect against header injection, request smuggling, and response splitting
REQUEST-930-APPLICATION-ATTACK-LFI Protect against file and path attacks
REQUEST-931-APPLICATION-ATTACK-RFI Protect against remote file inclusion (RFI) attacks
REQUEST-932-APPLICATION-ATTACK-RCE Protect again remote code execution attacks
REQUEST-933-APPLICATION-ATTACK-PHP Protect against PHP-injection attacks
REQUEST-941-APPLICATION-ATTACK-XSS Protect against cross-site scripting attacks
REQUEST-942-APPLICATION-ATTACK-SQLI Protect against SQL-injection attacks
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION Protect against session-fixation attacks

OWASP CRS 2.2.9

CRS 2.2.9 includes 10 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.

Note

CRS 2.2.9 is no longer supported for new WAF policies. We recommend you upgrade to the latest CRS version.

Rule group Description
crs_20_protocol_violations Protect against protocol violations (such as invalid characters or a GET with a request body)
crs_21_protocol_anomalies Protect against incorrect header information
crs_23_request_limits Protect against arguments or files that exceed limitations
crs_30_http_policy Protect against restricted methods, headers, and file types
crs_35_bad_robots Protect against web crawlers and scanners
crs_40_generic_attacks Protect against generic attacks (such as session fixation, remote file inclusion, and PHP injection)
crs_41_sql_injection_attacks Protect against SQL-injection attacks
crs_41_xss_attacks Protect against cross-site scripting attacks
crs_42_tight_security Protect against path-traversal attacks
crs_45_trojans Protect against backdoor trojans

Bot rules

You can enable a managed bot protection rule set to take custom actions on requests from all bot categories.

Rule group Description
BadBots Protect against bad bots
GoodBots Identify good bots
UnknownBots Identify unknown bots

The following rule groups and rules are available when using Web Application Firewall on Application Gateway.

3.2 rule sets

General

RuleId Description
200002 Failed to Parse Request Body.
200003 Multipart Request Body Strict Validation.
200004 Possible Multipart Unmatched Boundary.

KNOWN-CVES

RuleId Description
800100 Rule to help detect and mitigate log4j vulnerability CVE-2021-44228, CVE-2021-45046
800110 Spring4Shell Interaction Attempt
800111 Attempted Spring Cloud routing-expression injection - CVE-2022-22963
800112 Attempted Spring Framework unsafe class object exploitation - CVE-2022-22965
800113 Attempted Spring Cloud Gateway Actuator injection - CVE-2022-22947

REQUEST-911-METHOD-ENFORCEMENT

RuleId Description
911100 Method is not allowed by policy

REQUEST-913-SCANNER-DETECTION

RuleId Description
913100 Found User-Agent associated with security scanner
913101 Found User-Agent associated with scripting/generic HTTP client
913102 Found User-Agent associated with web crawler/bot
913110 Found request header associated with security scanner
913120 Found request filename/argument associated with security scanner

REQUEST-920-PROTOCOL-ENFORCEMENT

RuleId Description
920100 Invalid HTTP Request Line
920120 Attempted multipart/form-data bypass
920121 Attempted multipart/form-data bypass
920160 Content-Length HTTP header is not numeric.
920170 GET or HEAD Request with Body Content.
920171 GET or HEAD Request with Transfer-Encoding.
920180 POST request missing Content-Length Header.
920190 Range: Invalid Last Byte Value.
920200 Range: Too many fields (6 or more)
920201 Range: Too many fields for pdf request (35 or more)
920202 Range: Too many fields for pdf request (6 or more)
920210 Multiple/Conflicting Connection Header Data Found.
920220 URL Encoding Abuse Attack Attempt
920230 Multiple URL Encoding Detected
920240 URL Encoding Abuse Attack Attempt
920250 UTF8 Encoding Abuse Attack Attempt
920260 Unicode Full/Half Width Abuse Attack Attempt
920270 Invalid character in request (null character)
920271 Invalid character in request (non printable characters)
920272 Invalid character in request (outside of printable chars below ascii 127)
920273 Invalid character in request (outside of very strict set)
920274 Invalid character in request headers (outside of very strict set)
920280 Request Missing a Host Header
920290 Empty Host Header
920300 Request Missing an Accept Header
920310 Request Has an Empty Accept Header
920311 Request Has an Empty Accept Header
920320 Missing User Agent Header
920330 Empty User Agent Header
920340 Request Containing Content, but Missing Content-Type header
920341 Request containing content requires Content-Type header
920350 Host header is a numeric IP address
920420 Request content type is not allowed by policy
920430 HTTP protocol version is not allowed by policy
920440 URL file extension is restricted by policy
920450 HTTP header is restricted by policy (%{MATCHED_VAR})
920460 Abnormal Escape Characters
920470 Illegal Content-Type header
920480 Restrict charset parameter within the content-type header

REQUEST-921-PROTOCOL-ATTACK

RuleId Description
921110 HTTP Request Smuggling Attack
921120 HTTP Response Splitting Attack
921130 HTTP Response Splitting Attack
921140 HTTP Header Injection Attack via headers
921150 HTTP Header Injection Attack via payload (CR/LF detected)
921151 HTTP Header Injection Attack via payload (CR/LF detected)
921160 HTTP Header Injection Attack via payload (CR/LF and header-name detected)
921170 HTTP Parameter Pollution
921180 HTTP Parameter Pollution (%{TX.1})

REQUEST-930-APPLICATION-ATTACK-LFI

RuleId Description
930100 Path Traversal Attack (/../)
930110 Path Traversal Attack (/../)
930120 OS File Access Attempt
930130 Restricted File Access Attempt

REQUEST-931-APPLICATION-ATTACK-RFI

RuleId Description
931100 Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
931110 Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
931120 Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
931130 Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link

REQUEST-932-APPLICATION-ATTACK-RCE

RuleId Description
932100 Remote Command Execution: Unix Command Injection
932105 Remote Command Execution: Unix Command Injection
932106 Remote Command Execution: Unix Command Injection
932110 Remote Command Execution: Windows Command Injection
932115 Remote Command Execution: Windows Command Injection
932120 Remote Command Execution: Windows PowerShell Command Found
932130 Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) or Text4Shell (CVE-2022-42889) Found
932140 Remote Command Execution: Windows FOR/IF Command Found
932150 Remote Command Execution: Direct Unix Command Execution
932160 Remote Command Execution: Unix Shell Code Found
932170 Remote Command Execution: Shellshock (CVE-2014-6271)
932171 Remote Command Execution: Shellshock (CVE-2014-6271)
932180 Restricted File Upload Attempt
932190 Remote Command Execution: Wildcard bypass technique attempt

REQUEST-933-APPLICATION-ATTACK-PHP

RuleId Description
933100 PHP Injection Attack: Opening/Closing Tag Found
933110 PHP Injection Attack: PHP Script File Upload Found
933111 PHP Injection Attack: PHP Script File Upload Found
933120 PHP Injection Attack: Configuration Directive Found
933130 PHP Injection Attack: Variables Found
933131 PHP Injection Attack: Variables Found
933140 PHP Injection Attack: I/O Stream Found
933150 PHP Injection Attack: High-Risk PHP Function Name Found
933151 PHP Injection Attack: Medium-Risk PHP Function Name Found
933160 PHP Injection Attack: High-Risk PHP Function Call Found
933161 PHP Injection Attack: Low-Value PHP Function Call Found
933170 PHP Injection Attack: Serialized Object Injection
933180 PHP Injection Attack: Variable Function Call Found
933190 PHP Injection Attack: PHP Closing Tag Found
933200 PHP Injection Attack: Wrapper scheme detected
933210 PHP Injection Attack: Variable Function Call Found

REQUEST-941-APPLICATION-ATTACK-XSS

RuleId Description
941100 XSS Attack Detected via libinjection
941101 XSS Attack Detected via libinjection.
This rule detects requests with a Referer header.
941110 XSS Filter - Category 1: Script Tag Vector
941120 XSS Filter - Category 2: Event Handler Vector
941130 XSS Filter - Category 3: Attribute Vector
941140 XSS Filter - Category 4: JavaScript URI Vector
941150 XSS Filter - Category 5: Disallowed HTML Attributes
941160 NoScript XSS InjectionChecker: HTML Injection
941170 NoScript XSS InjectionChecker: Attribute Injection
941180 Node-Validator Blacklist Keywords
941190 XSS Using style sheets
941200 XSS using VML frames
941210 XSS using obfuscated JavaScript or Text4Shell (CVE-2022-42889)
941220 XSS using obfuscated VB Script
941230 XSS using 'embed' tag
941240 XSS using 'import' or 'implementation' attribute
941250 IE XSS Filters - Attack Detected.
941260 XSS using 'meta' tag
941270 XSS using 'link' href
941280 XSS using 'base' tag
941290 XSS using 'applet' tag
941300 XSS using 'object' tag
941310 US-ASCII Malformed Encoding XSS Filter - Attack Detected.
941320 Possible XSS Attack Detected - HTML Tag Handler
941330 IE XSS Filters - Attack Detected.
941340 IE XSS Filters - Attack Detected.
941350 UTF-7 Encoding IE XSS - Attack Detected.
941360 JavaScript obfuscation detected.

REQUEST-942-APPLICATION-ATTACK-SQLI

RuleId Description
942100 SQL Injection Attack Detected via libinjection
942110 SQL Injection Attack: Common Injection Testing Detected
942120 SQL Injection Attack: SQL Operator Detected
942130 SQL Injection Attack: SQL Tautology Detected.
942140 SQL Injection Attack: Common DB Names Detected
942150 SQL Injection Attack
942160 Detects blind sqli tests using sleep() or benchmark().
942170 Detects SQL benchmark and sleep injection attempts including conditional queries
942180 Detects basic SQL authentication bypass attempts 1/3
942190 Detects MSSQL code execution and information gathering attempts
942200 Detects MySQL comment-/space-obfuscated injections and backtick termination
942210 Detects chained SQL injection attempts 1/2
942220 Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash
942230 Detects conditional SQL injection attempts
942240 Detects MySQL charset switch and MSSQL DoS attempts
942250 Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections
942251 Detects HAVING injections
942260 Detects basic SQL authentication bypass attempts 2/3
942270 Looking for basic sql injection. Common attack string for mysql, oracle and others.
942280 Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts
942290 Finds basic MongoDB SQL injection attempts
942300 Detects MySQL comments, conditions and ch(a)r injections
942310 Detects chained SQL injection attempts 2/2
942320 Detects MySQL and PostgreSQL stored procedure/function injections
942330 Detects classic SQL injection probings 1/2
942340 Detects basic SQL authentication bypass attempts 3/3
942350 Detects MySQL UDF injection and other data/structure manipulation attempts
942360 Detects concatenated basic SQL injection and SQLLFI attempts
942361 Detects basic SQL injection based on keyword alter or union
942370 Detects classic SQL injection probings 2/2
942380 SQL Injection Attack
942390 SQL Injection Attack
942400 SQL Injection Attack
942410 SQL Injection Attack
942420 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
942421 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
942430 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942431 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
942432 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
942440 SQL Comment Sequence Detected.
942450 SQL Hex Encoding Identified
942460 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
942470 SQL Injection Attack
942480 SQL Injection Attack
942490 Detects classic SQL injection probings 3/3
942500 MySQL in-line comment detected.

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION

RuleId Description
943100 Possible Session Fixation Attack: Setting Cookie Values in HTML
943110 Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
943120 Possible Session Fixation Attack: SessionID Parameter Name with No Referer

REQUEST-944-APPLICATION-ATTACK-JAVA

RuleId Description
944100 Remote Command Execution: Apache Struts, Oracle WebLogic
944110 Detects potential payload execution
944120 Possible payload execution and remote command execution
944130 Suspicious Java classes
944200 Exploitation of Java deserialization Apache Commons
944210 Possible use of Java serialization
944240 Remote Command Execution: Java serialization
944250 Remote Command Execution: Suspicious Java method detected
944300 Base64 encoded string matched suspicious keyword

Next steps