Repetitive GET request query in requestUri_s field of ApplicationGatewayFirewallLog
Hi,
I am currently facing a strange behavior with Azure Application Gateway and WAF.
We have a web application running in AKS connected to Application Gateway connected with AGIC. The application serves 2 hosts, let's say HostA and HostB. We found that the GET request query gets doubled in the requestUri_s field of ApplicationGatewayFirewallLog, but in ApplicationGatewayAccessLog it looks fine. Such behavior occurs only for HostA, but not HostB.
For example, for a GET request HostA?id=1, requestUri_s of ApplicationGatewayFirewallLog will be HostA?id=1?id=1
In some particular cases, this triggers 941100 XSS Attack Detected via libinjection. For example, the GET request HostA?x=Oni. In ApplicationGatewayFirewallLog, requestUri_s of ApplicationGatewayFirewallLog is /?x=Oni?x=Oni and detail_data_s is {Oni?x=Oni found within [ARGS:x:Oni?x=Oni]}
We have been debugging the issue for days and still have no idea what the cause is. There are no rewrite rules on the incoming URI. I think it is unlikely to be caused by the application. The cause we could think of is that there is a bug in WAF or AGIC. Any idea what could be the cause?
Azure Web Application Firewall
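An added example, not part of the original post: a Python check for this pattern in exported ApplicationGatewayFirewallLog records. It tests whether requestUri_s has the form path?Q?Q and shows which argument value absorbs the second copy, matching the ARGS:x:Oni?x=Oni data quoted in the question. The record layout, the ruleId_s key and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl


def split_duplicated_query(request_uri):
    """Return (path, query) when the URI has the form path?Q?Q, else None."""
    path, sep, query = request_uri.partition("?")
    if not sep or len(query) % 2 == 0:  # "Q?Q" always has odd length
        return None
    mid = len(query) // 2
    first, second = query[:mid], query[mid + 1:]
    if query[mid] == "?" and first and first == second:
        return path, first
    return None


def polluted_args(request_uri):
    """Parsed arguments present in the logged query but not in one copy of it."""
    dup = split_duplicated_query(request_uri)
    if dup is None:
        return []
    clean = parse_qsl(dup[1], keep_blank_values=True)
    logged = parse_qsl(request_uri.partition("?")[2], keep_blank_values=True)
    return [pair for pair in logged if pair not in clean]


def triage(records):
    """Summarise every record whose requestUri_s carries a doubled query."""
    findings = []
    for rec in records:
        uri = rec.get("requestUri_s", "")
        dup = split_duplicated_query(uri)
        if dup:
            findings.append({
                "rule": rec.get("ruleId_s"),  # assumed key name
                "logged": uri,
                "likely_sent": f"{dup[0]}?{dup[1]}",
                "polluted": polluted_args(uri),
            })
    return findings


# Constructed sample records; only the URIs in the first two mirror the post.
SAMPLE = [
    {"ruleId_s": "941100", "requestUri_s": "/?x=Oni?x=Oni"},
    {"ruleId_s": "941100", "requestUri_s": "/foo?id=1?id=1"},
    {"ruleId_s": "941100", "requestUri_s": "/search?q=what?"},  # legitimate '?'
    {"ruleId_s": "941100", "requestUri_s": "/foo?id=1"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A record flagged here still needs comparing with the matching ApplicationGatewayAccessLog entry before the rule hit is treated as a false positive.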
-
Ganesh Patapati • 5,085 Reputation points • Microsoft External Staff
17 Mar 2025, 10:41 Hello Kit Shing Kwong
I understand that you enabled WAF on the application gateway, and the 941100 rule is blocking some requests.
941100 is one of the OWASP default rules in the WAF. If any default rule is triggered, it will automatically block the request.
If any default rules are triggering, you need to validate the severity of the rule ID. Please refer to the docs below.
Refer: https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.2/dev/rules
This means the request is getting matched at ARGS, so the 941100 rule is triggered.
To mitigate these, you would have to check with your application team to understand the ways to mitigate it.
If not, then you can configure WAF exclusions.
To configure WAF exclusions, please follow the steps below (sample for rule ID 941100):
1. Navigate to managed rules in the WAF policy from the portal
2. Click on add exclusion
3. Add the rule ID and select it
4. Write an exclusion with the details match variable: arg value, operator: contains, and selector: q
This way you can add exclusion.
Please refer to the reference screenshot for exclusion below.
In the same manner, you need to write exclusions for the rule ID.
This article provides information on Web Application Firewall exclusion lists configuration in Application Gateway with the Azure portal.
Use the exclusion list or you can Disable the rule.
Can you please update us if the action plan provided by was helpful?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
-
Kit Shing Kwong • 5 Reputation points
17 Mar 2025, 13:37 Thanks for your response.
But it did not answer the question.
-
Ganesh Patapati • 5,085 Reputation points • Microsoft External Staff
17 Mar 2025, 13:44 Hello Kit Shing Kwong
I initiated a private message where we can connect offline and resolve your query.
-
Ganesh Patapati • 5,085 Reputation points • Microsoft External Staff
17 Mar 2025, 16:56 Hello Kit Shing Kwong
I would request you to perform the below action plan to isolate the issue.
- Could you please verify if the Application Gateway's HTTP Settings include an Override backend path with the original query string. This might cause the query string to be appended twice when forwarding to the backend.
- Switch the WAF to detection mode and check if the same behavior occurs.
- Replicate the same application configuration for Host A from Host B, as Host B works without duplication. The issue might be at the application level with redirects or rewrites to the query strings.
- If possible, test from another VM in the same VNET where AGIC Host A resides and access it internally to determine if the Application Gateway with WAF is causing the issue.
- Share your Application Gateway access logs and WAF logs for both working and non-working scenarios via private messages so we can identify the issue.
Can you please update us if the action plan provided by was helpful?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
-
Ganesh Patapati • 5,085 Reputation points • Microsoft External Staff
18 Mar 2025, 08:50 Hello Kit Shing Kwong
Can you please update us if the action plan provided by was helpful?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
-
Kit Shing Kwong • 5 Reputation points
18 Mar 2025, 10:33 Hi,
Thanks for your advice.
It seems the cause is the 'Override backend path' setting. We have HostA set 'Override backend path' to '/', while HostB is set to empty.
We also tested that after setting 'Override backend path' of HostA to empty, the duplication problem is gone.
We use appgw.ingress.kubernetes.io/backend-path-prefix in the k8s ingress for the setting.
However, we cannot set it to empty as we need this rewrite, for example, the request to 'HostA/api/*' has to rewrite to '/' to the backend.
-
Ganesh Patapati • 5,085 Reputation points • Microsoft External Staff
18 Mar 2025, 11:18 Hello Kit Shing Kwong
Thanks for the reply!
For further troubleshooting, could you please share your email ID via Private messages so we can connect privately over a call to resolve the issue. Also, could you please share your available times for scheduling the Teams call?
-
Ganesh Patapati • 5,085 Reputation points • Microsoft External Staff
18 Mar 2025, 17:42 However, we cannot set it to empty as we need this rewrite, for example, the request to 'HostA/api/*' has to rewrite to '/' to the backend.
Have you tried HTTP rewrite headers on Application Gateway to achieve this?
Refer: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url
Can you please update us if the action plan provided by was helpful?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
-
Kit Shing Kwong • 5 Reputation points
19 Mar 2025, 07:29 I would prefer to solve it with the backend setting rather than setting up rewrite rules.
But is it expected that setting 'Override backend path' to '/' will double the get request query? If it is expected, then I think it is a bug in WAF.
-
Venkat V • 1,080 Reputation points • Microsoft External Staff
19 Mar 2025, 07:32 Hi @Kit Shing Kwong
The Application Gateway's WAF is detecting the URI duplication and triggering an alert because it looks suspicious (repeated query parameters).
As a workaround, set Override backend path to empty instead of 'HostA/api/*' and use appgw.ingress.kubernetes.io/backend-path-prefix.
The appgw.ingress.kubernetes.io/backend-path-prefix annotation will rewrite the path from /api/* to / before it is forwarded to the backend.
No Override backend path setting in App Gateway for HostA:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hosta-ingress
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/backend-path-prefix: "/"
spec:
  rules:
  - host: hosta.example.com
    http:
      paths:
      - path: /api/*
        pathType: Prefix
        backend:
          service:
            name: hosta-backend
            port:
              number: 80

The above configuration tells Application Gateway to rewrite any path starting with /api/* to /. For example, a request to HostA/api/foo?id=1 will be rewritten to /foo?id=1.
Reference: Backend Path Prefix
https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url
I hope this helps to resolve your query.
If the above is unclear and/or you are unsure about something, add a comment below.
-
Kit Shing Kwong • 5 Reputation points
19 Mar 2025, 13:59

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hosta-ingress
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/backend-path-prefix: "/"
spec:
  rules:
  - host: hosta.example.com
    http:
      paths:
      - path: /api/*
        pathType: Prefix
        backend:
          service:
            name: hosta-backend
            port:
              number: 80

Basically we have the same ingress configuration and we are on the same page regarding the use of backend-path-prefix. But unfortunately in our case the request to HostA/api/foo?id=1 is rewritten to /foo?id=1?id=1
-
Venkat V • 1,080 Reputation points • Microsoft External Staff
20 Mar 2025, 10:13 Thanks for your reply
Can you please confirm whether you are adding any value in the override backend path? If you have added a path configuration in the Ingress YAML file, make sure the Override backend path in the Application Gateway is empty.
-
Kit Shing Kwong • 5 Reputation points
20 Mar 2025, 10:26 Hi,
All the backend settings are done by the ingress yml file and thus AGIC. We do not have any manual setup.
From what I observed, the 'override backend path' is updated according to the "appgw.ingress.kubernetes.io/backend-path-prefix" value in the yml file, right?
-
Venkat V • 1,080 Reputation points • Microsoft External Staff
20 Mar 2025, 15:27 Hi @Kit Shing Kwong
Yes, add the backend path value in the yaml file to rewrite to another path, and set the override backend path value to empty in Application Gateway.
I also requested some details in the private chat for further troubleshooting. Can you please provide the required information there?
-
Venkat V • 1,080 Reputation points • Microsoft External Staff
22 Mar 2025, 04:12 Hi @Kit Shing Kwong
I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.
-
Venkat V • 1,080 Reputation points • Microsoft External Staff
24 Mar 2025, 05:43 I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.