Why does WAF block WebResource.axd / ScriptResource.axd?

Steve Wardell 21 Reputation points
2023-02-26T04:13:27.6133333+00:00

In rule Microsoft_DefaultRuleSet-2.1-PROTOCOL-ENFORCEMENT-920440, among other things, it blocks WebResource.axd and ScriptResource.axd. The blocks are probably due to CVE-2010-3332, which has long since been patched. Why does WAF still have this as a rule and/or how can I get around it? My application needs access to those URIs. I could add a custom rule for paths to those two .axd files to allow, but I don't love that approach. Any other options besides disabling the rule entirely?

Azure Web Application Firewall

Accepted answer
  1. GitaraniSharma-MSFT 48,196 Reputation points Microsoft Employee
    2023-02-27T11:06:45.1433333+00:00

    Hello @Steve Wardell ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know why Azure WAF blocks WebResource.axd / ScriptResource.axd.

    Azure Web Application Gateway (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0, or 2.2.9.

    Azure WAF CRS/DRS rule group REQUEST-920-PROTOCOL-ENFORCEMENT contains the below rule, which is defined in OWASP core rule sets 3.2, 3.1, 3.0:

    920440 - URL file extension is restricted by policy

    You can see the OWASP CRS rule id "920440" description as below:

    # Restrict file extension
    #
    SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
        "id:920440,\
        phase:1,\
        block,\
        capture,\
        t:none,\
        msg:'URL file extension is restricted by policy',\
        logdata:'%{TX.0}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        tag:'PCI/6.5.10',\
        ver:'OWASP_CRS/4.0.0-rc1',\
        severity:'CRITICAL',\
        setvar:'tx.extension=.%{tx.1}/',\
        chain"
        SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
            "t:none,t:urlDecodeUni,t:lowercase,\
            setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
    

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32

    https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-drs?tabs=drs21

    https://github.com/coreruleset/coreruleset/blob/v4.0/dev/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L1063

    I checked with the Azure WAF Product Group team, and they confirmed that extensions are blocked by design. WAF blocks those extensions since they might be capable of performing "PadBuster" attacks.

    There are only two ways to avoid this:

    1. Disable Rule 920440 and allow all extensions.
    2. Create a custom rule to allow the extensions that will override the managed rule.

    NOTE: When both custom rules & managed rules are present, custom rules are processed before processing the rules in a managed rule set.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

    https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-custom-rules

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
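The evaluation order this answer describes (custom rules first, then the managed rule set, with rule 920440 as quoted above), as an added example that is not part of the original answer or of Azure's or CRS's own code: a Python emulation of 920440 (extension of REQUEST_BASENAME, urlDecodeUni + lowercase, and @within modelled as the substring test it is) in front of which two alternative custom Allow rules are tried. The restricted-extension list is constructed for the example from the CRS default list plus `.axd`, which the Azure managed rule evidently includes given the block reported in the question; `allow_basename`, `allow_ends_with` and `evaluate` are hypothetical simplifications of the Azure custom-rule model, not its API.

```python
import re
from urllib.parse import unquote, urlsplit

# Restricted-extension list, constructed for this example: the OWASP CRS default
# list plus ".axd", which the Azure managed rule evidently includes (the question
# reports WebResource.axd being blocked). Kept in the "/.ext/" form CRS uses so
# that the @within operator can be modelled as it behaves: a substring test.
RESTRICTED_EXTENSIONS = " ".join(
    "/.%s/" % ext
    for ext in (
        "asa asax ascx axd backup bak bat cdx cer cfg cmd com config conf cs "
        "csproj csr dat db dbf dll dos htr htw ida idc idq inc ini key licx lnk "
        "log mdb old pass pdb pol printer pwd rdb resources resx sql swp sys vb "
        "vbs vbproj vsdisco webinfo xsd xsx"
    ).split()
)

EXT_RE = re.compile(r"\.([^.]+)$")  # the @rx pattern of rule 920440


def request_basename(uri):
    """REQUEST_BASENAME: the last segment of the request path, query excluded."""
    return urlsplit(uri).path.rsplit("/", 1)[-1]


def rule_920440_matches(uri):
    """Emulate 920440 as quoted: capture the extension of the basename, build
    tx.extension as ".<ext>/", apply urlDecodeUni + lowercase, then @within."""
    m = EXT_RE.search(request_basename(uri))
    if not m:
        return False
    tx_extension = "." + unquote(m.group(1)).lower() + "/"
    return tx_extension in RESTRICTED_EXTENSIONS  # substring test, like @within


# Custom rules run in priority order before the managed rule set, and an Allow
# match ends evaluation. These helpers are a hypothetical simplification of the
# Azure custom-rule model, not its API.
def allow_basename(*names):
    wanted = {n.lower() for n in names}
    return {"action": "Allow",
            "match": lambda uri: request_basename(uri).lower() in wanted}


def allow_ends_with(suffix):
    return {"action": "Allow",
            "match": lambda uri: urlsplit(uri).path.lower().endswith(suffix.lower())}


def evaluate(uri, custom_rules):
    """Decision for one request: custom rules first, then 920440."""
    for rule in custom_rules:
        if rule["match"](uri):
            return "allow" if rule["action"] == "Allow" else "block"
    return "block" if rule_920440_matches(uri) else "allow"


NARROW = [allow_basename("WebResource.axd", "ScriptResource.axd")]
BROAD = [allow_ends_with(".axd")]

if __name__ == "__main__":
    for uri in ("/WebResource.axd?d=abc", "/scriptresource.axd?d=x",
                "/Trace.axd", "/web.config.bak", "/Default.aspx"):
        print(f"{uri:26} managed-only={evaluate(uri, []):5} "
              f"narrow={evaluate(uri, NARROW):5} broad={evaluate(uri, BROAD)}")
```

The comparison is the point of the example: an Allow rule keyed on the two basenames the application needs lets WebResource.axd and ScriptResource.axd through while `/Trace.axd` (the ASP.NET trace handler) still falls to 920440, whereas an "ends with .axd" Allow rule waves Trace.axd through as well. Since Allow ends evaluation, whichever form you choose also bypasses every other managed rule for the matching request, so keep the match as narrow as the application permits. One side effect of reading the quoted rule literally: because @within is a substring test, the emulation also flags an extension such as `.s` (`.s/` occurs inside `/.vbs/`); whether a particular managed rule set shows that behaviour is not something this thread establishes.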


1 additional answer

  1. Adam Page 0 Reputation points
    2023-12-05T08:51:33.7933333+00:00

    To work around this issue I created custom rules to disable all the other file types within the rule as a regex

    "\.asa[^a-zA-Z] \.asax[^a-zA-Z] \.ascx[^a-zA-Z] \.backup[^a-zA-Z] \.bak[^a-zA-Z] \.bat[^a-zA-Z] \.cdx[^a-zA-Z] \.cer[^a-zA-Z] \.cfg[^a-zA-Z] \.cmd[^a-zA-Z] \.com[^a-zA-Z] \.config[^a-zA-Z] \.conf[^a-zA-Z] \.cs[^a-zA-Z] \.csproj[^a-zA-Z] \.csr[^a-zA-Z] \.dat[^a-zA-Z] \.db[^a-zA-Z] \.dbf[^a-zA-Z] \.dll[^a-zA-Z] \.dos[^a-zA-Z] \.htr[^a-zA-Z] \.htw[^a-zA-Z] \.ida[^a-zA-Z] \.idc[^a-zA-Z] \.idq[^a-zA-Z] \.inc[^a-zA-Z] \.ini[^a-zA-Z] \.key[^a-zA-Z] \.licx[^a-zA-Z] \.lnk[^a-zA-Z] \.log[^a-zA-Z] \.mdb[^a-zA-Z] \.old[^a-zA-Z] \.pass[^a-zA-Z] \.pdb[^a-zA-Z] \.pol[^a-zA-Z] \.printer[^a-zA-Z] \.pwd[^a-zA-Z] \.rdb[^a-zA-Z] \.resources[^a-zA-Z] \.resx[^a-zA-Z] \.sql[^a-zA-Z] \.swp[^a-zA-Z] \.sys[^a-zA-Z] \.vb[^a-zA-Z] \.vbs[^a-zA-Z] \.vbproj[^a-zA-Z] \.vsdisco[^a-zA-Z] \.webinfo[^a-zA-Z] \.xsd[^a-zA-Z] \.xsx[^a-zA-Z]"

    Plus rules that match the extensions with the operator "ends with", then .asa, .asax, .ascx, etc.

    Then disable rule 920440.

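The deny-list approach in the answer above, as an added example that is not part of that answer or of Azure's code: a Python model of the regex rule (the posted extension list, one `\.ext[^a-zA-Z]` alternative per extension, dot escaped) next to the companion "ends with" rules, run over constructed request URIs. The Lowercase transform of a custom rule is modelled as `re.IGNORECASE`, the ends-with rules are evaluated on the path with the query string stripped, and `UNESCAPED_REGEX` is included only to show what the same list does when the dot is left as a wildcard; all three are assumptions of this example rather than Azure semantics.

```python
import re

# Extension list from the answer above (no ".axd", so those handlers pass).
EXTENSIONS = (
    "asa asax ascx backup bak bat cdx cer cfg cmd com config conf cs csproj csr "
    "dat db dbf dll dos htr htw ida idc idq inc ini key licx lnk log mdb old pass "
    "pdb pol printer pwd rdb resources resx sql swp sys vb vbs vbproj vsdisco "
    "webinfo xsd xsx"
).split()

# The posted pattern shape with the dot escaped: ".ext" followed by a non-letter.
# The Lowercase transform of a custom rule is modelled with IGNORECASE (assumption).
DENY_REGEX = re.compile("|".join(r"\." + e + "[^a-zA-Z]" for e in EXTENSIONS),
                        re.IGNORECASE)
# Same shape with the dot left as a regex wildcard, to show why escaping matters.
UNESCAPED_REGEX = re.compile("|".join("." + e + "[^a-zA-Z]" for e in EXTENSIONS),
                             re.IGNORECASE)


def regex_rule_hits(uri):
    """The regex custom rule, matched anywhere in the request URI."""
    return DENY_REGEX.search(uri) is not None


def unescaped_regex_hits(uri):
    """The same rule with an unescaped dot (for comparison only)."""
    return UNESCAPED_REGEX.search(uri) is not None


def ends_with_rule_hits(uri):
    """The companion "ends with" rules, evaluated on the path without the
    query string (an assumption of this example)."""
    path = uri.split("?", 1)[0].lower()
    return any(path.endswith("." + e) for e in EXTENSIONS)


def custom_rules_block(uri):
    """Deny if either the regex rule or one of the ends-with rules matches."""
    return regex_rule_hits(uri) or ends_with_rule_hits(uri)


if __name__ == "__main__":
    for uri in ("/backup.bak", "/backup.bak?x=1", "/web.CONFIG",
                "/WebResource.axd?d=abc", "/config/app"):
        print(f"{uri:24} regex={regex_rule_hits(uri)!s:5} "
              f"ends_with={ends_with_rule_hits(uri)!s:5} "
              f"unescaped={unescaped_regex_hits(uri)}")
```

Two things the run makes visible. The trailing `[^a-zA-Z]` requires a character after the extension, so a bare `/backup.bak` slips past the regex rule and is caught only by the ends-with rules, while `/backup.bak?x=1` is caught by the regex because `?` follows; that is why both rule kinds are needed together. And with the dot unescaped, `/config/app` is denied because `.` matches the `/` before `config`, a false positive that disappears once the dot is escaped.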