Hello @Steve Wardell,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know why Azure WAF blocks WebResource.axd / ScriptResource.axd.
Azure Web Application gateway (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0, or 2.2.9.
Azure WAF CRS/DRS rule group REQUEST-920-PROTOCOL-ENFORCEMENT contains the below rule, which is defined in OWASP core rule sets 3.2, 3.1, 3.0:
920440 - URL file extension is restricted by policy
You can see the OWASP CRS rule id "920440" description as below:
# Restrict file extension
#
SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
"id:920440,\
phase:1,\
block,\
capture,\
t:none,\
msg:'URL file extension is restricted by policy',\
logdata:'%{TX.0}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
"t:none,t:urlDecodeUni,t:lowercase,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-drs?tabs=drs21
I checked with the Azure WAF Product Group team, and they confirmed that extensions are blocked by design. WAF blocks those extensions since they might be capable of performing "PadBuster" attacks.
There are only two ways to avoid this:
- Disable Rule 920440 and allow all extensions.
- Create a custom rule to allow the extensions that will override the managed rule.
NOTE: When both custom rules & managed rules are present, custom rules are processed before processing the rules in a managed rule set.
Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview
https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-custom-rules
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
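The following is an added illustration (not part of the answer above and not Microsoft's or the CRS project's code) that models how rule 920440 evaluates a request path and why an Allow custom rule takes precedence. The restricted-extension list, anomaly threshold and the `allow_basenames` parameter are constructed assumptions for the demo; consult the CRS and Azure WAF documentation for the real values.

```python
import re
from urllib.parse import unquote

# Constructed subset of a CRS-style tx.restricted_extensions string. The CRS
# stores each extension with a trailing "/" so that "@within" matches whole
# extensions only (".ax/" must not match ".axd/").
RESTRICTED_EXTENSIONS = (
    ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .config/ .dll/ .ini/ .log/ .sql/"
)
CRITICAL_ANOMALY_SCORE = 5      # assumed CRS default for severity CRITICAL
INBOUND_ANOMALY_THRESHOLD = 5   # assumed CRS default blocking threshold


def request_basename(path: str) -> str:
    """REQUEST_BASENAME: the part of the request filename after the last '/'."""
    return path.rsplit("/", 1)[-1]


def rule_920440(path: str, restricted: str = RESTRICTED_EXTENSIONS):
    """Model of 920440: returns (matched, normalised_extension, score_delta)."""
    # First SecRule: REQUEST_BASENAME "@rx \.([^.]+)$", capture group 1
    m = re.search(r"\.([^.]+)$", request_basename(path))
    if not m:
        return False, None, 0
    # setvar:'tx.extension=.%{tx.1}/'
    extension = "." + m.group(1) + "/"
    # Chained SecRule on TX:EXTENSION with t:urlDecodeUni,t:lowercase
    extension = unquote(extension).lower()
    # "@within %{tx.restricted_extensions}" is a substring test
    if extension in restricted:
        return True, extension, CRITICAL_ANOMALY_SCORE
    return False, extension, 0


def waf_decision(path: str, allow_basenames=()) -> str:
    """Custom Allow rule (hypothetical) is evaluated before the managed rule."""
    if request_basename(path) in allow_basenames:
        return "allow"   # custom rule matched; managed rules are skipped
    _, _, score = rule_920440(path)
    return "block" if score >= INBOUND_ANOMALY_THRESHOLD else "allow"


if __name__ == "__main__":
    for p in ("/WebResource.axd", "/ScriptResource.AXD", "/index.html", "/a.ax"):
        print(p, rule_920440(p), waf_decision(p))
    print(waf_decision("/WebResource.axd", allow_basenames={"WebResource.axd"}))
```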