Confused by Azure WAF behavior with different browsers

Mohsen Akhavan 936 Reputation points
2023-12-20T23:28:57.28+00:00

Hello,

I have an Azure Application Gateway (WAF) with prevention mode enabled, and the OWASP 3 and the Microsoft Bot rules are active.
I checked my web application with Chrome, refreshed, and sent many requests with Chrome. Now I receive 403 Forbidden. I checked the logs, and the reason is:

requestUri_s: /auth/login
requestUri_s: /favicon.ico
Message: SQL Comment Sequence Detected.
ruleId: 942440

But when I open my web application with Edge, it works well. (Same system and same IP)

1. What's the reason?
2. How to fix it?

If I disable this rule, there are risks.
If I trust my IP, I can't check and QA my web app.


Accepted answer
  1. KapilAnanth-MSFT 37,786 Reputation points Microsoft Employee
    2023-12-22T11:41:16.7933333+00:00

    @Mohsen Akhavan

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I see you are using OWASP 3.0 RuleSet with Microsoft BotRule.

    From what I can see, you have to tune your WAF by disabling the rule only. It looks like this rule is prone to false positives.

    See here (from AFD WAF document)


    Should you feel that a rule is blocking legitimate requests (false positives), you can

    1. Disable the Rule : See Tuning of Managed rule sets
    2. or Create Exclusions : https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal
    3. or Create a custom rule : Custom rules for Web Application Firewall

    to overcome this.

    Please refer to the Official OWASP Rule definition,

    REQUEST-942-APPLICATION-ATTACK-SQLI.conf : https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf

    The Microsoft Threat Intelligence Collection rules would cover this with the Rule 99031002.


    Cheers,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
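One way to decide between the tuning options listed in the answer is to check which request element rule 942440 matched and whether the same element trips it across unrelated URIs, as it did on both `/auth/login` and `/favicon.ico` in the question. This is an added example, not code from the answer or from Microsoft. The `details_data_s` field, its "Matched Data ... found within ..." layout, the cookie name and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records. requestUri_s, ruleId and Message are the fields
# quoted in the question; details_data_s and its "Matched Data" layout are
# assumptions, as are the cookie name, argument name and values.
SAMPLE_LOGS = [
    {"requestUri_s": "/auth/login", "ruleId": "942440",
     "Message": "SQL Comment Sequence Detected.",
     "details_data_s": "Matched Data: -- found within REQUEST_COOKIES:session_state: abc--def"},
    {"requestUri_s": "/favicon.ico", "ruleId": "942440",
     "Message": "SQL Comment Sequence Detected.",
     "details_data_s": "Matched Data: -- found within REQUEST_COOKIES:session_state: abc--def"},
    {"requestUri_s": "/search", "ruleId": "942440",
     "Message": "SQL Comment Sequence Detected.",
     "details_data_s": "Matched Data: /* found within ARGS:q: a /* b"},
]

# ModSecurity collection -> Application Gateway WAF exclusion match variable.
EXCLUSION_VARIABLE = {
    "REQUEST_COOKIES": "RequestCookieNames",
    "REQUEST_HEADERS": "RequestHeaderNames",
    "ARGS": "RequestArgNames",
}
MATCH_RE = re.compile(r"found within (?P<coll>[A-Z_]+):(?P<name>[^:\s]+)")

def exclusion_candidates(records, rule_id, min_uris=2):
    """Group hits of one rule by matched element; keep elements that trip
    it on at least min_uris distinct URIs as narrow exclusion candidates."""
    uris = defaultdict(set)
    for rec in records:
        if rec.get("ruleId") != rule_id:
            continue
        m = MATCH_RE.search(rec.get("details_data_s", ""))
        if m and m["coll"] in EXCLUSION_VARIABLE:
            uris[(m["coll"], m["name"])].add(rec["requestUri_s"])
    return [
        {"matchVariable": EXCLUSION_VARIABLE[coll],
         "selectorMatchOperator": "Equals",
         "selector": name,
         "seen_on": sorted(paths)}
        for (coll, name), paths in sorted(uris.items())
        if len(paths) >= min_uris
    ]

if __name__ == "__main__":
    print(exclusion_candidates(SAMPLE_LOGS, "942440"))
```

An element reported here is a candidate for an exclusion scoped to that one name, which keeps the rule active for the rest of the request; a hit seen on a single URI is left out for manual review.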
