Web application firewall CRS rule groups and rules

Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. It does this through rules defined on the basis of the OWASP Core Rule Set (CRS) 3.0 or 2.2.9. These rules can be disabled on a rule-by-rule basis. This article lists the rule groups and rules currently offered.

The following rule groups and rules are available when using Application Gateway with web application firewall.

Rule sets

General

RuleId Description
200004 Possible Multipart Unmatched Boundary.

REQUEST-911-METHOD-ENFORCEMENT

RuleId Description
911100 Method is not allowed by policy

REQUEST-913-SCANNER-DETECTION

RuleId Description
913100 Found User-Agent associated with security scanner
913110 Found request header associated with security scanner
913120 Found request filename/argument associated with security scanner
913101 Found User-Agent associated with scripting/generic HTTP client
913102 Found User-Agent associated with web crawler/bot

REQUEST-920-PROTOCOL-ENFORCEMENT

RuleId Description
920100 Invalid HTTP Request Line
920130 Failed to parse request body.
920140 Multipart request body failed strict validation
920160 Content-Length HTTP header is not numeric.
920170 GET or HEAD Request with Body Content.
920180 POST request missing Content-Length Header.
920190 Range = Invalid Last Byte Value.
920210 Multiple/Conflicting Connection Header Data Found.
920220 URL Encoding Abuse Attack Attempt
920240 URL Encoding Abuse Attack Attempt
920250 UTF8 Encoding Abuse Attack Attempt
920260 Unicode Full/Half Width Abuse Attack Attempt
920270 Invalid character in request (null character)
920280 Request Missing a Host Header
920290 Empty Host Header
920310 Request Has an Empty Accept Header
920311 Request Has an Empty Accept Header
920330 Empty User Agent Header
920340 Request Containing Content but Missing Content-Type header
920350 Host header is a numeric IP address
920380 Too many arguments in request
920360 Argument name too long
920370 Argument value too long
920390 Total arguments size exceeded
920400 Uploaded file size too large
920410 Total uploaded files size too large
920420 Request content type is not allowed by policy
920430 HTTP protocol version is not allowed by policy
920440 URL file extension is restricted by policy
920450 HTTP header is restricted by policy (%{MATCHED_VAR})
920200 Range = Too many fields (6 or more)
920201 Range = Too many fields for pdf request (35 or more)
920230 Multiple URL Encoding Detected
920300 Request Missing an Accept Header
920271 Invalid character in request (non printable characters)
920320 Missing User Agent Header
920272 Invalid character in request (outside of printable chars below ascii 127)
920202 Range = Too many fields for pdf request (6 or more)
920273 Invalid character in request (outside of very strict set)
920274 Invalid character in request headers (outside of very strict set)
920460 Abnormal escape characters

REQUEST-921-PROTOCOL-ATTACK

RuleId Description
921100 HTTP Request Smuggling Attack.
921110 HTTP Request Smuggling Attack
921120 HTTP Response Splitting Attack
921130 HTTP Response Splitting Attack
921140 HTTP Header Injection Attack via headers
921150 HTTP Header Injection Attack via payload (CR/LF detected)
921160 HTTP Header Injection Attack via payload (CR/LF and header-name detected)
921151 HTTP Header Injection Attack via payload (CR/LF detected)
921170 HTTP Parameter Pollution
921180 HTTP Parameter Pollution (%{TX.1})

REQUEST-930-APPLICATION-ATTACK-LFI

RuleId Description
930100 Path Traversal Attack (/../)
930110 Path Traversal Attack (/../)
930120 OS File Access Attempt
930130 Restricted File Access Attempt

REQUEST-931-APPLICATION-ATTACK-RFI

RuleId Description
931100 Possible Remote File Inclusion (RFI) Attack = URL Parameter using IP Address
931110 Possible Remote File Inclusion (RFI) Attack = Common RFI Vulnerable Parameter Name used w/URL Payload
931120 Possible Remote File Inclusion (RFI) Attack = URL Payload Used w/Trailing Question Mark Character (?)
931130 Possible Remote File Inclusion (RFI) Attack = Off-Domain Reference/Link

REQUEST-932-APPLICATION-ATTACK-RCE

RuleId Description
932120 Remote Command Execution = Windows PowerShell Command Found
932130 Remote Command Execution = Unix Shell Expression Found
932140 Remote Command Execution = Windows FOR/IF Command Found
932160 Remote Command Execution = Unix Shell Code Found
932170 Remote Command Execution = Shellshock (CVE-2014-6271)
932171 Remote Command Execution = Shellshock (CVE-2014-6271)

REQUEST-933-APPLICATION-ATTACK-PHP

RuleId Description
933100 PHP Injection Attack = Opening/Closing Tag Found
933110 PHP Injection Attack = PHP Script File Upload Found
933120 PHP Injection Attack = Configuration Directive Found
933130 PHP Injection Attack = Variables Found
933150 PHP Injection Attack = High-Risk PHP Function Name Found
933160 PHP Injection Attack = High-Risk PHP Function Call Found
933180 PHP Injection Attack = Variable Function Call Found
933151 PHP Injection Attack = Medium-Risk PHP Function Name Found
933131 PHP Injection Attack = Variables Found
933161 PHP Injection Attack = Low-Value PHP Function Call Found
933111 PHP Injection Attack = PHP Script File Upload Found

REQUEST-941-APPLICATION-ATTACK-XSS

RuleId Description
941100 XSS Attack Detected via libinjection
941110 XSS Filter - Category 1 = Script Tag Vector
941130 XSS Filter - Category 3 = Attribute Vector
941140 XSS Filter - Category 4 = Javascript URI Vector
941150 XSS Filter - Category 5 = Disallowed HTML Attributes
941180 Node-Validator Blacklist Keywords
941190 XSS using style sheets
941200 XSS using VML frames
941210 XSS using obfuscated Javascript
941220 XSS using obfuscated VB Script
941230 XSS using 'embed' tag
941240 XSS using 'import' or 'implementation' attribute
941260 XSS using 'meta' tag
941270 XSS using 'link' href
941280 XSS using 'base' tag
941290 XSS using 'applet' tag
941300 XSS using 'object' tag
941310 US-ASCII Malformed Encoding XSS Filter - Attack Detected.
941330 IE XSS Filters - Attack Detected.
941340 IE XSS Filters - Attack Detected.
941350 UTF-7 Encoding IE XSS - Attack Detected.
941320 Possible XSS Attack Detected - HTML Tag Handler

REQUEST-942-APPLICATION-ATTACK-SQLI

RuleId Description
942100 SQL Injection Attack Detected via libinjection
942110 SQL Injection Attack: Common Injection Testing Detected
942130 SQL Injection Attack: SQL Tautology Detected.
942140 SQL Injection Attack = Common DB Names Detected
942160 Detects blind sqli tests using sleep() or benchmark().
942170 Detects SQL benchmark and sleep injection attempts including conditional queries
942190 Detects MSSQL code execution and information gathering attempts
942200 Detects MySQL comment-/space-obfuscated injections and backtick termination
942230 Detects conditional SQL injection attempts
942260 Detects basic SQL authentication bypass attempts 2/3
942270 Looking for basic sql injection. Common attack string for mysql oracle and others.
942290 Finds basic MongoDB SQL injection attempts
942300 Detects MySQL comments, conditions and ch(a)r injections
942310 Detects chained SQL injection attempts 2/2
942320 Detects MySQL and PostgreSQL stored procedure/function injections
942330 Detects classic SQL injection probings 1/2
942340 Detects basic SQL authentication bypass attempts 3/3
942350 Detects MySQL UDF injection and other data/structure manipulation attempts
942360 Detects concatenated basic SQL injection and SQLLFI attempts
942370 Detects classic SQL injection probings 2/2
942150 SQL Injection Attack
942410 SQL Injection Attack
942430 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440 SQL Comment Sequence Detected.
942450 SQL Hex Encoding Identified
942251 Detects HAVING injections
942460 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION

RuleId Description
943100 Possible Session Fixation Attack = Setting Cookie Values in HTML
943110 Possible Session Fixation Attack = SessionID Parameter Name with Off-Domain Referrer
943120 Possible Session Fixation Attack = SessionID Parameter Name with No Referrer

Next steps

Learn how to disable WAF rules: Customize WAF rules