Azure WAF "rule 934100" is blocking ad code on Azure VM / WordPress, I do not have WAF installed, how to fix?

Kip Kniskern 30 Reputation points
2023-09-28T14:05:12.3033333+00:00

I have a single Azure VM running Ubuntu 22.04 set up to run my WordPress website. Nginx, MySQL, PHP are all self contained on the server.

Recently I tried to update a WordPress hook (via GeneratePress) including some ad code containing "function () {..." - Although I was able to create the Element (hook) some time ago with no issues, now I am unable to update it, the page flashes white and I'm shown a "rule 934100 - reason Node.js Injection Attack Matched Data: function () { found within args ...." error. This is a WAF error https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21

But I do not have WAF or any firewall installed on the service. This error was not present previously, as I was able to create the element with no issues. Now however I can't.

Is this coming from the Microsoft Defender for Cloud? How can I remove this rule or whatever is preventing me from updating my site?

Azure Web Application Firewall
Accepted answer
  1. GitaraniSharma-MSFT 49,591 Reputation points Microsoft Employee
    2023-10-04T14:20:53.1366667+00:00

    Hello @Kip Kniskern ,

    I understand you've a single Azure VM running Ubuntu 22.04 set up to run your WordPress website and when you try to update a WordPress hook including some ad code, you were getting the following error: "rule 934100 - reason Node.js Injection Attack Matched Data: function () { found within args ....".

    I've seen such issues in the past when the Azure VM is behind an Application gateway.

    Refer: https://video2.skills-academy.com/en-us/answers/questions/1145320/wordpress-save-actions-blocked-in-azure-waf

    However, you mentioned that you are not using an Application Gateway or Front Door or Azure WAF.

    But you run your site through Cloudflare, where you have a WAF enabled.

    Azure WAF is based on OWASP rulesets (open source). If you look at the OWASP ruleset, you will find this rule 934100.

    Refer: https://github.com/coreruleset/coreruleset/blob/v4.0/dev/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf#L46

    I did a bit of research and found that Cloudflare also uses OWASP rulesets. And I also found some issues where Cloudflare blocks some requests on WordPress. So, I advised you to check your Cloudflare WAF settings.

    You checked your Cloudflare settings and confirmed that you've the Managed Rules OWASP Ruleset turned off and you also checked the server (Ubuntu 22.04) where the firewall is inactive and there's no modsecurity installed.

    You found a post regarding Defender for APIs which comes along Microsoft Defender for Cloud and you wanted to know if that is somehow causing issues as Microsoft Defender for Cloud is partially enabled for your subscription and is enabled for the VM.

    I read through the Microsoft Defender for APIs documentation and found that Defender for APIs discovers and analyzes REST APIs and shouldn't have any impact on your virtual machines.

    Later, you confirmed that you found the issue. It was neither Cloudflare nor Azure. You have WordPress Jetpack installed, and they recently introduced a new feature, a Web Application Firewall. When they introduced it, you enabled it, and this was causing issues. When you turned off the radio button enabling the Jetpack WAF, everything started working again.

    Thank you for sharing the resolution.

    Kindly let us know if you need further assistance on this issue.

    Please don’t forget to close the thread by clicking "Accept the answer", as this can be beneficial to other community members.

    2 people found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Kip Kniskern 30 Reputation points
    2023-10-04T12:52:17.9866667+00:00

    Thank you. I figured this out, and it was neither Cloudflare or Azure. We have WordPress Jetpack installed, and they recently (a month ago?) introduced a new feature, a Web Application Firewall. When they introduced it, I turned it on, thinking "can't hurt, right?" Anyway, after going through support ticket exchanges with both Azure and Cloudflare, I started digging into other possible culprits (we have no security plugins installed, WordFence etc), and there it was. I turned off the radio button enabling the Jetpack WAF, and everything immediately worked again.

    Thank you for your time on this, my apologies for having to chase this down. Hopefully the info will help someone in the future, at least.

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.