「A potentially dangerous Request.Form value was detected from the client」

真川崎 196

I am building a web server in Azure with a configuration of CDN - WAF - WebApps.

This is a .Net Framework web application.

Because requestValidationMode="4.0"

"A potentially dangerous Request.Form value was detected from the client"

This error blocks invalid Form data.

I have no problem with you blocking me,

I would like to block it with Firewall before it reaches WebApps.

The reason is to reduce the load by not having the server process unnecessary requests.

Application Gateway WAF policy custom rules

"A potentially dangerous Request.Form value was detected from the client"

Is it possible to set a block similar to the blocking condition?

KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-10-18T06:55:35.0033333+00:00
@真川崎

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

May I ask where did you see/log the error "A potentially dangerous Request.Form value was detected from the client" ?

Was it from Web Apps?

Or from WAF?

AFAIK WAF for CDN is only provided at a limited preview

Can you please confirm if you are using AFD or CDN and what is the SKU?

Also, I see you have mentioned "Application gateway"

Can you please share your complete network architecture diagram?

Cheers,

Kapil
真川崎 196 Reputation points

2023-10-18T23:50:11.26+00:00

Mr. Kapil

thank you.

Was it from Web Apps?

Or from WAF?

It is recorded in the application log output to Web Apps.

I'm using a CDN. AFD is not used.

The configuration is CDN (Microsoft CDN [Classic]) → Application Gateway (Waf_v2) & WAF Policy → WebApps.

I think it would be good if it could be blocked using a custom rule in WAF Policy, since it would be possible to block it without it reaching WebApps.
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-10-19T06:53:01.2866667+00:00
@真川崎

Thanks for letting us know.

I see that you would like to leverage Application Gateway WAF to block this request.

Can you please share the platform error log from the App Service as a screenshot?

Or was this log generated inside your application

Can you confirm if the WAF is in "Prevention" mode and not in "Detection" mode.

Once WAF is enabled,

The default Managed rules should block malicious requests.

Refer : https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21

In case it is not, then you should make use of Custom rules.

You should tailor the Custom Rule according to your application.

Cheers,

Kapil

真川崎 196

Can you please share the platform error log from the App Service as a screenshot?

The log is below.This log generated inside application.

This is an application using .Net. Some class names are masked for security.

Exception: System.Web.HttpRequestValidationException
Message: A potentially dangerous Request.Form value was detected from the client (guideState=\"...fillXml\":\"<afData>\\u0041\\u0042...\").
Source: System.Web
   at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateHttpValueCollection(HttpValueCollection collection, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.get_Form()
   at XXX.Support.Pipelines.PreprocessRequest.RequestBodyFilter.Process(PreprocessRequestArgs args)
   at (Object , Object )
   at XXX.Pipelines.CorePipeline.Run(PipelineArgs args)
   at XXX.Pipelines.DefaultCorePipelineManager.Run(String pipelineName, PipelineArgs args, String pipelineDomain, Boolean failIfNotExists)
   at XXX.Pipelines.DefaultCorePipelineManager.Run(String pipelineName, PipelineArgs args, String pipelineDomain)
   at XXX.Web.RequestEventsHandler.OnBeginRequest(HttpContextBase context)
   at XXX.Nexus.Web.HttpModule.HttpApplication_BeginRequest(Object sender, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)"}

WAF is in prevention mode.

The rule set is OWASP 3.0.

KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-10-20T04:08:10.58+00:00
@真川崎

If the log is generated inside application, then we cannot be sure if it is a platform vulnerability or the application logic/language/implementation vulnerability.

Here is a list of Managed Rules for OWASP 3.0 : https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21#owasp-crs-30

If the WAF is in prevention mode and no rule is triggered, then you must use Custom Rules

Again, you must tune your WAF according to your application/use case/requirement
i.e., please check the application as to why this error is generated and tailor the Custom Rules to block such requests.

Refer : Tune your WAF

Should you require further help in investigating why the error is triggered in your application and how to prevent it from Platform, I would suggest you file a support ticket where a support engineer can have a specialized 1:1 session to pinpoint the issue.

In case you need a one-time free technical support, please do let us know, we will try and help you get a one-time free technical support.

Cheers,

Kapil
真川崎 196 Reputation points

2023-10-20T04:32:01.7833333+00:00

Mr. Kapil

thank you.

i.e., please check the application as to why this error is generated and tailor the Custom Rules to block such requests.

「A potentially dangerous Request.Form value was detected from」

I understand that this error is thrown when the From data of the request contains a string that is determined to be invalid, such as "<".

Therefore, I would like a sample of a custom rule that evaluates the From data of a request.

Do you have any tips?
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-10-20T04:57:40.65+00:00
@真川崎

You should consider "Match variable"

And within it, you can use "RequestBody"

And set the "Operator" as "Contains" and specify the string value which you would like to block.

And set "Action" as Block or Log

Cheers,

Kapil
真川崎 196 Reputation points

2023-10-20T05:22:14.1066667+00:00

I wrote the same comment so I'll delete it
真川崎 196 Reputation points

2023-10-20T05:24:31.22+00:00

Mr. Kapil

thank you.

Judgment conditions for custom rules

"A potentially dangerous Request.Form value was detected from"

I would like to match the conditions checked in as much as possible.

Do you know under what conditions the judgment is made?

For example, if it contains "<", it is blocked, but I would like to know if there are any other characters or conditions that are checked.

And within it, you can use "RequestBody"

There is also an item called PostArgs in Match variable, but is this not available?
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-10-23T05:47:51.7666667+00:00

@真川崎

Since the application (and not platform) is blocking the request, I am afraid I am not aware of the exact conditions used by the application to block the request.

Should you require a detailed analysis, I think we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue.

If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

Cheers,

Kapil
真川崎 196 Reputation points

2023-10-23T08:00:11.3266667+00:00

Mr. Kapil

thank you.got it.
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-10-23T08:18:40.92+00:00

@真川崎

You are most welcome.

I have summarized my comments and posted it as a new answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-10-25T05:17:11.9266667+00:00

@真川崎

Just checking in to see if you got a chance to "Accept the answer" and close this thread.

This might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil

Accepted answer

KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-10-23T08:18:01.36+00:00
@真川崎

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

You were loggin the error "A potentially dangerous Request.Form value was detected from the client" within your application.

And you would like to know the best practices for mitigating this.

Since the logs are from the application, the Platform does not much visibility onto it.

The Manged Rules should detect the issue if this can be remediated via Platform.

Here is a list of Managed Rules for OWASP 3.0 : https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21#owasp-crs-30

If the WAF is in Detetcion mode, I suggested you to enable prevention mode.

In case the WAF is in prevention mode and no rule is triggered, then you must use Custom Rules

You must tune your WAF according to your application/use case/requirement
i.e., please check the application as to why this error is generated and tailor the Custom Rules to block such requests.

Refer : Tune your WAF

One such example is,

You can consider "Match variable"

And within it, you can use "RequestBody"

And set the "Operator" as "Contains" and specify the string value which you would like to block.

And set "Action" as Block or Log

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

「A potentially dangerous Request.Form value was detected from the client」

0 additional answers

Your answer