Azure WAF Sensitive data scrubbing and InitialBodyContents match

Smock 0

We have requests that have application/x-www-form-urlencoded body contents which trigger false positives for the WAF rule "URL Encoding Abuse Attack Attempt" matching on the variable InitialBodyContents .
Annoyingly part of the match contains sensitive data that we do not want logged.

It seems you cannot add exclusions on InitialBodyContents, also it seems the "Senstive Data" WAF feature also cannot use InitialBodyContents as one of its variables to scrub.

The only options seems to be to disable the rule entirely - is there some way to scrub InitialBodyContents so sensitive data is not logged?

TBH this particular rule seems a bit over-zealous and I can just turn it off, but it also concerns me that this could happen with other rules and there doesn't seem to be a way to scrub information if the matched value is InitialBodyContents.

KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2024-06-17T16:56:18.9266667+00:00
@Smock ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

It seems like you are hitting the same issue mentioned here.

With respect to WAF sensitive data (preview)

If I am not wrong, "InitialBodyContents" should come under "Request Post Arg Names"

Can you try using the logic and check if the data gets removed?

Unfortunately, I cannot do a lab repo as I cannot replicate the request.

I shall also check internally if there was any change wrt AFD WAF Exclusions to support "InitialBodyContents"

Cheers,

Kapil
KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2024-06-18T14:22:54.6066667+00:00

@Smock ,

Did you get a chance to check my last comment?

I would appreciate if you could share the exact log message as seen in WAF Logs you see so I can understand what variable exactly is matching.

Cheers,

Kapil

Share via

Azure WAF Sensitive data scrubbing and InitialBodyContents match