Frontdoor WAF positives unclear

Owin Gruters - iO 46

I see out WAF firing on a simple text and I can’t figure out why the rules are triggering (see attached txt)

These are all very normal texts, without anything fishy. The only weird thing is that they seem incomplete sentences. But I see nothing that should trigger the rule.

Can you clarify?

ChaitanyaNaykodi-MSFT 25,841 Reputation points Microsoft Employee

2024-08-08T16:35:59.27+00:00

@Owin Gruters - iO

Thank you for reaching out.

Looks like the Txt attachment did not come through, can you try adding the attachment again?

If you are facing some issue adding the attachment, a screenshot of the content will help as well.

The recommended process to handle false positive is to set-up diagnostic logging and check the WAF logs for which rule triggered the block and what was the message. Depending on the information above you can apply an exclusion as documented here.

Thanks
Owin Gruters - iO 46 Reputation points

2024-08-12T10:12:54.43+00:00

query_data.txt

I think I forgot to press Add File. Can you see it now? @ChaitanyaNaykodi-MSFT

1 answer

ChaitanyaNaykodi-MSFT 25,841 Reputation points Microsoft Employee

2024-08-12T17:32:22.3133333+00:00

@Owin Gruters - iO

Thank you for getting back and I was able to view the txt file.

Based on the logs from the txt file the request is getting blocked due to the content present in JSON field values.uwReactie which triggered multiple rules (Rule 942410 & 99031001 detected SQL injection attack and Rule 941310 detected a Malformed Encoding XSS Filter)

This is how the rules are set-up in OWASP (example of 942410)

Getting false positive is pretty common when you enable Web Application Firewall and this is the approach recommended to prevent any legitimate traffic from being blocked.

The best approach here will be to apply an exclusion rule so that the content of the JSON field values.uwReactie is not evaluated by the WAF.

You can refer this example on how you can apply exclusion for JSON request bodies.

Create an exclusion with a match variable of Request body JSON args name, an operator of Contains, and a selector of values.uwReactie.

You can refer to my answer here on implementing this exclusion

Hope this helps! Please let me know if you have any additional questions. Thanks!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Owin Gruters - iO 46 Reputation points

2024-08-15T06:37:11.2133333+00:00

I understand that those rules were triggered for that JSON field, thats what the log states :)

My question is Why! In my view, there is nothing in the value of the field that should trigger either an SQL injection or a Malformed Encoding XSS Filter. It's a perfectly legit text.

I do not want to make an exclusion for this, because thare also might be true positives and I do not want to make the WAF weaker for no reason.

Regards

ChaitanyaNaykodi-MSFT 25,841 Reputation points Microsoft Employee

2024-08-15T17:04:24.8533333+00:00

@Owin Gruters - iO

The OWASP rule uses a regex pattern to match a rule. For Rule 942410 the regex pattern is used to detect any characters which can be used in SQL injection attack.

Although the text you are sending in the request is legit, but it can accidentally contain characters used for SQL injection attack which triggers the rule.

If you do not wish to apply an exclusion rule, the solution here is to stop sending such characters which triggered the rules. For most of the customers this is not possible hence we suggest applying an exclusion which is the next best thing.

Also, for an example, suppose if you are not using any SQL in your backend then disabling SQL attack rules is more beneficial as you will be not vulnerable to any SQL injection attacks.

Hope this helps!

Owin Gruters - iO 46 Reputation points

2024-09-02T09:39:03.8666667+00:00

Hi ChaitanyaNaykodi-MSFT, can you check the file I included and show me the characters that would trigger such rules. My whole point is that there are no such characters. Thus I do not see why these rules are firing in the first place.

Please check the link I sent with the positives (https://learn-attachment.microsoft.com/api/attachments/f54c1cba-7d60-41f1-a9aa-a68bbd8b0dc0?platform=QnA)
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Frontdoor WAF positives unclear

1 answer

Your answer