Does Front Door WAF Exclusions work with POST body arguments?

Praemon 131 Reputation points
2020-07-26T09:39:25.24+00:00

I'm trying to exclude a body post argument from triggering a default set rule - https://video2.skills-academy.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion

In the form, the input name is "content". I've set up an exclusion for the rule that's being triggered using a match on the "Request body post args name" = "content". However, it doesn't work at all, and continues to get blocked.

The firewall log shows the following "details match":

details_matches_s
[ { "matchVariableName": "InitialBodyContents", "matchVariableValue": "../" } ]

It seems like it's matching on the full body being posted, but not taking into account that it's from a form and has a variable name. Is there no way to actually match the variable name so it can be excluded? What is the purpose of exclusions if it doesn't use the variable name on the form to match?


3 answers

  1. GitaraniSharma-MSFT 49,256 Reputation points Microsoft Employee
    2020-07-31T08:47:28.48+00:00

    Hello @Praemon ,

    Please find the update from the Frontdoor backend team below:

    We do not support exclusion for this match variable (InitialBodyContents). The mitigation option the customer has is to turn off the rule.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.


  2. GitaraniSharma-MSFT 49,256 Reputation points Microsoft Employee
    2020-08-10T13:17:49.727+00:00

    Hello @Praemon ,

    Below is the example of a post arg name that is supported in WAF exclusion, provided by the backend team:

    If a customer sends a request like this:

    POST /test HTTP/1.1  
    Host: foo.com  
    Content-Type: application/x-www-form-urlencoded  

    field1=%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E&field2=value2

    And they have set up an exclusion on field1, then any JavaScript injection rules the customer has set up on POST args won't fire (i.e. the request will succeed if they have an exclusion on field1).

    However, if we have another rule for detecting javascript injection anywhere in the request body, that rule will fire. The only way currently to stop a rule that checks the whole request body from firing is to disable it.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

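A simplified model of the two rule scopes described in the answer above, added here as an illustration; it is not Microsoft's code and not how Front Door is implemented. The patterns, the `PostArg:` label and the second sample body are assumptions constructed for the example; the first body is the one from the answer.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Stand-in patterns for this model; the managed rule set's real expressions differ.
PATTERNS = [re.compile(r"<script", re.I), re.compile(r"\.\./")]


def scan(variable_name, text):
    """Return one log-style record per pattern that matches text."""
    hits = (p.search(text) for p in PATTERNS)
    return [{"matchVariableName": variable_name, "matchVariableValue": m.group(0)}
            for m in hits if m]


def evaluate(raw_body, excluded_post_args=()):
    """Model a WAF that has both per-argument rules and whole-body rules."""
    records = []
    # Scope 1: rules that inspect each decoded form field by name.
    # An exclusion on the field name removes that field from this loop.
    for name, value in parse_qsl(raw_body, keep_blank_values=True):
        if name in excluded_post_args:
            continue
        # "PostArg:" is a label made up for this model.
        records += scan(f"PostArg:{name}", value)
    # Scope 2: rules that inspect the undivided body. There is no field name
    # at this level, so a name-based exclusion has nothing to apply to.
    records += scan("InitialBodyContents", unquote_plus(raw_body))
    return records


# Body taken from the answer above.
PAGE_BODY = "field1=%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E&field2=value2"
# Constructed sample: a "content" field holding a relative path.
FORM_BODY = "content=see+..%2Fimages%2Flogo.png"

if __name__ == "__main__":
    for body, excluded in [(PAGE_BODY, ()), (PAGE_BODY, ("field1",)),
                           (FORM_BODY, ("content",))]:
        print(excluded, evaluate(body, excluded))
```

With the exclusion in place the per-argument record disappears, but the `InitialBodyContents` record remains, which is the pattern seen in the firewall log in the question.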

  3. Ruth, Jason 1 Reputation point
    2020-12-15T18:26:14.497+00:00

    As an alternative, can you support a more recent version of the OWASP ModSecurity rules? Starting with 3.2, they have improved this rule to be smarter, and we believe it will solve our problem.

    https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf

    If this is a possibility, is there a release date?
