Azure FrontDoor WAF does not filter PUT requests

Maksym Kharchenko2 46 Reputation points
2021-12-22T12:54:33.897+00:00

Hello, I'm trying to use Azure FrontDoor WAF with some web applications, but I noticed that default WAF rules do not filter PUT requests.

I have tried putting some common XSS and SQL injection code into PUT requests, but the WAF does not block anything by default. For GET and POST requests, the WAF rules work fine.

In Azure FrontDoor WAF I have the following managed rule set included: Microsoft_DefaultRuleSet_1.1, with all rules in the enabled state with action block. I have also tried using FrontDoor Premium with Microsoft_DefaultRuleSet_2.0, but the result is the same: PUT requests were not filtered.

The same PUT requests were filtered and blocked while using the Azure Application Gateway with OWASP 3.0 ruleset.

Is this normal behavior for Azure FrontDoor WAF? Is there any way to filter PUT requests using WAF on FrontDoor without writing custom rules?
