Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,063 questions
Application gateway WAF - blocking url parameters
Werner Weiss
1
Reputation point
Hello,
I have a Windows server with few running REST services on it.
URLs:
Example 1: https://service.company.com/api/MyService/Login/?user='tom'&pass='123456'
Example 2: https://service.company.com/api/MyService/Login/?user=tom&pass=123456
Example 1 is NOT WORKING -> Blocked -> REQUEST-949-BLOCKING-EVALUATION
Example 2 is WORKING FINE.
But I can only generate example 1 code - so I need somehow to allow the character ' before and after the text parameter values?
Is this somehow possible?
One solution is the exclude the attribute (parameter name) from checking -> e.g. "user" and "pass". But I have other REST calls with same text prefix and postfix.
I hope someone can help me.
Greetings,
/Werner
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee2022-01-07T05:26:21.987+00:00 Hello @Werner Weiss , As per this example in the documentation. Can you try and set up a similar exclusion rule but with the parameter
Equals? as this will help ignore other REST Calls which have "user" and "pass" as prefix and postfix. Please let us know if this solution does not work for you, we will gladly continue with our discussion. Thank you! -
Werner Weiss 1 Reputation point
2022-01-08T08:49:43.523+00:00 Hello,
the solution you provided is not working.
I tried another way - used exclusion rule:Request attribute name - Equals any - *When I wanted to save it - I always got always and error (after long waiting for completing).
But I think this is the right rule for my needs.My other settings:
- Tier: WAF V2
- Firewall status: Enabled
- Firewall mode: Prevention
/Werner
-
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
2022-01-10T20:31:43.227+00:00 Hello @Werner Weiss , Could you please share the error received while saving the exclusion rule?
-
Werner Weiss 1 Reputation point
2022-01-11T09:54:47.487+00:00 Hello,
error is after 30min waiting:
Failed to save application gateway changes
Failed to save configuration changes to application gateway 'xxxxxxx'. Error: An error occurred. -
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
2022-01-12T13:27:06.187+00:00 Hello @Werner Weiss , To troubleshoot the exact issue I think we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details.
Subject : Attn Chaitanya
Thread URL: Link to this thread.
Subscription IDPlease let me know once you have done the same.
Sign in to comment
Sign in to answer