Forum Discussion
Azure WAF - Resources for understanding policies
I am looking for some guidance around setting up the WAF including suitable exclusions. The issue I am running into is the documentation does not identify why something was triggered. For example, I know the http header Referrer contains something that is triggering XSS. I believe it is because in the url there are the two characters "on" in the endpoint "https://mysite.com/onecode?para1=test¶2=fred", but I am just making an educated guess.
I would then think I would create an exclusion to say do not trigger if the url contains "onecode". That is not really good enough though as what if the url contains onecode and another occurrence of "on" that should trigger XSS (for example in one of the parameters).
I would think everyone would have this issue so I am surprised I did not find anything in docs or Architecture Centre.
2 Replies
davidfrazeeMicrosoft
Hello Jeffrey, here are some resources that provide excellent guidance on how to understand WAF actions and logs for both Azure Application Gateway and Azure Front Door. The OWASP signature IDs use a set of regex pattern matching. For a particular rule ID, you can look through the glossary and see what the parameter combination the regex is looking for. For example, SQLi rule 942120 looks for a combination of is+not in a string. This regex looks for it as you can see in line 538 here
SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\b(?:r(?:egexp|like)|isnull|xor)\b|<(?:>(?:\s+binary)?|=>?|<)|r(?:egexp|like)\s+binary|not\s+between\s+0\s+and|(?:like|is)\s+null|>[=>]|\|\||!=|&&))" \
By enabling Diagnostic settings on the Application Gateway and Front Door resources, we're able to send WAF specific logs to a log analytics workspace that allows you to consume and identify why certain requests have been blocked due to specific regex patterns identified.
OWASP:
owasp-modsecurity-crs/rules at v3.1/dev · SpiderLabs/owasp-modsecurity-crs (github.com)
Application Gateway:CRS rule groups and rules - Azure Web Application Firewall | Microsoft Docs
Monitoring metrics for Azure Application Gateway Web Application Firewall metrics | Microsoft Docs
Troubleshoot - Azure Web Application Firewall | Microsoft Docs
Front Door:Azure Web Application Firewall on Azure Front Door DRS rule groups and rules | Microsoft Docs
Azure Web Application Firewall monitoring and logging | Microsoft Docs
- I have been sent this: https://github.com/libinjection/libinjection/blob/49904c42a6e68dc8f16c022c693e897e4010a06c/src/libinjection_xss.c
This is the start of answering my question, but I am hoping to find a better resource for understanding what is triggering the rules.
