Should data that may contain OWASP triggers be base64 encoded?

New Contributor

I have an Application Gateway with a WAF that is blocking simple passwords that contain a ^

 

What is the best-practice for allowing special characters in a password field so the WAF does not see this as a potential SQL injection attack?

 

I am considering a base64 encoding but am looking to verify this is the correct route to take.

2 Replies

@RexBloom  we had same experience and we fixed it.

There are two quick option to fix it:

  1. Encrypt request body to base64,  
  2. Create an Exclusion rules

For us point #1 was the best solution.

 

Did you encrypt the whole body or only the password field?