Should data that may contain OWASP triggers be base64 encoded?


I have an Application Gateway with a WAF that is blocking simple passwords that contain a ^

 

What is the best-practice for allowing special characters in a password field so the WAF does not see this as a potential SQL injection attack?

 

I am considering a base64 encoding but am looking to verify this is the correct route to take.

2 Replies

@RexBloom we had the same experience and we fixed it.

There are two quick options to fix it:

  1. Encrypt the request body to base64,
  2. Create an exclusion rule

For us point #1 was the best solution.
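The second option from the reply above, written out as an added example (not from the original thread or from Microsoft's documentation): a WAF policy whose exclusion skips only the value of the form/JSON field named `password`, and only for the OWASP CRS SQL-injection rule group, so every other field and every other rule group stays inspected. Base64-encoding the whole request body instead removes the gateway's view of all fields, which means the WAF no longer inspects anything the application receives, including a real injection in a `username` or search parameter. The policy name, location, the CRS version `3.2` and the field name `password` are assumptions for illustration; adjust them to the deployment in question.

```bicep
// Added example, not the original poster's configuration.
// Field-scoped WAF exclusion for an Azure Application Gateway WAF policy.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'appgw-waf-policy'          // assumed name
  location: resourceGroup().location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: true          // keep body inspection on for every other field
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'       // assumed CRS version
        }
      ]
      exclusions: [
        {
          // RequestArgNames selects arguments by key and excludes their VALUE,
          // so only the content of the "password" field is skipped.
          matchVariable: 'RequestArgNames'
          selectorMatchOperator: 'Equals'
          selector: 'password'        // assumed field name
          // Limit the exclusion to the SQLi rule group; XSS, RCE and other
          // groups still evaluate this field. Omitting "rules" excludes the whole group.
          exclusionManagedRuleSets: [
            {
              ruleSetType: 'OWASP'
              ruleSetVersion: '3.2'
              ruleGroups: [
                {
                  ruleGroupName: 'REQUEST-942-APPLICATION-ATTACK-SQLI'
                }
              ]
            }
          ]
        }
      ]
    }
  }
}
```

Before relying on this, confirm that the exclusion works with the request shape the login form actually sends (URL-encoded form versus JSON body) by posting a test password containing `^` and `'` through the gateway and checking the WAF log for the rule IDs that previously fired; if the exclusion is too broad, tighten it with the `rules` list inside `ruleGroups` to the specific 942xxx rule IDs seen in the log.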

 

Did you encrypt the whole body or only the password field?