Azure WAF - Resources for understanding policies


I am looking for some guidance around setting up the WAF including suitable exclusions. The issue I am running into is the documentation does not identify why something was triggered. For example, I know the http header Referrer contains something that is triggering XSS. I believe it is because in the url there are the two characters "on" in the endpoint "https://mysite.com/onecode?para1=test&para2=fred", but I am just making an educated guess.


I would then think I would create an exclusion to say do not trigger if the url contains "onecode". That is not really good enough though as what if the url contains onecode and another occurrence of "on" that should trigger XSS (for example in one of the parameters).


I would think everyone would have this issue so I am surprised I did not find anything in docs or Architecture Centre.

2 Replies
I have been sent this: https://github.com/libinjection/libinjection/blob/49904c42a6e68dc8f16c022c693e897e4010a06c/src/libin...

This is the start of answering my question, but I am hoping to find a better resource for understanding what is triggering the rules.

@Jeffrey Chilberto 

Hello Jeffrey, here are some resources that provide excellent guidance on how to understand WAF actions and logs for both Azure Application Gateway and Azure Front Door. The OWASP signature IDs use a set of regex pattern matching. For a particular rule ID, you can look through the glossary and see what parameter combination the regex is looking for. For example, SQLi rule 942120 looks for a combination of is+not in a string. This regex looks for it, as you can see in line 538 here:


SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\b(?:r(?:egexp|like)|isnull|xor)\b|<(?:>(?:\s+binary)?|=>?|<)|r(?:egexp|like)\s+binary|not\s+between\s+0\s+and|(?:like|is)\s+null|>[=>]|\|\||!=|&&))" \


By enabling Diagnostic settings on the Application Gateway and Front Door resources, we're able to send WAF-specific logs to a Log Analytics workspace, which allows you to consume them and identify why certain requests have been blocked due to the specific regex patterns identified.


OWASP:

owasp-modsecurity-crs/rules at v3.1/dev · SpiderLabs/owasp-modsecurity-crs (github.com)
Application Gateway:

CRS rule groups and rules - Azure Web Application Firewall | Microsoft Docs
Monitoring metrics for Azure Application Gateway Web Application Firewall metrics | Microsoft Docs
Troubleshoot - Azure Web Application Firewall | Microsoft Docs
Front Door:

Azure Web Application Firewall on Azure Front Door DRS rule groups and rules | Microsoft Docs

Azure Web Application Firewall monitoring and logging | Microsoft Docs
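The two points in the reply above (a CRS rule is just a regex applied to named request targets, and the diagnostics log tells you which rule fired on which data) can be checked offline. The following Python script is an added example and is not code from the thread, from Microsoft, or from the CRS project. It compiles the 942120 regex exactly as quoted above, emulates the rule's ARGS_NAMES and ARGS targets for a GET URL, and reports the exact fragment that matched; it then does the same over a constructed firewall-log record. Assumptions, labelled in the comments: only URL decoding of the CRS transformation pipeline is modelled, the `RULES` table is a hypothetical lookup populated with just the one rule on this page, and the sample URLs and the log record (its `ruleId` and `details.data` fields) are constructed, not real Azure output.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The @rx argument of CRS rule 942120 exactly as quoted in the reply above.
# Python's re supports the (?i:...) scoped flag and the \b, \W, \s and \d
# classes used here, so the pattern compiles verbatim.
RULE_942120 = re.compile(
    r'(?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\b(?:r(?:egexp|like)|isnull|xor)\b'
    r'|<(?:>(?:\s+binary)?|=>?|<)|r(?:egexp|like)\s+binary|not\s+between\s+0\s+and'
    r'|(?:like|is)\s+null|>[=>]|\|\||!=|&&))'
)

# Hypothetical lookup table: rule ID -> compiled regex. Only the rule quoted on
# this page is filled in; a real deployment would load the CRS files instead.
RULES = {"942120": RULE_942120}


def rule_targets(url):
    """Build the ARGS_NAMES and ARGS targets the SecRule inspects for a GET URL.

    parse_qsl URL-decodes every name and value, which stands in for the CRS
    transformation pipeline (assumption: only URL decoding is modelled here).
    """
    targets = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        targets["ARGS_NAMES:" + name] = name
        targets["ARGS:" + name] = value
    return targets


def evaluate_rule(rule_id, url):
    """Return [(target, matched_fragment)] for every target the rule regex hits.

    An empty list means this rule would not fire on that URL, which is the
    kind of question the original post asks about its /onecode endpoint.
    """
    pattern = RULES[rule_id]
    hits = []
    for target, text in rule_targets(url).items():
        m = pattern.search(text)
        if m:
            hits.append((target, m.group(0)))
    return hits


def explain_log_record(record):
    """Re-run the rule regex over the data a firewall log record reports.

    `record` is a constructed dict shaped like the properties block of an
    Application Gateway firewall diagnostics entry (assumption: 'ruleId' holds
    the rule and details['data'] holds the inspected value). Returns the exact
    fragment the regex matched, or None when the rule is unknown or does not hit.
    """
    pattern = RULES.get(record["ruleId"])
    if pattern is None:
        return None
    m = pattern.search(record["details"]["data"])
    return m.group(0) if m else None


if __name__ == "__main__":
    # Constructed sample URLs: the one from the question, then three that do hit 942120.
    samples = [
        "https://mysite.com/onecode?para1=test&para2=fred",
        "https://mysite.com/onecode?para1=1%20is%20null&para2=fred",
        "https://mysite.com/onecode?q=x%20in%20(1,2)",
        "https://mysite.com/onecode?q=a%20%7C%7C%20b",
    ]
    for url in samples:
        print(url, "->", evaluate_rule("942120", url) or "no match")

    # Constructed log record, not real Azure output.
    record = {
        "ruleId": "942120",
        "details": {"data": "Matched Data: is null found within ARGS:para1: 1 is null"},
    }
    print("log record matched on:", explain_log_record(record))
```

Running it shows that the URL from the question produces no hit for 942120 at all, while `para1=1 is null` is matched only on the `ARGS:para1` target and only on the fragment `is null`. That is the granularity an exclusion should be written at: a match-variable exclusion on the specific argument name, rather than an exclusion keyed on the path containing "onecode", so the rule keeps inspecting the other parameters of the same request.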