AutoComplete triggers false positive WAF rules on Azure Front Door service

Hi leviatekllc,

We are validating the requirement. We will update the further details in two business days (5^th May 2022).

Regards,

Udhaya Kumar D

Thanks - additional info on the 2 Front Door WAF rules it triggers that I've had to disable temporarily:

• Rule ID 942200 - Detects MySQL comment-/space-obfuscated injections and backtrick termination
• Rule ID 942370 - Detects classic SQL injection probings 2/3

Hi leviatekllc,

Sorry for the inconvenience caused.

we are trying to make sample with Azure front door service to reproduce the issue, will update details in 3 business days (12^th,may 2022).

Thanks,

Deepak R

Thanks for the constant feedback - If you need any details on the setup of my configuration let me know.

Hi Vinitha -

So the Project is a Blazor Hosted WASM model, with the Server Project configured as an OData API. The Autocomplete Fields are in the Client Project razor pages based on the examples in your documentation:

Azure Hosting Model:
Solution is deployed to Azure App Service (site.azurewebsites.net) and then secured/balanced behind Azure Front Door Premium using Origin Groups with a custom domain:



When WAF is put in prevention mode, the following two default managed rules are triggered when starting to type in the AutoComplete field - Block on Anomaly is the Default Action configured:

• Rule ID 942200 - Detects MySQL comment-/space-obfuscated injections and backtrick termination
• Rule ID 942370 - Detects classic SQL injection probings 2/3

Right now, the only fix is to disable these rules/set to log only, but seeing as they are for SQL injection that should not be the case.

When typing in the field, the console debugger in the browser shows 403 Errors:

Thank you for the reference articles - I was able to get more details in the Diagnostic Logging that helps explain why these rules are triggered for the AutoComplete component -- see the details_matches_s section for what it's triggering on:

Raw Details text:

Matched Data: contains(tolower(Name),'') found within QueryParamValue:$filter: contains(tolower(Name),'')

My best guess is that its not liking some or all the function calls - contains or tolower.  I have Grid controls set with filters on the URI w/o these functions that do not trigger these rules.

Hi leviatekllc

Thank you for shared details. The methods mentioned in the request’s query strings are required for standard OData request to perform filtering operation on String values. We can remove the “tolower” function from the query string by setting IgnoreCase as false. Refer the below code.

We cannot remove the StartsWith or Contains in the request, since it is standard and required for OData filtering request. Please check whether the above suggestion resolves the issue.

If you still face the exception, please share the below details

• Filtering request URL format which works in your end
• Adaptor used in your end

The above details will help us provide a prompt solution.

Regards,

Prince

Thanks for the update - I'll test this out in my next release, but if IgnoreCase is set to false and someone enters test, the value Test won't appear, right?

Hi leviatekllc

Thanks for the update.

Yes, you are correct. But if filtering is done manually in the API endpoint, then this can be handled by converting the text “Test” to lowercase before performing filter operation. Also please share the requested details below along with your test results.

• Filtering request URL format which works in your end
• Adaptor used in your end

Regards,

Prince

Sorry for delay, this can be closed out - even with the tweaks, the two WAF rules continue to trigger so they have to be tweaked for my app to work properly.  Thank you for your support.

Hi leviatekllc,

Thanks for the update. Please get back to us if you need any further assistance.

Regards,

Udhaya Kumar D