NOTE: The exclusions and disabled rules below apply only when the firewall runs in Prevention mode. In Detection mode, which is the default, the WAF never blocks a request, so none of this has to be configured; the same rules will still show up as matches in the WAF log, which is how the list below was built.
From: https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
Application Gateway WAF can be configured to run in the following two modes:
- Detection mode – When configured to run in detection mode, Application Gateway WAF monitors and logs all threat alerts to a log file. Logging diagnostics for Application Gateway must be turned on in the Diagnostics section, and the WAF log (ApplicationGatewayFirewallLog) must be selected and enabled, otherwise detection mode produces nothing you can review. In detection mode the web application firewall does not block incoming requests.
- Prevention mode – When configured to run in prevention mode, Application Gateway actively blocks requests that match its rules. The client receives an HTTP 403 Forbidden response and the connection is terminated. Prevention mode continues to log such attacks in the WAF logs.
Prevention Mode Rule Configuration
Before switching the Application Gateway firewall to Prevention mode, add these exclusions. An exclusion on the request attribute name tells the WAF to skip inspection of the value of that query-string or form argument only; the rest of the request is still inspected. Both arguments carry SharePoint URLs, which otherwise trip the off-domain-reference rules.
FIELD | OPERATOR | SELECTOR |
---|---|---|
Request attribute name | Equals | SPHostUrl |
Request attribute name | Equals | SPSiteUrl |
With those exclusions in place, the following WAF rules (OWASP CRS 3.x rule IDs; the 931, 941 and 942 prefixes are the RFI, XSS and SQLI rule groups) need to be disabled:
Rule ID | Description | Justification |
---|---|---|
931130 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link | Must be disabled so that app settings can be saved via /api/config/saveappsettings. |
941320 | Possible XSS Attack Detected – HTML Tag Handler | HTML is submitted in rich-text fields, so the only alternative to disabling this rule is an exclusion for every such field name (Comments, ReusableHTML, BodyText, etc.). |
942110 | SQL Injection Attack: Common Injection Testing Detected | Our API is modeled on SharePoint, which allows special characters that trigger this rule. SQL injection is not applicable: the service has no database. |
942130 | SQL Injection Attack: SQL Tautology Detected. | Our API is modeled on the SharePoint search API (https://docs.microsoft.com/en-us/sharepoint/dev/general-development/sharepoint-search-rest-api-overview), which allows special characters that trigger this rule. SQL injection is not applicable: the service has no database and all data access goes through the SharePoint API. |
942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination | Same justification as 942110/942130. |
942260 | Detects basic SQL authentication bypass attempts 2/3 | Same justification as 942110/942130. |
942300 | Detects MySQL comments, conditions and ch(a)r injections | Same justification as 942110/942130. |
942330 | Detects classic SQL injection probings 1/2 | Same justification as 942110/942130. |
942340 | Detects basic SQL authentication bypass attempts 3/3 | Same justification as 942110/942130. |
942370 | Detects classic SQL injection probings 2/2 | Same justification as 942110/942130. |
942430 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) | Same justification as 942110/942130. |
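The two tables above as one Az PowerShell session, covering the exclusions, the disabled rules, the switch to Prevention mode and the WAF-log diagnostic setting mentioned under Detection mode. This is an added example, not code from the original page. It assumes the Az.Network and Az.Monitor modules and an authenticated session (Connect-AzAccount); the resource group, gateway name and Log Analytics workspace ID are placeholders, and the OWASP rule set version 3.0 is an assumption (the page does not state it; the rule IDs belong to CRS 3.x, whose Azure rule-group names are used below).

```powershell
# Added example, not from the original page. Assumes Az.Network/Az.Monitor and an
# authenticated session (Connect-AzAccount). All names below are placeholders.
$rgName      = 'rg-example'
$gwName      = 'appgw-example'
$workspaceId = '/subscriptions/<sub-id>/resourceGroups/rg-example/providers/Microsoft.OperationalInsights/workspaces/law-example'

$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rgName

# 1. Exclusions. "Request attribute name / Equals / <name>" makes the WAF skip
#    inspection of the value of that query-string or form argument only.
$exclusions = @(
    New-AzApplicationGatewayFirewallExclusionConfig -MatchVariable RequestArgNames -SelectorMatchOperator Equals -Selector SPHostUrl
    New-AzApplicationGatewayFirewallExclusionConfig -MatchVariable RequestArgNames -SelectorMatchOperator Equals -Selector SPSiteUrl
)

# 2. Disabled rules, grouped by CRS 3.x rule group (931 = RFI, 941 = XSS, 942 = SQLI).
#    -Rules limits the disable to the listed IDs; omitting it disables the whole group.
$disabledGroups = @(
    New-AzApplicationGatewayFirewallDisabledRuleGroupConfig -RuleGroupName 'REQUEST-931-APPLICATION-ATTACK-RFI'  -Rules 931130
    New-AzApplicationGatewayFirewallDisabledRuleGroupConfig -RuleGroupName 'REQUEST-941-APPLICATION-ATTACK-XSS'  -Rules 941320
    New-AzApplicationGatewayFirewallDisabledRuleGroupConfig -RuleGroupName 'REQUEST-942-APPLICATION-ATTACK-SQLI' `
        -Rules 942110, 942130, 942200, 942260, 942300, 942330, 942340, 942370, 942430
)

# 3. Apply exclusions and disabled rules together with the switch to Prevention mode.
#    Rule set version 3.0 is an assumption; the page does not state which version is in use.
$gw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $gw `
    -Enabled $true -FirewallMode Prevention `
    -RuleSetType OWASP -RuleSetVersion '3.0' `
    -Exclusion $exclusions -DisabledRuleGroup $disabledGroups

# 4. Commit. This is a long-running update of the gateway resource.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# 5. Make sure the WAF log is collected (needed in both modes to see what matched or was blocked).
Set-AzDiagnosticSetting -ResourceId $gw.Id -Name 'appgw-waf-diag' -WorkspaceId $workspaceId `
    -Enabled $true -Category ApplicationGatewayFirewallLog

# 6. Read back the deployed configuration and compare it with the tables above.
$cfg = $gw.WebApplicationFirewallConfiguration
"Mode: $($cfg.FirewallMode), rule set: $($cfg.RuleSetType) $($cfg.RuleSetVersion)"
$cfg.Exclusions         | ForEach-Object { "exclude  $($_.MatchVariable) $($_.SelectorMatchOperator) $($_.Selector)" }
$cfg.DisabledRuleGroups | ForEach-Object { "disabled $($_.RuleGroupName): $($_.Rules -join ', ')" }
```

Run the same script once with -FirewallMode Detection first and query ApplicationGatewayFirewallLog for any rule IDs that still match legitimate traffic; only flip to Prevention once that list is empty, otherwise the 403s will surface as application errors rather than WAF findings.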