Azure: Application Gateway Web Application Firewall (WAF) Settings - Akumina Community

NOTE: The exclusions and rule changes below apply only to customers who run the firewall in Prevention mode. When the firewall is in Detection mode, which is the default, none of these settings need to be configured.

From: https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview

Application Gateway WAF can be configured to run in the following two modes:

  • Detection mode – When configured to run in detection mode, Application Gateway WAF monitors and logs all threat alerts to a log file. Logging diagnostics for Application Gateway should be turned on using the Diagnostics section. You also need to ensure that the WAF log is selected and turned on. When running in detection mode, the web application firewall does not block incoming requests.
  • Prevention mode – When configured to run in prevention mode, Application Gateway actively blocks intrusions and attacks detected by its rules. The attacker receives a 403 unauthorized access exception and the connection is terminated. Prevention mode continues to log such attacks in the WAF logs.

Prevention Mode Rule Configuration

To use prevention mode on the Application Gateway firewall, first add these exclusions:

| Field | Operator | Selector |
|---|---|---|
| Request attribute name | Equals | SPHostUrl |
| Request attribute name | Equals | SPSiteUrl |

With those exclusions in place, the following WAF rules need to be disabled:

| Rule ID | Description | Justification |
|---|---|---|
| 931130 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link | Needed to save app settings via /api/config/saveappsettings |
| 941320 | Possible XSS Attack Detected – HTML Tag Handler | Disabling this rule avoids adding an exclusion for every rich-text field name (such as Comments, ReusableHTML, BodyText) through which HTML is passed. |
| 942110 | SQL Injection Attack: Common Injection Testing Detected | We modeled our API on SharePoint, which allows special characters that trigger this rule. However, SQL injection is n/a – we do not have a database. |
| 942130 | SQL Injection Attack: SQL Tautology Detected | We modeled our API on the SharePoint search API (https://docs.microsoft.com/en-us/sharepoint/dev/general-development/sharepoint-search-rest-api-overview), which allows special characters that trigger this rule. However, SQL injection is n/a – we do not have a database, and requests are passed through the SharePoint API. |
| 942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination | |
| 942260 | Detects basic SQL authentication bypass attempts 2/3 | |
| 942300 | Detects MySQL comments, conditions and ch(a)r injections | |
| 942330 | Detects classic SQL injection probings 1/2 | |
| 942340 | Detects basic SQL authentication bypass attempts 3/3 | |
| 942370 | Detects classic SQL injection probings 2/2 | |
| 942430 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) | |
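The following script is an added example, not part of this article or of Akumina's tooling. It audits a gateway's `webApplicationFirewallConfiguration` block (the shape returned by `az network application-gateway show`) against the two tables above, reporting missing exclusions, required rules that are still enabled, and any rule disabled beyond the documented list. It assumes the portal's "Request attribute name" corresponds to the ARM matchVariable `RequestArgNames`, and the sample configuration is constructed for the demonstration.

```python
import json

# Exclusions and rule IDs from the two tables above (portal "Request attribute name"
# corresponds to the ARM matchVariable RequestArgNames).
REQUIRED_EXCLUSIONS = {("RequestArgNames", "Equals", "SPHostUrl"),
                       ("RequestArgNames", "Equals", "SPSiteUrl")}
REQUIRED_DISABLED_RULES = {931130, 941320, 942110, 942130, 942200, 942260,
                           942300, 942330, 942340, 942370, 942430}

# Constructed sample of a gateway's webApplicationFirewallConfiguration block; not taken
# from a real gateway. It is deliberately one exclusion short and has one rule (941100)
# disabled that the article does not call for.
SAMPLE_WAF_CONFIG = json.loads("""{
  "enabled": true, "firewallMode": "Prevention",
  "ruleSetType": "OWASP", "ruleSetVersion": "3.0",
  "disabledRuleGroups": [
    {"ruleGroupName": "REQUEST-931-APPLICATION-ATTACK-RFI", "rules": [931130]},
    {"ruleGroupName": "REQUEST-941-APPLICATION-ATTACK-XSS", "rules": [941320, 941100]},
    {"ruleGroupName": "REQUEST-942-APPLICATION-ATTACK-SQLI",
     "rules": [942110, 942130, 942200, 942260, 942300, 942330, 942340, 942370, 942430]}
  ],
  "exclusions": [
    {"matchVariable": "RequestArgNames", "selectorMatchOperator": "Equals", "selector": "SPHostUrl"}
  ]
}""")


def audit_waf_config(cfg):
    """Compare a WAF config block with the article's lists. Every list in the
    returned dict is empty when the gateway matches the article exactly."""
    findings = {"mode": cfg.get("firewallMode"), "missing_exclusions": [],
                "still_enabled": [], "extra_disabled": [], "whole_groups_disabled": []}
    present = {(e["matchVariable"], e["selectorMatchOperator"], e["selector"])
               for e in cfg.get("exclusions") or []}
    findings["missing_exclusions"] = sorted(REQUIRED_EXCLUSIONS - present)
    disabled = set()
    for group in cfg.get("disabledRuleGroups") or []:
        rules = group.get("rules") or []
        if not rules:  # ARM semantics: no rule list means the entire group is off
            findings["whole_groups_disabled"].append(group["ruleGroupName"])
        disabled.update(rules)
    findings["still_enabled"] = sorted(REQUIRED_DISABLED_RULES - disabled)
    # Rules disabled beyond the article's list weaken the WAF and need their own justification.
    findings["extra_disabled"] = sorted(disabled - REQUIRED_DISABLED_RULES)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_waf_config(SAMPLE_WAF_CONFIG), indent=2))
```

A gateway in Detection mode will report every required rule as still enabled, which is expected since the note at the top says none of these settings apply there.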