Mr M

Reputation: 61

How to prevent false positive block in Azure WAF for password field

I'm using Azure Front Door with a web application firewall policy. Managed rule set 1.0 is configured.

It all works pretty well, apart from the password field in the login page of my web site. I see numerous block occasions based on rule 1.0-SQLI-942100 (SQL injection attempt) while the submitted password is legit, e.g. a password with the following format:

12-(Maria)_1002

Since the password field is quite critical (I do see numerous valid blocks with actual SQL injection attempts as well!), I don't want to add this field to the firewall exclusions.

Any idea how to prevent legit passwords from being blocked? I've considered excluding some chars from the input, but which ones need to be excluded?

Upvotes: 4

Views: 1195
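As an added configuration example (not part of the question above, and not an official Microsoft sample), the fragment below shows how an Azure Front Door WAF policy can scope an exclusion to the single managed rule that is misfiring, rather than excluding the field from the whole rule set. The `ruleGroupOverrides` entry targets rule group `SQLI`, rule `942100` of `DefaultRuleSet` version `1.0` (the identifiers named in the question), and the exclusion applies only to the POST body argument carrying the password. The selector `password` is an assumed form field name; substitute the actual name of the login form's password parameter. Resource name, location and the remaining policy settings are placeholders.

```json
{
  "type": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
  "apiVersion": "2020-11-01",
  "name": "PLACEHOLDER_WAF_POLICY_NAME",
  "location": "Global",
  "sku": { "name": "Standard_AzureFrontDoor" },
  "properties": {
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention"
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "DefaultRuleSet",
          "ruleSetVersion": "1.0",
          "ruleGroupOverrides": [
            {
              "ruleGroupName": "SQLI",
              "rules": [
                {
                  "ruleId": "942100",
                  "enabledState": "Enabled",
                  "action": "Block",
                  "exclusions": [
                    {
                      "matchVariable": "RequestBodyPostArgNames",
                      "selectorMatchOperator": "Equals",
                      "selector": "password"
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    }
  }
}
```

Placing the `exclusions` array inside the `942100` rule override (instead of at the `managedRuleSets` or policy level) means every other rule in the `SQLI` group and in the rest of the rule set still evaluates the password parameter, so genuine injection payloads in that field continue to be scored by the remaining rules. After deploying, the WAF logs for the login endpoint should show rule `942100` no longer firing on that parameter while other rule matches on the same request are unchanged; if other rules also produce false positives on legitimate passwords, add separate narrowly scoped overrides for those rule IDs rather than widening the selector or restricting the character set users may choose.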

Answers (0)
