moonraker

Reputation: 21

Azure WAF exclusion - (RFI) Attack

I'm working on a WAF policy. Currently, the WAF is in detection mode and I've been creating exclusions and identifying false positives etc.

There is one rule I'm struggling to implement and it concerns RFI. Specifically this:

Rule ID: 931130
Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
Details message: Pattern match ^(?i:file|ftps?|https?)://(.)$; Begin With RequestHeaders:host at TX:rfi_parameter_..

Please see screenshot for an example in the logs.

rfi-example

Does anybody know how I can exclude this?

I've tried this but no dice:

exclusion-detail

Cheers, Ben

Upvotes: 2

Views: 2879

Answers (2)

Anders

Reputation: 1

We were able to resolve this with the help of Microsoft support. In our case the issue came down to the arg name being case-sensitive. You need to know the case the caller is using for the arg name, which if memory serves may differ from the case used in the log entry - unhelpful on all counts.

Upvotes: 0

Arun

Reputation: 87

You may have already figured this out, but this is to help someone else facing this issue. You can try - Req Args Name contains urlreferrer

Upvotes: 2
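To find which argument names belong in the exclusion, in the exact case the caller sends them, the two-stage check from the rule's log message can be replayed over captured request URLs. This is an added example, not code from the original post or its answers; it covers query-string arguments only, and the function name, the sample URLs and the `(.*)` capture group are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Stage 1 pattern taken from the rule's log message. The "(.*)" capture
# for everything after "://" is an assumption.
RFI_URL = re.compile(r"^(?i:file|ftps?|https?)://(.*)$")


def rfi_931130_hits(request_url, host_header):
    """Return the argument names, exactly as sent, whose values would trip
    the off-domain reference check described in the log message."""
    hits = []
    query = urlsplit(request_url).query
    # parse_qsl percent-decodes values and keeps the caller's original
    # case for argument names, which is what the exclusion selector needs.
    for name, value in parse_qsl(query, keep_blank_values=True):
        match = RFI_URL.match(value)
        if match is None:
            continue  # value is not a file/ftp(s)/http(s) URL
        # Stage 2 ("Begin With RequestHeaders:host"): the text after "://"
        # must start with the Host header, otherwise it counts as off-domain.
        if not match.group(1).startswith(host_header):
            hits.append(name)
    return hits


# Constructed sample requests (not taken from the question's logs).
SAMPLES = [
    "https://app.example.com/login?UrlReferrer=https%3A%2F%2Fpartner.example.net%2Fhome&lang=en",
    "https://app.example.com/login?urlreferrer=https%3A%2F%2Fapp.example.com%2Fhome",
    "https://app.example.com/x?a=FTP://files.example.org/x&b=plain",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", rfi_931130_hits(url, "app.example.com"))
```

The names it returns are candidates for the exclusion selector; compare their case with what appears in the WAF log entry before writing the exclusion.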
