 

Azure Application Gateway WAF blocks common ASP.Net Core Requests

I have configured an Azure Application Gateway + WAF in front of an ASP.Net Core application running on an Azure WebApp. I have the default OWASP 3.0 Rules set on and in Prevention mode.

The problem I have is that every request via the WAF fails in one way or another with some of the default set of rules returning a 403 - Forbidden status.

Looking through the WAF logs, I found a few rules failing.

  1. SQL Hex Encoding Identified

    {
        "message": "Warning. Pattern match \"(?i:(?:\\\\A|[^\\\\d])0x[a-f\\\\d]{3,}[a-f\\\\d]*)+\" at REQUEST_COOKIES:ASP.Net_Auth.",
        "data": "Matched Data: H0XAa4 found within REQUEST_COOKIES:AspNetCore.Auth: CfDJ8El_2vmJILFHjQYUCDWwttioV16BAlL12KiQnTLGZztGtA8P0xbo1MosAgmrkUk4IQ7pF5O4ZMJbmRHsHxYHq842rq_hr8FUyMhAMo_5mQ-C_5jBrkRWqUGrYHMa6fVIj4xtGOfku...",
    }
    
  2. SQL Comment Sequence Detected

    "message": "SQL Comment Sequence Detected.",
    "details": {
            "message": "Warning. Pattern match \"(/\\\\*!?|\\\\*/|[';]--|--[\\\\s\\\\r\\\\n\\\\v\\\\f]|(?:--[^-]*?-)|([^\\\\-&])#.*?[\\\\s\\\\r\\\\n\\\\v\\\\f]|;?\\\\x00)\" at REQUEST_COOKIES:.AspNetCore.Identity.Application.",
            "data": "Matched Data: --Z35d...- found within REQUEST_COOKIES:.AspNetCore.Identity.Application: CfDJ8El_2vmJILFHjQYUCDWwttihjUTpJneEVE1l-3UeTx...",
            "file": "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
            "line": "1053"
    }
    
  3. PCRE limits exceeded

    {
        "requestUri": "/api/ping?_=240477821",
        "message": "Execution error - PCRE limits exceeded (-8): (null)."
    }
    

That URL, /api/ping, returns nothing except 200 OK.

I can't find any good documentation on these rules and when and which rule should be enabled/disabled. I'm sure I can disable them but it feels to me that the WAF is very aggressive and picks up too many false positives.

Is there a default set of rules that are good and safe and compatible by default with an ASP.Net Core app?

asked Apr 16 '18 22:04

Corneliu




1 Answer

OWASP 3.0 works based on the sum of scores which it gets in each rule. A single request will be processed by a set of rules and each rule will add a score to the request and at the end, if the score exceeds a limit, the request is blocked.

In your case, you can read the rule definition here and check what score each rule adds to the particular request.

The last rule, the PCRE limit, is a mandatory rule which cannot be disabled; it was hit because of the score that the request got by other rulesets. So you need to track the other rulesets and disable or create an exclusion to get your site working.

answered Sep 23 '22 20:09

msrini-MSIT
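
Added example, not part of the question or the answer and not code from Microsoft or OWASP: a small triage script that applies the two patterns quoted in the WAF logs above to cookie values and flags which cookies are exclusion candidates because their values contain only base64url characters. The cookie values are constructed (they embed the "Matched Data" fragments from the logs), and the function names `triage` and `exclusion_candidates` are hypothetical.

```python
import re
from collections import defaultdict

# Patterns copied from the log excerpts in the question, with the log's
# JSON escaping removed.
RULES = {
    "SQL Hex Encoding Identified":
        re.compile(r"(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+"),
    "SQL Comment Sequence Detected":
        re.compile(r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)"
                   r"|([^\-&])#.*?[\s\r\n\v\f]|;?\x00)"),
}
BASE64URL = re.compile(r"[A-Za-z0-9_-]+")

# Constructed cookie values (not real tokens). The first two embed the
# "Matched Data" fragments reported in the logs; the third is SQL-like text.
SAMPLE_COOKIES = {
    "AspNetCore.Auth": "CfDJ8El_2vmJILFH0XAa4jQYUCDWwtti",
    ".AspNetCore.Identity.Application": "CfDJ8El_2vm--Z35dQx-3UeTx",
    "search": "1'; DROP TABLE users;-- ",
}

def triage(cookies):
    """Return {cookie_name: {"rules": [...], "opaque_token": bool}} for hits."""
    report = defaultdict(lambda: {"rules": [], "opaque_token": False})
    for name, value in cookies.items():
        for rule, pattern in RULES.items():
            if pattern.search(value):
                report[name]["rules"].append(rule)
        if name in report:
            # Only the base64url alphabet: the hit is an encoding coincidence,
            # because quotes, spaces, ';' and '/' are not present at all.
            report[name]["opaque_token"] = bool(BASE64URL.fullmatch(value))
    return dict(report)

def exclusion_candidates(report):
    """Cookie names whose hits came only from opaque base64url values."""
    return sorted(n for n, r in report.items() if r["opaque_token"])

if __name__ == "__main__":
    result = triage(SAMPLE_COOKIES)
    for name, info in result.items():
        print(name, info)
    print("exclude:", exclusion_candidates(result))
```

A cookie that matches a rule but fails the base64url check (like the constructed `search` value) is the case the rule exists for and should stay inspected.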