Http request blocked by Azure WAF, how to do right encoding?

不想你离开。 提交于 2021-02-11 12:23:07

问题


I'm running a asp.net web application on Azure, I have an Application Gateway in front of it, enable the WAF (Web application Firewall).

But many of my http requests from the front-end are blocked by the WAF, for example my payload in JSON:

[{"inputtype":"text","name":"wwwwww","memo":"","score":1,"sort":1,"isrequired":false,"allowseeresult":false,"choicenummin":null,"choicenummax":null,"options":[]}]

The error message is:

"message": "Warning. Pattern match \"((?: 
[\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\ {\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>][^\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>]*?){12})\" at ARGS:questions.",
"data": "Matched Data: [{\\x22inputtype\\x22:\\x22text\\x22,\\x22name\\x22:\\x22who is it\\x22 found within ARGS:questions: [{\\x22inputtype\\x22:\\x22text\\x22,\\x22name\\x22:\\x22who is it\\x22,\\x22memo\\x22:\\x22\\x22,\\x22score\\x22:1,\\x22sort\\x22:1,\\x22isrequired\\x22:true,\\x22allowseeresult\\x22:false,\\x22choicenummin\\x22:null,\\x22choicenummax\\x22:null,\\x22options\\x22:[]}]",
"file": "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
"line": "1002"

Seems that "" is not allowed in the payload.

I tried to use htmlencode to encode the "" to "&quot ;" but the ";" still got blocked by WAF.

So how should I encode my payload to avoid it being blocked? Any recommendations? Thanks.


回答1:


You can only do 2 things 1. Disable the rule, 2. Use an exclusion list, Link.



来源:https://stackoverflow.com/questions/57480551/http-request-blocked-by-azure-waf-how-to-do-right-encoding

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!