Who can help with Azure WAF Issues?

Questions
1

We have an Umbraco 13 website hosted by the client’s IT organization in an Azure Web App. Everything was working perfectly until they activated the Azure Web Application Firewall (WAF), which is now blocking most traffic to and from the website.

It seems the WAF configuration hasn’t been optimized for Umbraco, as all the settings are default, leading to numerous false positives. For example, certain pages in the website cannot be saved due to the HTML content triggering WAF rules, which interprets valid HTML as potentially malicious input.

Does anyone have experience working with Azure WAF in relation to Umbraco? Are there specific settings, configuration adjustments or pre-defined WAF rulesets you could share to help resolve this? Umbraco Cloud uses Cloudflare as a WAF but I don’t think the rules are available for non-cloud projects. Additionally, are there any changes we should make within Umbraco to ensure compatibility with the Azure WAF?

Some examples here:

requestUri_s Message ruleId_s ruleGroup_s details_message_s
/images/header_logo_black.svg Detects MySQL comment-/space-obfuscated injections and backtick termination 942200 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:(?:(?:(?:(?:trunc
/images/header_logo_black.svg Detects basic SQL authentication bypass attempts 2/3 942260 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:["'`]\s*?(?:(?:n(?:and
/images/header_logo_black.svg Detects basic SQL authentication bypass attempts 3/3 942340 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:(?:[“'`](?:\s*?(?:is\s*?(?:[\d.]+\s*?\W.*?[”'`]
/images/header_logo_black.svg SQL Comment Sequence Detected. 942440 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?:/\*!?
/js/bundle.js?v=RfjVFTkbDxY95z9twFxZpl5odos Request Missing an Accept Header 920300 REQUEST-920-PROTOCOL-ENFORCEMENT Equal 0; Pattern match ^OPTIONS$; Pattern match AppleWebKit Android at REQUEST_HEADERS:user-agent.
/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds SQL Comment Sequence Detected. 942440 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?:/\*!?
/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds Detects MySQL comment-/space-obfuscated injections and backtick termination 942200 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:(?:(?:(?:(?:trunc
/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds Detects basic SQL authentication bypass attempts 2/3 942260 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:["'`]\s*?(?:(?:n(?:and
/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds Detects basic SQL authentication bypass attempts 3/3 942340 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:(?:[“'`](?:\s*?(?:is\s*?(?:[\d.]+\s*?\W.*?[”'`]
/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds SQL Comment Sequence Detected. 942440 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?:/\*!?
/umbraco/backoffice/umbracoapi/content/PostSave IE XSS Filters - Attack Detected. 941330 REQUEST-941-APPLICATION-ATTACK-XSS Pattern match (?i:["‘]*(?:[^a-z0-9~_:’ ]
/umbraco/backoffice/umbracoapi/content/PostSave IE XSS Filters - Attack Detected. 941340 REQUEST-941-APPLICATION-ATTACK-XSS Pattern match (?i)["\‘]*(?:[^a-z0-9~_:\’ ]
/umbraco/backoffice/umbracoapi/content/PostSave SQL Injection Attack: SQL Operator Detected 942120 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:(?:(?:^
/umbraco/backoffice/umbracoapi/content/PostSave SQL Injection Attack: SQL Tautology Detected. 942130 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:[\s’“`()]*?\b([\d\w]+)\b[\s’”`()]*?(?:<(?:=(?:[\s’"`()]*?(?!\b\1\b)[\d\w]+
/umbraco/backoffice/umbracoapi/content/PostSave SQL Injection Attack 942150 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match from file sql-function-names.data; Pattern match (?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?
/umbraco/backoffice/umbracoapi/content/PostSave Detects MySQL comment-/space-obfuscated injections and backtick termination 942200 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:(?:(?:(?:(?:trunc
/umbraco/backoffice/umbracoapi/content/PostSave Detects basic SQL authentication bypass attempts 2/3 942260 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:["'`]\s*?(?:(?:n(?:and
/umbraco/backoffice/umbracoapi/content/PostSave Detects basic SQL authentication bypass attempts 3/3 942340 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:(?:[“'`](?:\s*?(?:is\s*?(?:[\d.]+\s*?\W.*?[”'`]
/umbraco/backoffice/umbracoapi/content/PostSave Detects classic SQL injection probings 2/3 942370 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:(?:["'`](?:\s*?(?:(?:\*.+(?:(?:an
/umbraco/backoffice/umbracoapi/content/PostSave SQL Injection Attack 942410 REQUEST-942-APPLICATION-ATTACK-SQLI Pattern match (?i:\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?
2

Hey @PeterAtValantic I have had the privilege of dealing with two new Front Doors this quarter :laughing: .

In my circumstance cookies were a big issue with the SQLI ruleset on the front end of the site. Like you I see you are also being hit with the SQLI ruleset.

Below you can see I have added exclusions for two Cookies that were triggering the SQLI ruleset.

image
image1753×366 31.2 KB

In my circumstances I have not put the CMS itself behind Front door but you could exclude the whole Umbraco Path from the SQLI ruleset to see if that helps.

More exclusions may need to be applied to other rulesets in your WAF.

2 Likes
3

@PeterAtValantic Another thought is do you need to put the CMS behind front door?

Since you need to be logged in to access it, it may be better to set an IP restriction on the web app or turn on authentication mode with Easy Auth to lock down the CMS.

I am assuming this is load balanced.

1 Like