Base64 encoded data in POST request triggering WAF

I have a website that sends a POST request with one field including a Base64 image. The WAF is blocking this request due to the following rule…

100139D - XSS, HTML Injection - Data URI

Is base64 encoded data in a POST request some kind of security exploit? Why is such a check included in this rule? How do I disable this check on base64 encoding without taking out all the other WAF rules, or how else can I send this base64 encoded data that won’t trigger any WAF rules?

@mdemoura is one of the WAF experts and might know why it’s triggering.

Hi @Andrew1234, could you post an example request that is being blocked by rule 100139D?

We have an input field like this but with a 1+MB image base64 encoded in it. Doing this sets off the rule for some reason.

<input type="hidden" name="croppedimage" id="croppedimage" value="....................LNToJcw6X2Jdkiqbe2lzNXXVo1ROnHK8qVy8wIQD4ci7k++SfCRyugoA5FmXcfk6cpTd2BmD5PFYBQF9f0XXo6G3FAPw/5M98YaE+vYMAAAAASUVORK5CYII=">

Thanks, I’ve raised a ticket internally to tweak the rule so it doesn’t trigger on this kind of input.

How do I disable this check on base64 encoding without taking out all the other WAF rules

In the meantime, you can disable the 100139D rule individually or set its action to just “Log”.

Thanks. How can I follow along with the progress of this to know the status of this issue and when/if we can expect a fix within CF?