Base64 encoded data in POST request triggering WAF

Andrew1234 · May 14, 2021, 4:23pm

I have a website that sends a POST request with one field including a Base64 image. The WAF is blocking this request due to the following rule…

100139D - XSS, HTML Injection - Data URI

Is base64 encoded data in a POST request some kind of security exploit? Why is such a check included in this rule? How do I disable this check on base64 encoding without taking out all the other WAF rules or how else can I send this base64 encoded data that won’t trigger any WAF rules.

sdayman · May 14, 2021, 1:38pm

@mdemoura is one of the WAF experts and might know why it’s triggering.

mdemoura · May 17, 2021, 9:14am

Hi @Andrew1234, could you post an example request that is being blocked by rule 100139D?

Andrew1234 · May 17, 2021, 10:02am

We have an input field like this but with a 1+MB image base64 encoded in it. Doing this sets off the rule for some reason.

<input type="hidden" name="croppedimage" id="croppedimage" value="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABQAAAAJYCAYAAAA9nkvjAAAgAElEQVR4Xuy9B5hlR3U....................LNToJcw6X2Jdkiqbe2lzNXXVo1ROnHK8qVy8wIQD4ci7k++SfCRyugoA5FmXcfk6cpTd2BmD5PFYBQF9f0XXo6G3FAPw/5M98YaE+vYMAAAAASUVORK5CYII=">

mdemoura · May 18, 2021, 12:48pm

Thanks, I’ve raised a ticket internally to tweak the rule so it doesn’t trigger on this kind of input.

How do I disable this check on base64 encoding without taking out all the other WAF rules

In the meantime, you can disable the 100139D rule individually or set its action to just “Log”.

Andrew1234 · June 7, 2021, 11:45am

Thanks. How can I follow along with the progress of this to know the status of this issue and when/if we can expect a fix within CF.