I am trying to use the managed leaked credentials ruleset on our website and noticed that the POST forms with username + password condition is not working. When I clicked on the “Browse Rules” button to explore the details of the managed ruleset, I saw two conditions about POST forms:
- Checks credentials in POST forms using “username” and “password” arguments
- Checks credentials in POST forms using “login” and “password” arguments (URI agnostic)
I tried both cases stated above by sending POST form requests to my website's authentication endpoints. While I can see in the WAF events that the POST forms using “login” and “password” work (which we do not use in our website), the request is not getting detected by the WAF under the first condition (username + password).
Since we are handling authentication in our website, we are sending a POST request with the content type “x-www-form-urlencoded” to the endpoint “/connect/token”, as seen in the attached Postman screenshot (which matches the first rule). I believe there is something wrong with the first rule.
If this is intentional, could you please help me figure out how to work around this problem, preferably without modifying my authentication flow and endpoints?