Dangling WAF rule applied despite not being in the ruleset

Our WP based website gets 403 in the backend (in particular when doing a POST on /wp-json/wp/v2/media?_locale=user) despite the path has been deliberately excluded from WAF and security in the pages rules and even when the global WAF rules are disabled:

As you can see, the rule seems to not exist in both the Cloudflare Managed Ruleset and the OWASP Core Ruleset, and therefore it seems that this specific rule is not captured by any of the page rules / CF settings.

The only way to bypass this rule is to disable WAF entirely through IP exceptions (it seems that page rules exceptions don’t work either), and it really seems that somehow there are some dangling rules that have not been allocated in any accessible category.

It looks like an internal CF issue. Can this be checked?


Click on the little “i” circle next to the OWASP score. It should show you which actual rules were triggered. Or maybe it’s a dropdown list that you’ve cropped out of your firewall event screenshot.

It doesn’t. My point is that I can’t disable that specific ruleset because it cannot be found, unless I change the PL settings for the whole OWASP ruleset.

Even if I add a specific exception for that specific rule matching that specific endpoint, it doesn’t work. It gets triggered (and yes, I’ve also swapped the order of execution between the skipped - executed ones).

And to highlight again: I cannot find the 949110 rule in the Cloudflare OWASP Core Ruleset configuration:

Inbound Anomaly Score itself isn’t a rule other than it takes the rules which were triggered in the OWASP ruleset and assigns it a score. based on your WAF settings if the request is anomalous ‘enouhg’ the request is denied. The OWASP score in your screenshot was 65. The JSON details will highlight which rules were triggered.

Without knowing what you’re creating an exception for vs. what is being triggered… I can only suggest you’ve used the wrong criteria.

Click the export event json in your first screenshot in this thread and review which rules are actually being triggered.

1 Like

I bet it does. There’s probably a little bit of blue text in the lower left of that event with an Expand arrow that would show you the individual scores. Or export the JSON as cscharff suggested.

Then why this exception is not working at all? And it’s set before all the others:

I mean, according to that, regardless of the triggering rules (and I can see all of them in the additional logs), the WAF rules should never be applied to that path . That’s what I’m trying to say

Also I’m trying to highlight another functional inconsistency. I’ve set a page rule that basically disables security and WAF on that specific endpoint, but it seems to be completely ignored:

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.