Multi-Part Form Post Managed Challenge

My site has a form allowing signed in users to upload photos to their account. At some point recently form submissions started triggering Managed Challenge actions based on “Inbound Anomaly Score Exceeded”. After the “Verifying you are human” interstitial the user is returned to the upload photo page without the photos being posted.

Country: United States
IP Address: xxx
Service: Managed rules
Action taken: Managed Challenge
Ruleset: Cloudflare OWASP Core Ruleset …c25d2f1f
Rule: 949110: Inbound Anomaly Score Exceeded …843b323c
OWASP score: 63

Additional logs (13)
920270: Invalid character in request (null character) …bd22c723 Cloudflare OWASP Core Ruleset	Score (+5)
920271: Invalid character in request (non printable characters) …1d8cf992 Cloudflare OWASP Core Ruleset	Score (+5)
932200: RCE Bypass Technique …c91b7247 Cloudflare OWASP Core Ruleset	Score (+5)
941310: US-ASCII Malformed Encoding XSS Filter - Attack Detected …cbc01671 Cloudflare OWASP Core Ruleset	Score (+5)
941320: Possible XSS Attack Detected - HTML Tag Handler …346650ed Cloudflare OWASP Core Ruleset	Score (+5)
941340: IE XSS Filters - Attack Detected …7fbedd30 Cloudflare OWASP Core Ruleset	Score (+5)
942120: SQL Injection Attack: SQL Operator Detected …d732161b Cloudflare OWASP Core Ruleset	Score (+5)
942200: Detects MySQL comment-/space-obfuscated injections and backtick termination …58ecf7e7 Cloudflare OWASP Core Ruleset	Score (+5)
942260: Detects basic SQL authentication bypass attempts 2/3 …55395a78 Cloudflare OWASP Core Ruleset	Score (+5)
942330: Detects classic SQL injection probings 1/3 …18a93bb2 Cloudflare OWASP Core Ruleset	Score (+5)
942370: Detects classic SQL injection probings 2/3 …7cdec0c8 Cloudflare OWASP Core Ruleset	Score (+5)
942430: Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) …3297003f Cloudflare OWASP Core Ruleset	Score (+3)
942440: SQL Comment Sequence Detected …682bb405 Cloudflare OWASP Core Ruleset	Score (+5)

The form is quite basic:

<form action="/uploadphotos" method="post" name="uploadphoto" enctype="multipart/form-data">
<input id="upload_filename" name="upload_filename" type="file">
<input id="submit_upload" name="submit_upload" type="submit" value="Add photo">
</form>

Is there a way to mark form inputs as being image uploads so the data is not misinterpreted as being, for example, an SQL injection?

3 Likes
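To make the anomaly score concrete, here is an added example (not from this thread or from Cloudflare) that builds the multipart body a browser sends for the form above and runs simplified stand-ins for the logged rule families over the file part. The patterns and the `HEURISTICS` table are hypothetical, not the real CRS regexes; they only show that ordinary image bytes contain NULs, control bytes and SQL-looking characters, which is why an honest upload accumulates score.

```python
import re

# Simplified, hypothetical stand-ins for the CRS rule families in the log above.
# They are NOT the real CRS regexes; they only show which byte patterns each family reacts to.
HEURISTICS = [
    (920270, "null character", rb"\x00", 5),
    (920271, "non-printable character", rb"[\x01-\x08\x0b\x0c\x0e-\x1f\x7f]", 5),
    (942440, "SQL comment sequence", rb"--|/\*|\*/|#", 5),
    (942430, "restricted SQL characters (12 or more)", rb"['\"();,<>=|#%&*+]", 3),
    (941320, "HTML tag handler", rb"<[a-zA-Z]", 5),
]

BOUNDARY = b"----ExampleBoundary"

def build_multipart(field, filename, content_type, payload):
    """Encode one file field as a multipart/form-data body, as a browser would."""
    return (b"--" + BOUNDARY + b"\r\n"
            + b'Content-Disposition: form-data; name="' + field.encode()
            + b'"; filename="' + filename.encode() + b'"\r\n'
            + b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
            + payload + b"\r\n--" + BOUNDARY + b"--\r\n")

def file_part(body):
    """Return the raw content of the first part (the bytes the WAF actually scans)."""
    start = body.index(b"\r\n\r\n") + 4
    end = body.index(b"\r\n--" + BOUNDARY, start)
    return body[start:end]

def score_upload(body):
    """Return (anomaly score, [(rule_id, description)]) for the file part."""
    data = file_part(body)
    total, hits = 0, []
    for rule_id, desc, pattern, points in HEURISTICS:
        matches = len(re.findall(pattern, data))
        if rule_id == 942430 and matches < 12:  # count-threshold rule, like the log line
            continue
        if matches:
            total += points
            hits.append((rule_id, desc))
    return total, hits

# Constructed sample: a JFIF-style header followed by every byte value once,
# standing in for real image data (binary images contain all of these bytes).
PHOTO_BODY = build_multipart("upload_filename", "photo.jpg", "image/jpeg",
                             b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(256)) + b"\xff\xd9")
# Constructed sample: a plain text field, which trips none of the heuristics.
TEXT_BODY = build_multipart("caption", "caption.txt", "text/plain", b"Summer holiday photos")

if __name__ == "__main__":
    print(score_upload(PHOTO_BODY))  # (18, [...]): four rule families fire on plain image bytes
    print(score_upload(TEXT_BODY))   # (0, [])
```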

Hi! I have the same issue. Did you find a solution yet?

1 Like

Same issue on our end. The OWASP rules are pretty unusable after Cloudflare updated their firewall rules a couple of months ago. So many false positives, the only thing we can do is keep relaxing the OWASP threshold, but it defeats the purpose. Our users can’t even upload an XLSX file without triggering the firewall rule. It’s insane TBH.

1 Like

My workaround was to exclude form posts from OWASP rules :confused: I don’t understand how this issue isn’t affecting enough people for it to get resolved or have a clean workaround!

1 Like

Just chiming in: after a week of debugging, we’ve narrowed down the exact same issue in our stack :slight_smile:

Please, halp

To expand:

We were led down some false debug leads because our backend (Django) was complaining about missing CSRF tokens.

After some tribulation, we discovered this (the Managed Challenge). But we also discovered that the data in the request, after passing the managed challenge, was mangled into unusable gunk/garbage. That is actually what triggered the CSRF error. Might be another issue, but I wanted to describe it here for posterity.

1 Like

We have the same issue. After intercepting the upload request with a managed challenge, the request is forwarded via post, but the form data seems to be removed/invalid and cannot get processed anymore.

Do we really have to add a WAF exclusion for each of our form file uploads?