OWASP Block (981176)

Hi,

I’ve finished activating the page rule and temporarily set it to simulate mode. Reviewing the firewall logs, I found numerous events that came from a legitimate client on OWASP Block (981176). I’m not sure yet what the best thing to do is: either create a rule to allow this request in the firewall, or set it to block mode and apply fixes to the affected path.

I hope someone can help me with what the best thing to do is.

Thanks,
Jonathan

Hi there,

The Cloudflare WAF contains mainly 2 packages:

  • Cloudflare Managed Ruleset: These rules are managed by Cloudflare WAF Engineers. For “security reasons”, we don’t provide the rule patterns as this would increase the likelihood that a malicious party could learn to bypass the rules.
  • OWASP ModSecurity Core Rule Set: These rules are not managed by Cloudflare. They are created by the OWASP Group and Cloudflare integrates with this OWASP package as part of our WAF for additional security. If you would like to know why an OWASP rule has triggered, you can review the rules (expressions and sensitivity score) in the GitHub repository in this link.

If you’re encountering false positives due to the WAF, there are 6 actions that you could take here:

  1. Add the IP(s) doing the request to the IP Access Rules in the allowlist, if the users connecting to your backend are always using the same IP address.
    This is the best solution as it does not affect the site security.
    How do I control IP access to my site?

  2. Disable the affected WAF rule(s)
    This will reduce the security of the site, but will stop the requests from getting blocked/challenged.
    How do I configure the WAF?

  3. Bypass the WAF with a Firewall Rule
    You can create a Firewall Rule with the bypass action for the WAF to be deactivated for a specific combination of parameters. You could for example only bypass the WAF for a specific URL and a specific IP or user-agent:
    https://developers.cloudflare.com/firewall/cf-firewall-rules/actions/

  4. Disable the Web Application Firewall from the requested endpoint (not recommended!)
    This will result in lower security, as the WAF will no longer be applicable on that location.
    This action is done by using Page Rules:
    Understanding and Configuring Cloudflare Page Rules (Page Rules Tutorial)

  5. If the blocking rule is 981176, it means it was blocked by the OWASP rules. You then need to decrease the OWASP sensitivity: “A request was blocked by rule 981176, what does that mean?” If decreasing the OWASP sensitivity doesn’t solve the issue, you might need to apply one of the other actions described above (1, 2, 3 or 4).

  6. [Enterprise only feature] Use WAF Overrides API
    There is a way to disable one WAF rule for a specific URI. The feature is known as the URI-Controlled WAF. Please follow this link on how to configure this feature.

Hope this helps!

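To choose between options 1 and 3 in the answer above, it helps to see which client IPs and paths account for the 981176 events logged in simulate mode. The following Python script is an added example, not part of the original posts and not Cloudflare code; the log field names (`client_ip`, `path`, `rule_id`, `action`) and the sample events are constructed assumptions, while `ip.src` and `http.request.uri.path` are fields of the Cloudflare rule expression language.

```python
import json
from collections import Counter

RULE_ID = "981176"  # OWASP rule ID from the thread

# Constructed sample: one JSON object per line. Field names are assumptions;
# map them to whatever your firewall event export actually uses.
SAMPLE = """
{"client_ip": "203.0.113.7", "path": "/api/report", "rule_id": "981176", "action": "simulate"}
{"client_ip": "203.0.113.7", "path": "/api/report", "rule_id": "981176", "action": "simulate"}
{"client_ip": "203.0.113.8", "path": "/api/upload", "rule_id": "981176", "action": "simulate"}
{"client_ip": "198.51.100.23", "path": "/login", "rule_id": "OTHER", "action": "block"}
"""

def load_events(text, rule_id=RULE_ID):
    """Parse JSON lines and keep only events for the given rule ID."""
    rows = (json.loads(line) for line in text.splitlines() if line.strip())
    return [r for r in rows if str(r.get("rule_id")) == rule_id]

def summarize(events):
    """Count hits per client IP and per path, most frequent first."""
    ips = Counter(e["client_ip"] for e in events)
    paths = Counter(e["path"] for e in events)
    return ips.most_common(), paths.most_common()

def bypass_expression(events):
    """Build a rule expression limited to the IPs and paths actually seen."""
    ips = sorted({e["client_ip"] for e in events})
    paths = sorted({e["path"] for e in events})
    if not ips:
        return None  # nothing matched: never emit a match-all expression
    ip_set = " ".join(ips)
    path_set = " ".join(json.dumps(p) for p in paths)  # double-quote each path
    return f"(ip.src in {{{ip_set}}} and http.request.uri.path in {{{path_set}}})"

if __name__ == "__main__":
    events = load_events(SAMPLE)
    ips, paths = summarize(events)
    print("hits per IP:  ", ips)
    print("hits per path:", paths)
    print("scoped bypass expression:", bypass_expression(events))
```

If the same few IPs account for every hit, the IP allowlist in option 1 applies; otherwise the generated expression keeps an option 3 bypass confined to the observed IPs and paths instead of the whole site.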

Bypass the WAF with a Firewall Rule is not working. My firewall rule is blocked even if I made an IP rule to bypass WAF Managed Rules.

Please fix this fast because critical parts of my apps are not working anymore unless I disable WAF for my site.
