Running into an issue with one of our custom-developed sites.
There’s a page where the user is saving HTML that will be used for sending emails. The data is being saved by POSTing a JSON object to the server.
The POST data is triggering the Cloudflare WAF XSS attack rules. The problem is that the challenge ONLY appears for the POST requests; I can see the challenge page in Chrome’s network inspector.
There’s no way to complete this challenge (it’s in the network inspector) and the challenge only appears for these POST requests. (So if I reload the main page with a GET request, there’s no challenge.) Even if there was a way to complete the challenge in the network inspector, this isn’t an acceptable solution for end users.
I need a way to manually trigger the WAF to challenge a standard browser GET request. Basically, some kind of query or request that tells the WAF to show the challenge page so I can do AJAX POST requests in the background after the challenge is passed.
So far the only thing that works is disabling the WAF entirely, which is a poor solution.
Any help is appreciated.