Trigger WAF Challenge

Running into an issue with one of our custom-developed sites.

There’s a page where the user is saving HTML that will be used for sending emails. The data is being saved by POSTing a JSON object to the server.

The POST data is triggering the Cloudflare WAF XSS attack rules. The problem is that the challenge ONLY appears for the POST requests; I can see the challenge page in Chrome’s network inspector:

There’s no way to complete this challenge (it’s in the network inspector) and the challenge only appears for these POST requests. (So if I reload the main page with a GET request, there’s no challenge.) Even if there was a way to complete the challenge in the network inspector, this isn’t an acceptable solution for end users.

I need a way to manually trigger the WAF to challenge a standard browser GET request. Basically some kind of query or request that tells the WAF to show the challenge page so I can do AJAX post requests in the background after the challenge is passed.

So far the only thing that works is disabling the WAF entirely, which is a poor solution.

Any help is appreciated.


Alternatively, could you do something to encode the HTML, such as BASE64, so that the WAF doesn’t detect HTML but you can then decode it on the server? Then the user wouldn’t have to be presented with a challenge at all.
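
The Base64 round trip suggested in the reply above, as an added example that is not part of the original thread. Once the body is encoded the WAF's XSS rules no longer inspect the markup, so the server-side decoder here is strict, and the decoded HTML still has to go through the application's own sanitizer before it is stored or mailed. The function names, the `html_b64` field and the size cap are assumptions made for illustration.

```javascript
// Added example: encodeHtmlField, decodeHtmlField, html_b64 and MAX_HTML_BYTES
// are hypothetical names, not taken from the thread.
const MAX_HTML_BYTES = 256 * 1024; // assumed upper bound for one email template

// Browser side: UTF-8 encode first, because btoa() throws on code points above U+00FF.
function encodeHtmlField(html) {
  const bytes = new TextEncoder().encode(html);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Server side (Node.js): strict decode of the field taken from the parsed JSON body.
function decodeHtmlField(b64) {
  if (typeof b64 !== "string") throw new TypeError("html field must be a string");
  // Bound the size before decoding: every 4 Base64 characters carry 3 bytes.
  if (b64.length > Math.ceil(MAX_HTML_BYTES / 3) * 4) {
    throw new RangeError("html field too large");
  }
  const canonical = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
  if (!canonical.test(b64)) throw new SyntaxError("not well-formed Base64");
  const buf = Buffer.from(b64, "base64");
  // Buffer.from() is lenient about stray padding bits, so re-encode and compare.
  if (buf.toString("base64") !== b64) throw new SyntaxError("non-canonical Base64");
  // fatal: true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  const html = new TextDecoder("utf-8", { fatal: true }).decode(buf);
  // The WAF never saw this markup: treat it as untrusted input from here on.
  return html;
}

// Constructed sample input, including non-Latin-1 characters.
const sampleHtml = '<p>Hello “Ünïcode” ✓ <a href="https://example.com/">link</a></p>';

// Simulates the POST: the JSON body on the wire carries no raw markup.
function buildPostBody(html) {
  return JSON.stringify({ html_b64: encodeHtmlField(html) });
}

function roundTrip(html) {
  return decodeHtmlField(JSON.parse(buildPostBody(html)).html_b64);
}
```
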
