Uploading scanned files in PDF format from Xerox/Cannon 403 forbidden


Seems like all scanned files form a Xerox machine are triggering many rules, they are coming from multiple users. The files are scanned and uploaded as PDF via a form on our site. So far we have been removing rules to increase the chance they won’t get blocked.

I tried to view the questionable files in binary and did in fact see issues with the PDF files such as: expected variable end, tag name expected, unexpected end of comment.

But they are still good enough to be opened on a windows machine. Does anyone have any experience with scanned files which are triggering too many rules?

Here’s a list of the rules being triggered, I’m planning on removing 933100 and 933180.

932100: Remote Command Execution: Unix Command Injection

932110: Remote Command Execution: Windows Command Injection

932130: Remote Command Execution: Unix Shell Expression Found

933100: PHP Injection Attack: PHP Open Tag Found

933180: PHP Injection Attack: Variable Function Call Found

941130: XSS Filter - Category 3: Attribute Vector

941160: NoScript XSS InjectionChecker: HTML Injection

941310: US-ASCII Malformed Encoding XSS Filter - Attack Detected

942190: Detects MSSQL code execution and information gathering attempts

Sorry to hear you are experiencing the issue.
I would not recommend you to remove (disable) those rules to resolve this issue.

You might want to find out what rules and what requests were blocked/challenged when you upload PDFs.
You can check using security events: Security Events · Cloudflare Web Application Firewall (WAF) docs

After you figure out the detail, you can create Custom rule to “Skip” to avoid PDF uploads are blocked or challenged by Cloudflare Firewall.


Thanks for replying Yuri.

I did review the security events, and the rules I listed are all that were triggered from this API endpoint. It triggered beyond the OWASP score threshold. The API route sends all of the form data, including file upload so I don’t think I can isolate just the uploads to create a custom rule.

Looks like I can also increase the OWASP score threshold which allows to break more rules before being blocked.

I also need to review every single of the triggered rules to see why they are being triggered, maybe I can fix it and then re-add the rules that were removed.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.