Uploading scanned files in PDF format from Xerox/Canon 403 forbidden

Hi,

Seems like all scanned files from a Xerox machine are triggering many rules; they are coming from multiple users. The files are scanned and uploaded as PDF via a form on our site. So far we have been removing rules to increase the chance they won’t get blocked.

I tried to view the questionable files in binary and did in fact see issues with the PDF files such as: expected variable end, tag name expected, unexpected end of comment.

But they are still good enough to be opened on a Windows machine. Does anyone have any experience with scanned files which are triggering too many rules?

Here’s a list of the rules being triggered. I’m planning on removing 933100 and 933180.

932100: Remote Command Execution: Unix Command Injection

932110: Remote Command Execution: Windows Command Injection

932130: Remote Command Execution: Unix Shell Expression Found

933100: PHP Injection Attack: PHP Open Tag Found

933180: PHP Injection Attack: Variable Function Call Found

941130: XSS Filter - Category 3: Attribute Vector

941160: NoScript XSS InjectionChecker: HTML Injection

941310: US-ASCII Malformed Encoding XSS Filter - Attack Detected

942190: Detects MSSQL code execution and information gathering attempts

Sorry to hear you are experiencing the issue.
I would not recommend that you remove (disable) those rules to resolve this issue.

You might want to find out what rules and what requests were blocked/challenged when you upload PDFs.
You can check using security events: Security Events · Cloudflare Web Application Firewall (WAF) docs

After you figure out the details, you can create a Custom rule to “Skip”, so that PDF uploads are not blocked or challenged by Cloudflare Firewall.

2 Likes

Thanks for replying Yuri.

I did review the security events, and the rules I listed are all that were triggered from this API endpoint. It triggered beyond the OWASP score threshold. The API route sends all of the form data, including the file upload, so I don’t think I can isolate just the uploads to create a custom rule.

Looks like I can also increase the OWASP score threshold, which allows more rules to be broken before being blocked.

I also need to review every single one of the triggered rules to see why they are being triggered; maybe I can fix it and then re-add the rules that were removed.
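For the rule-by-rule review mentioned in the last post, here is an added example (not from any poster in this thread and not Cloudflare's code) that checks whether signature-like byte sequences in a PDF sit inside its `stream` objects, where compressed scan images produce pairs such as `<?` by chance, or in the readable parts of the file. The patterns are simplified stand-ins for what the listed rule IDs look for, not the actual OWASP rule regexes, and the sample bytes are constructed.

```python
import re

# Simplified stand-ins for what the listed rules look for; NOT the real rule regexes.
PATTERNS = {
    "933100 (PHP open tag)": re.compile(rb"<\?"),
    "932130 (Unix shell expression)": re.compile(rb"\$\(|\$\{"),
    "932100 (Unix command injection)": re.compile(rb"[;|`]\s*(?:cat|ls|id|sh)\b"),
}
# Body of a PDF stream object (image data in a scanned document).
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def triage(pdf: bytes) -> dict:
    """Count pattern hits inside PDF stream objects vs. in the rest of the file."""
    report = {name: {"in_stream": 0, "outside": 0} for name in PATTERNS}
    spans = [m.span(1) for m in STREAM.finditer(pdf)]
    for name, rx in PATTERNS.items():
        for hit in rx.finditer(pdf):
            inside = any(start <= hit.start() < end for start, end in spans)
            report[name]["in_stream" if inside else "outside"] += 1
    return report


def likely_binary_noise(report: dict) -> bool:
    """True when there are hits and every one of them sits inside stream data."""
    hits = [c for c in report.values() if c["in_stream"] or c["outside"]]
    return bool(hits) and all(c["outside"] == 0 for c in hits)


# Constructed sample: a minimal PDF-like byte string whose image stream
# happens to contain the byte sequences "<?", "$(" and "`id".
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image /Length 16 >>\n"
    b"stream\n\x8f<?\x01\xfa$(\x00\x9c<?\xd2\x11`id\xff\n\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for rule, counts in result.items():
        print(rule, counts)
    print("all hits inside streams:", likely_binary_noise(result))
```

Hits reported as `outside` are the ones to look at first, since they are in the part of the file a person can read.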

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.