WAF Attack Score request analyses misidentify connection to /cdn-cgi/zaraz/s.js as Likely Attack
What steps have you taken to resolve the issue?
My client’s account is on Business and we recently adopted WAF Attack Score to block (Attack) and challenge (Likely Attack).
We use Zaraz for tag management, and we discovered that Security Analytics identifies virtually all connections to it as Likely Attack.
Thus our original rule (managed challenge) prevented tags from being loaded.
Currently we work around it by setting up a skip rule: path contains /cdn-cgi.
However, under this setup all of the accesses to this endpoint that are misidentified as Likely Attacks are still considered unmitigated.
What is the current SSL/TLS setting?
Full
What are the steps to reproduce the issue?
Enable Zaraz and add tags, then browse the website.
The request analysis would misidentify the request as Likely Attack.
As mentioned in my original post, I have already implemented the skip action. Unfortunately, this has not resolved the issue, as these requests still appear in security analytics as “unmitigated” likely attacks.
Request for Automatic Exclusion: What I am seeking is for the WAF team to automatically exclude the link that Zaraz uses as an endpoint (/cdn-cgi/zaraz/s.js or customized). This would prevent the WAF from misidentifying these legitimate requests as attacks and ensure they do not show up as unmitigated in security analytics.
Need for a Long-term Solution: A sustainable solution is necessary to ensure that these false positives do not continue to occur. Adjusting the WAF settings to recognize and allow these specific requests would be ideal by allowing direct feedback on security analytics for administrators to directly tag if a request is an attack or not.
I hope the product team gets this feedback. Thank you.
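The rule ordering described in this thread (a skip rule placed ahead of the block and managed-challenge rules), modelled as an added example that is not part of the original posts or Cloudflare's own code. It compares the scope of the `path contains /cdn-cgi` workaround with a skip limited to a Zaraz path prefix; the prefix variant, the function names and the sample requests are assumptions constructed for illustration.

```python
# Minimal model of ordered custom-rule evaluation (added example).
# "class" stands for the WAF attack score class shown in Security Analytics.
ZARAZ_PREFIX = "/cdn-cgi/zaraz/"  # assumption: change if the endpoint is customized

def broad_skip(req):
    # The workaround from the post: path contains /cdn-cgi
    return "/cdn-cgi" in req["path"]

def narrow_skip(req):
    # Assumed tighter scope: only paths under the Zaraz prefix are exempted
    return req["path"].startswith(ZARAZ_PREFIX)

def build_rules(skip_predicate):
    # Order matters: the skip rule has to come before the score rules.
    return [
        ("skip", skip_predicate),
        ("block", lambda r: r["class"] == "attack"),
        ("managed_challenge", lambda r: r["class"] == "likely_attack"),
    ]

def evaluate(rules, req):
    # The first matching rule decides; a skip ends custom-rule evaluation.
    for action, predicate in rules:
        if predicate(req):
            return action
    return "allow"

def exempted(rules, requests):
    # Paths that bypass the attack-score rules under the given rule set
    return [r["path"] for r in requests if evaluate(rules, r) == "skip"]

# Constructed sample requests, not taken from real traffic
SAMPLE_REQUESTS = [
    {"path": "/cdn-cgi/zaraz/s.js", "class": "likely_attack"},
    {"path": "/files/cdn-cgi-report", "class": "likely_attack"},
    {"path": "/search", "class": "likely_attack"},
    {"path": "/login", "class": "attack"},
]

if __name__ == "__main__":
    for name, pred in (("broad", broad_skip), ("narrow", narrow_skip)):
        print(name, exempted(build_rules(pred), SAMPLE_REQUESTS))
```

The substring match exempts every path that merely contains `/cdn-cgi`, while the prefix match keeps the exemption to the Zaraz endpoint and leaves the score rules active everywhere else.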