Hello. I hope I categorized this issue properly. We’re having an issue with WAF rules being triggered for good user requests (i.e. false positives). What is worse, even though the issue is reproducible, it has a rather random nature: if I go to the page to upload a file for the first time, it may work for me just fine. However, if I try to upload the same file for the 5th or 15th time, or do the same from a different PC, I may see that the spinner keeps spinning infinitely, and at the same time you’d observe that the request was blocked/challenged by the Cloudflare WAF.
About the infrastructure
We’ve got a WAF in front of our Azure-based infrastructure, so it’s used as the entry point, i.e. the DNS record points to the Traffic Manager in Azure, and it distributes the traffic among the Web Application instances. The technology stack is nothing fancy: .NET Framework + Angular. We’re using libraries to protect the app from XSS attacks and also utilize anti-forgery tokens (i.e. we’re protecting the app from the OWASP Top 10 security vulnerabilities).
About the message we’re receiving… it’s hard to understand what it’s trying to say. I see “OWASP Block (981176)” on the screen and a brief description, i.e. “Inbound Anomaly Score Exceeded (Total Score: 40, SQLi=1, XSS=30)”. What is it supposed to mean?
Please see a full screen with more details:
I have a bunch of similar messages generated for different blocked IPs. In most of the cases, it’s the service that returns a calculation result from a stored procedure in SQL Server, and the other one is the service that uploads a file to Azure Blob storage.
- Why exactly are these services involved?
- If this is related to an insufficiently protected app (which I doubt, considering all said above), how to determine what exactly is wrong with the app in order to improve it?
- If this is a false positive (the most plausible explanation), how to configure the WAF to prevent these rules from triggering?
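The quoted message is the summary produced by the OWASP Core Rule Set anomaly-scoring rule: every individual rule that matched adds to a per-category score (SQLi, XSS, ...) and the total is compared with a threshold, so triage means finding which endpoints and categories keep accumulating score. The following Python script, an added example rather than code from the post or from Cloudflare, parses that message and groups blocked events by endpoint; it assumes a constructed one-line-per-event format ("ip method path message") that you would adapt to a real Cloudflare firewall-events export.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events modelled on the message quoted in the post.
# Assumed line format: "<ip> <method> <path> <message>" (not a real
# Cloudflare export format; adapt the split to the CSV/JSON you download).
SAMPLE_EVENTS = [
    "203.0.113.10 POST /api/calc Inbound Anomaly Score Exceeded (Total Score: 40, SQLi=1, XSS=30)",
    "203.0.113.11 POST /api/upload Inbound Anomaly Score Exceeded (Total Score: 35, XSS=30)",
    "203.0.113.10 POST /api/calc Inbound Anomaly Score Exceeded (Total Score: 45, SQLi=5, XSS=30)",
    "198.51.100.7 GET /home allowed",
]

# Matches "Inbound Anomaly Score Exceeded (Total Score: N, CAT=n, CAT=n)".
MSG_RE = re.compile(
    r"Inbound Anomaly Score Exceeded \(Total Score: (?P<total>\d+)"
    r"(?P<cats>(?:, \w+=\d+)*)\)"
)


def parse_message(msg):
    """Return {'total': N, '<category>': n, ...} or None if not a block message."""
    m = MSG_RE.search(msg)
    if not m:
        return None
    cats = re.findall(r"(\w+)=(\d+)", m.group("cats"))
    return {"total": int(m.group("total")), **{k: int(v) for k, v in cats}}


def summarize(events):
    """Group anomaly-score blocks by 'METHOD /path': hit count, source IPs,
    and the cumulative score contributed by each rule category."""
    per_path = defaultdict(lambda: {"hits": 0, "ips": set(), "categories": Counter()})
    for line in events:
        ip, method, path, msg = line.split(" ", 3)
        parsed = parse_message(msg)
        if parsed is None:
            continue  # allowed or non-anomaly-score events are ignored
        entry = per_path[f"{method} {path}"]
        entry["hits"] += 1
        entry["ips"].add(ip)
        for cat, score in parsed.items():
            if cat != "total":
                entry["categories"][cat] += score
    return dict(per_path)


def dominant_category(summary, endpoint):
    """Category whose rules contribute most score for an endpoint (the one
    to inspect first when deciding whether a block is a false positive)."""
    return summary[endpoint]["categories"].most_common(1)[0][0]


if __name__ == "__main__":
    for endpoint, entry in summarize(SAMPLE_EVENTS).items():
        print(endpoint, entry["hits"], sorted(entry["ips"]), dict(entry["categories"]))
```

Endpoints where one category dominates across many distinct source IPs are the candidates for a targeted rule exception rather than a blanket WAF change.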