False positive: rule 941340 on Azure Front Door #2341

Closed
exlibris opened this issue Dec 22, 2021 · 5 comments
@exlibris

Description

"Matched Data: ""url":"https://XXXXXXX.XX.XXX/psc/XXjob/XXCAREERS/HRCR/c/HRS_HRAM_FL.HRS_CG_SEARCH_FL.GBL?page=HRS_"

See attached image for redacted log entry.
FirewallLog

Audit Logs / Triggered Rule Numbers

WAF rule id 941340

Your Environment

Azure Front Door

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@azurit
Member

azurit commented Dec 22, 2021

@exlibris Thank you for reporting this! We will take a look at this issue as soon as possible.

@fzipi
Member

fzipi commented Dec 26, 2021

Hi @exlibris! Looks like you have indeed fallen into a false positive. But this one is tricky, because you definitely want to oversee that this full URL passed is properly used and sanitized by the application before creating an exception.

For your Azure Front Door case, you should read this documentation: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration

If you have more control over the WAF (e.g. ModSecurity or custom install) you can create an exception following this doc: https://coreruleset.org/docs/configuring/false_positives_tuning/#example-7-ctlruleremovetargetbyid.
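
The kind of exclusion that linked documentation describes, as an added example for a self-managed ModSecurity install (not part of the comment above, and not taken from the issue or the CRS project). The cookie name `EXAMPLE_COOKIE`, the path prefix `/example-app/` and the local rule id `1000` are placeholders, since the issue names neither the cookie nor a path to scope on.

```apache
# Added example: runtime exclusion for CRS rule 941340.
# Load this BEFORE the CRS rule files, e.g. in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, so the ctl action
# is in effect by the time 941340 is evaluated.
#
# Placeholders (not from the issue): EXAMPLE_COOKIE, /example-app/, id 1000.

# Too broad: removes 941340 for every target on every request,
# so genuine matches in ARGS or other cookies are no longer caught.
# (Shown commented out; this directive would go after the CRS includes.)
# SecRuleRemoveById 941340

# Narrow: only for requests under one path prefix, and only for one
# named cookie. 941340 still inspects all other cookies and arguments.
SecRule REQUEST_URI "@beginsWith /example-app/" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941340;REQUEST_COOKIES:EXAMPLE_COOKIE"
```

Because the cookie in this thread is set by a different site on the same domain, the exclusion has to be keyed on the cookie name and the application's handling of that cookie's URL value should be confirmed first.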

@fzipi fzipi added the azure label Dec 26, 2021
@fzipi fzipi changed the title False positive False positive: rule 941340 on Azure Front Door Dec 26, 2021
@fzipi
Member

fzipi commented Jan 2, 2022

@exlibris Any news on this? Did you use a custom rule?

@fzipi fzipi self-assigned this Jan 2, 2022
@exlibris
Author

exlibris commented Jan 3, 2022

We did fix things in our Azure configuration so that our users are not affected. Interestingly, the cookie being set is not actually part of our application - it is for a different site within our enterprise, but was causing problems for us because we share the same domain. So, we are good to go at our end. I just thought that this should perhaps be fixed universally in case it causes problems for others. Took us quite a bit of diffing (and a support call to Microsoft) to get to the bottom of it. Would be good to spare others the hassle if indeed it is a false positive.

@fzipi
Member

fzipi commented Jan 22, 2022

Excellent.

There is not much we can do here as this is specific to the applications you are using. But thanks for letting us know, and I'm glad you solved it. Closing.
