False positive: rule 941340 on Azure Front Door #2341
Comments
@exlibris Thank you for reporting this! We will take a look at this issue as soon as possible.
Hi @exlibris! Looks like you have indeed fallen into a false positive. But this one is tricky, because you definitely want to oversee that this full URL passed is properly used and sanitized by the application before creating an exception. For your Azure Front Door case, you should read this documentation: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration If you have more control over the WAF (e.g. ModSecurity or custom install) you can create an exception following this doc: https://coreruleset.org/docs/configuring/false_positives_tuning/#example-7-ctlruleremovetargetbyid.
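The ctl:ruleRemoveTargetById exclusion that the comment above points to, written out for this issue's case as an added example (not taken from the issue or from the CRS project). The cookie name ENTERPRISE_URL, the /psc/ path prefix (from the redacted URL) and the local rule id 1000 are assumptions, since the issue does not name the cookie:

```apache
# Added example: stop CRS rule 941340 inspecting one named cookie, and only
# on the affected application path, instead of disabling the rule outright.
# Assumed values: cookie name "ENTERPRISE_URL" (not given in the issue),
# path prefix /psc/ (from the redacted URL), local rule id 1000.
# Place this before the CRS rules are loaded (e.g. in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) so the ctl action is
# evaluated before rule 941340 runs in phase 2.
SecRule REQUEST_URI "@beginsWith /psc/" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941340;REQUEST_COOKIES:ENTERPRISE_URL"
```

Conditioning on REQUEST_URI keeps the cookie inspected on every other path, and every other CRS rule still checks the cookie value; an exclusion is still only safe once the application is known to handle that URL safely, as the comment notes.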
@exlibris Any news on this? Did you use a custom rule?
We did fix things in our Azure configuration so that our users are not affected. Interestingly, the cookie being set is not actually part of our application - it is for a different site within our enterprise, but was causing problems for us because we share the same domain. So, we are good to go at our end. I just thought that this should perhaps be fixed universally in case it causes problems for others. Took us quite a bit of diffing (and a support call to Microsoft) to get to the bottom of it. Would be good to spare others the hassle if indeed it is a false positive.
Excellent. There is not much we can do here as this is specific to the applications you are using. But thanks for letting us know, and I'm glad you solved it. Closing.
Description
Matched Data: "url":"https://XXXXXXX.XX.XXX/psc/XXjob/XXCAREERS/HRCR/c/HRS_HRAM_FL.HRS_CG_SEARCH_FL.GBL?page=HRS_
See attached image for redacted log entry.
Audit Logs / Triggered Rule Numbers
WAF rule id 941340
Your Environment
Azure Front Door
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.