WAF Alerts for Excessive use of Special Characters


Hello,

Recently we published the ADSelfService Plus tool in an Azure Gateway, and if we enable the WAF there, we notice the following rule issues.

Detects basic SQL authentication bypass attempts 2/3
o Matched Data: \":10,\"T found within ARGS:NAVIGATION_DETAILS: {\"RECORDS_PER_PAGE\":10,\"TOTAL_COUNT\":13,\"END_COUNT\":10,\"PAGE_NAVIGATION\":1,\"START_COUNT\":1}
o REQUEST-942-APPLICATION-ATTACK-SQLI.conf
o RuleId: 942260

Detects classic SQL injection probings 2/2
o Matched Data: \":10 found within ARGS:NAVIGATION_DETAILS: {\"RECORDS_PER_PAGE\":10,\"TOTAL_COUNT\":13,\"END_COUNT\":10,\"PAGE_NAVIGATION\":1,\"START_COUNT\":1}
o REQUEST-942-APPLICATION-ATTACK-SQLI.conf
o RuleId: 942370

Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
o Matched Data: {\"RECORDS_PER_PAGE\":10,\"TOTAL_COUNT\":13,\"END_COUNT\":10,\"PAGE_NAVIGATION\" found within ARGS:NAVIGATION_DETAILS: {\"RECORDS_PER_PAGE\":10,\"TOTAL_COUNT\":13,\"END_COUNT\":10,\"PAGE_NAVIGATION\":1,\"START_COUNT\":1}
o REQUEST-942-APPLICATION-ATTACK-SQLI.conf
o RuleId: 942430

Detects MySQL comment-/space-obfuscated injections and backtick termination
o Matched Data: ,\"ENABLE_MANAGE_DASHBOARD\": found within ARGS:params: {\"tabId\":\"1\",\"ENABLE_MANAGE_DASHBOARD\":\"true\",\"isRefreshed\":\"false\",\"ENABLE_EMBED_WIDGET\":\"true\",\"type\":\"Pie\",\"HEIGHT\":\"285\",\"layoutName\":\"ads.home.layout.name.default_layout\",\"duration\":\"-1\",\"ENABLE_MANAGE_RHS\":\"true\",\"IS_EMBER\":\"true\",\"isEmber\":\"true\",\"DISABLE_RHS\":\"true\",\"domainName\":\"xx.xx-xxxxxx\",\"ENABLE_EMBED_DASHBOARD\":\"true\",\"LAYOUT_ID\":\"1\",\"containerId\":\"2\",\"name\":\"Enrollment Reports\",\"userId\":\"1\"}
o REQUEST-942-APPLICATION-ATTACK-SQLI.conf
o RuleId: 942200

Detects classic SQL injection probings 1/2
o Matched Data: \"1\",\"E found within ARGS:params: {\"tabId\":\"1\",\"ENABLE_MANAGE_DASHBOARD\":\"true\",\"isRefreshed\":\"false\",\"ENABLE_EMBED_WIDGET\":\"true\",\"type\":\"Pie\",\"HEIGHT\":\"285\",\"layoutName\":\"ads.home.layout.name.default_layout\",\"duration\":\"-1\",\"ENABLE_MANAGE_RHS\":\"true\",\"IS_EMBER\":\"true\",\"isEmber\":\"true\",\"DISABLE_RHS\":\"true\",\"domainName\":\"xx.xx-xxxxxx\",\"ENABLE_EMBED_DASHBOARD\":\"true\",\"LAYOUT_ID\":\"1\",\"containerId\":\"2\",\"name\":\"Enrollment Reports\",\"userId\":\"1\"}
o REQUEST-942-APPLICATION-ATTACK-SQLI.conf
o RuleId: 942330

Request content type is not allowed by policy
o Pattern match ^(?:GET|HEAD|PROPFIND|OPTIONS)$; Pattern match ^([^;\\s]+); Pattern match ^ Tx:allowed_request_content_type $ at TX:0.
o REQUEST-920-PROTOCOL-ENFORCEMENT.conf
o RuleId: 920420

The version we have is Version: 6.1 Build: 6100

Is this something that is on the roadmap for improvement?

Thank you,
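
Why rule 942430 fires on the NAVIGATION_DETAILS value in the alert above, shown as an added example that is not part of the original post and is not ManageEngine or CRS project code. The character set is an assumed approximation of what the rule counts, and the function names and `SMALL_ARG` are hypothetical.

```python
import re

# Assumption: approximation of the characters CRS rule 942430 counts; check
# the rule file of the CRS version your gateway runs before relying on it.
SPECIAL_CHARS = "~!@#$%^&*()-+={}[]|:;\"'`<>"
THRESHOLD = 12  # from the alert: "# of special characters exceeded (12)"

_cls = re.escape(SPECIAL_CHARS)
# Same shape as the rule: THRESHOLD repetitions of one special character
# followed by a lazy run of non-special characters.
PATTERN = re.compile("(?:[%s][^%s]*?){%d}" % (_cls, _cls, THRESHOLD))

# Argument value from the alert in the post, with the log's \" escaping removed.
NAVIGATION_DETAILS = ('{"RECORDS_PER_PAGE":10,"TOTAL_COUNT":13,"END_COUNT":10,'
                      '"PAGE_NAVIGATION":1,"START_COUNT":1}')
# Constructed sample: a small JSON argument that stays under the threshold.
SMALL_ARG = '{"tabId":"1"}'


def count_special(value):
    """Number of characters in value that belong to the counted set."""
    return sum(ch in SPECIAL_CHARS for ch in value)


def matched_data(value):
    """Text the pattern matches (what the WAF logs as Matched Data), or None."""
    m = PATTERN.search(value)
    return m.group(0) if m else None


def flagged_args(args):
    """Names of arguments whose value would trip the threshold."""
    return sorted(name for name, value in args.items() if matched_data(value))


if __name__ == "__main__":
    args = {"NAVIGATION_DETAILS": NAVIGATION_DETAILS, "tabArg": SMALL_ARG}
    for name, value in args.items():
        print(name, count_special(value), repr(matched_data(value)))
    print("flagged:", flagged_args(args))
```

An argument that ordinary application JSON pushes over the threshold is a candidate for an exclusion scoped to that argument name and rule ID, rather than disabling the rule for all traffic.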