Request blocked by Microsoft_DefaultRuleSet-2.1-SQLI-942120 for Russian language

Mohideen Ansari 0 Reputation points
2024-09-13T12:40:48.4533333+00:00

When we tried to submit leads on our website, we figured out that for Russian-language characters the Azure Front Door firewall rule (942120 - SQL Injection Attack: SQL Operator Detected) was blocking the requests. Below is the screenshot of how we found it through the logs.

User's image

Once we disable the rule, the request also works fine for the Russian language. How can we fix this without disabling the WAF default rule (Microsoft_DefaultRuleSet-2.1-SQLI-942120)?


1 answer

  1. ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
    2024-09-13T19:49:39.2666667+00:00

    @Mohideen Ansari

    Thank you for reaching out.

    I understand you are trying to know how to best fix the false positive on the WAF rule Microsoft_DefaultRuleSet-2.1-SQLI-942120.

    Every WAF rule uses a regex pattern to match a rule. For Rule 942120, the regex pattern is used to detect any characters which can be used in a SQL injection attack.

    The best way to resolve false positives is to set up an exclusion.

    One benefit of using an exclusion list is that only the match variable you select to exclude will no longer be inspected for that given request. That is, you can choose between specific request headers, request cookies, query string arguments, or request body post arguments to be excluded if a certain condition is met, as opposed to excluding the whole request from being inspected.

    For more information about exclusion lists, see Azure Web Application Firewall with Azure Front Door exclusion lists.

    Also, to make an informed decision about handling a false positive, it's important to familiarize yourself with the technologies your application uses. For example, say there isn't a SQL server in your technology stack, and you're getting false positives related to those rules. Disabling those rules doesn't necessarily weaken your security.

    You can go through this document on how to understand WAF logs and how to set up exclusions.

    Please let me know if you have any questions here. Thank you!

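As an added example (not part of the original answer or Microsoft's own code), the sketch below reads WAF log records, finds which request fields triggered rule 942120, and proposes one narrowly scoped exclusion per field so that the rule stays enabled for everything else. It assumes the log exposes `properties.ruleName` and `properties.details.matches[].matchVariableName` in a `Prefix:fieldname` form and that the prefixes map to exclusion match variables as shown; the form field names `message` and `name` and all log lines are constructed.

```python
import json
from collections import Counter

RULE = "Microsoft_DefaultRuleSet-2.1-SQLI-942120"  # rule name from the question

# Assumption: log matchVariableName prefixes map to these exclusion match variables.
PREFIX_TO_MATCH_VARIABLE = {
    "PostParamValue": "RequestBodyPostArgNames",
    "QueryParamValue": "QueryStringArgNames",
    "CookieValue": "RequestCookieNames",
    "HeaderValue": "RequestHeaderNames",
}

def _record(rule, variable, value):
    """Build one constructed log line in the assumed WAF log shape."""
    return json.dumps({"properties": {"ruleName": rule, "action": "Block",
        "details": {"matches": [{"matchVariableName": variable,
                                 "matchVariableValue": value}]}}})

# Constructed sample log (field names "message" and "name" are hypothetical).
SAMPLE_LOG = "\n".join([
    _record(RULE, "PostParamValue:message", "Здравствуйте, хочу узнать цену"),
    _record(RULE, "PostParamValue:message", "Пожалуйста, перезвоните мне"),
    _record(RULE, "PostParamValue:name", "Иван Петров"),
    _record("ExampleCustomRule", "QueryParamValue:q", "test"),
    "not json",  # malformed line, must be skipped
])

def matches_for_rule(log_text, rule_name=RULE):
    """Count (prefix, selector) pairs that triggered rule_name."""
    hits = Counter()
    for line in log_text.splitlines():
        try:
            props = json.loads(line)["properties"]
        except (json.JSONDecodeError, KeyError, TypeError):
            continue
        if props.get("ruleName") != rule_name:
            continue
        for match in props.get("details", {}).get("matches", []):
            prefix, _, selector = match.get("matchVariableName", "").partition(":")
            hits[(prefix, selector)] += 1
    return hits

def propose_exclusions(hits):
    """Turn log hits into per-field exclusions; unmapped variables need manual review."""
    return [{"matchVariable": PREFIX_TO_MATCH_VARIABLE[p], "selectorMatchOperator": "Equals",
             "selector": s, "hits": n}
            for (p, s), n in sorted(hits.items()) if p in PREFIX_TO_MATCH_VARIABLE and s]

if __name__ == "__main__":
    for exclusion in propose_exclusions(matches_for_rule(SAMPLE_LOG)):
        print(exclusion)
```

Each proposed entry should be attached to rule 942120 only, not to the whole rule set, so other SQLI rules still inspect those fields.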
