Azure Web Application Firewall
An Azure service that provides protection for web apps.
329 questions
Need assistance to resolve waf rule " Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 7.000000000000001%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVL%3C/text%3E%3C/svg%3E)
Vipul Laxmikant Redkar
0
Reputation points
Hi
We need assistance in resolving an issue with the WAF while loading the following application URL. The web application is calling the API to load the application. Please find the URL and the error message below for reference. Please need assistance to solve this issuPossible Remote File Inclusion
URL : [/api/public/DomainOrganization?domain=https://amswebuat.XXXXX.a:443/?domain=https://amswebuat.XXXXX.a:445/ ]
Message:
(RFI) Attack: Off-Domain Reference/Link
Inbound Anomaly Score Exceeded (Total Score: 5)
{count} votes
-
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee2024-09-24T11:39:16.0466667+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that your WAF is blocking a legitimate request.
- Can you please specify if this an App Gateway WAF or AFD WAF?
- In either case, what is the Managed RuleSet version you are using?
- See :
- And the exact rule number that is being hit?
Cheers,
Kapil
-
Vipul Laxmikant Redkar 0 Reputation points
2024-09-26T08:00:06.6566667+00:00 Hi Kapil,
Thank you for your response App Gateway WAF and rule version is 3.2
-
Vipul Laxmikant Redkar 0 Reputation points
2024-09-26T08:06:06.41+00:00 Hi Kapil,
Thank you for your response.
It's App gateway WAF
Rule Set Version is 3.2
Rule ID 931130 and 949110
-
KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee
2024-09-26T08:23:52.2566667+00:00 Thanks for the info.
- And can you also share the complete error message from Firewall log
- Specifically for details.message
- Note that Rule 949110 cannot be disabled as it is a mandatory rule that gets triggered when the anomaly score meets the threshold
- See : Anomaly scoring
- It appears the other rule 931130 is the one actually causing the anomaly to increase.
In WAF, when you feel there is a false positive, you have three options
- Disable the rule
- Provided they are not mandatory rules.
- Create Exclusion List based on the matched parameters
- or create Custom rules to allow your requests.
Effectively, you have to tune your WAF to suit your application requirement.
Cheers,
Kapil
- And can you also share the complete error message from Firewall log
Sign in to comment
Sign in to answer