问题描述
我正在Azure上运行一个asp.net Web应用程序,它前面有一个应用程序网关,启用WAF(Web应用程序防火墙).
I'm running a asp.net web application on Azure, I have an Application Gateway in front of it, enable the WAF (Web application Firewall).
但是我的许多前端HTTP请求都被WAF阻止,例如我的JSON负载:
But many of my http requests from the front-end are blocked by the WAF, for example my payload in JSON:
[{"inputtype":"text","name":"wwwwww","memo":"","score":1,"sort":1,"isrequired":false,"allowseeresult":false,"choicenummin":null,"choicenummax":null,"options":[]}]
错误消息是:
"message": "Warning. Pattern match \"((?:
[\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\ {\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>][^\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>]*?){12})\" at ARGS:questions.",
"data": "Matched Data: [{\\x22inputtype\\x22:\\x22text\\x22,\\x22name\\x22:\\x22who is it\\x22 found within ARGS:questions: [{\\x22inputtype\\x22:\\x22text\\x22,\\x22name\\x22:\\x22who is it\\x22,\\x22memo\\x22:\\x22\\x22,\\x22score\\x22:1,\\x22sort\\x22:1,\\x22isrequired\\x22:true,\\x22allowseeresult\\x22:false,\\x22choicenummin\\x22:null,\\x22choicenummax\\x22:null,\\x22options\\x22:[]}]",
"file": "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
"line": "1002"
似乎有效载荷中不允许使用".
Seems that "" is not allowed in the payload.
我尝试使用htmlencode将"编码为&";"但是;"仍然被WAF阻止.
I tried to use htmlencode to encode the "" to "" ;"but the ";" still got blocked by WAF.
那么我应该如何编码我的有效载荷以避免它被阻塞?有什么建议吗?谢谢.
So how should I encode my payload to avoid it being blocked?Any recommendations? Thanks.
推荐答案
您只能做2件事1.禁用规则,2.使用排除列表,链接.
You can only do 2 things 1. Disable the rule, 2. Use an exclusion list, Link.
这篇关于Http请求被Azure WAF阻止,如何正确编码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!