WAF-Policy-custom-rules/ #5

Open
utterances-bot opened this issue Aug 18, 2022 · 1 comment

@utterances-bot

Bypassing custom rules using the RequestHeaders match variable in WAF v2 – Stefan Ivemo – A blog about Microsoft Azure, Microsoft 365 and other tech stuff.

I had a case the other day where a custom rule in a Web Application Firewall v2 policy attached to an Application Gateway behaved kind of funky. The rule was set up to deny traffic if a specific request header in the HTTP request was not present. At first everything looked good, but after a while I still noticed that some unwanted traffic was hitting my backend service. After some testing and investigation, I came up with the following. Thanks @SimonWahlin for the support!

https://blog.ivemo.se/WAF-Policy-custom-rules/

zevsst commented Aug 18, 2022

Oh, man! I came up with the same workaround but it totally bypasses WAF managed rules if you have some...
