3

I have a form which has some input fields. Some of the input fields have JSON strings as values, like:

[{"actionItems":"1","actions":"Go To Home","articleLink":""}, 
{"actionItems":"2","actions":"Rollback","articleLink":""}]

But when I submit this, the request gets blocked by Azure WAF and returns 403, while the other forms that do not have JSON strings as values are submitted successfully. Can someone suggest a workaround for this?

prasoon

1 Answer

5

I assume the reason WAF is filtering your request is because it detects a JSON payload while the Content-Type of the request is not application/json.

(The full list of rules is available here. From what I can see, such a scenario can match multiple rules. My guess is 920120, 920121 and 920341.)

You can either:

  • URLEncode the data in your <input>
  • Add a custom rule to disable WAF for the URL you're POSTing to
  • Globally disable some of the rules that are affecting this particular case
  • Use JavaScript to programmatically issue the request, then set the Content-Type header to application/json.
haim770
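The last option in the answer above (issuing the request from JavaScript with Content-Type set to application/json), as an added example that is not part of the original answer. The field names `title` and `steps`, the helper names, and the assumption that the receiving endpoint accepts a JSON body are all hypothetical.

```javascript
// Added example: field names, helper names and any URL passed in are hypothetical.

// Parse a field value as JSON only when it looks like an object or array
// literal; plain strings such as "42" or "true" stay strings.
function parseIfJson(value) {
  if (typeof value !== "string") return value;
  const trimmed = value.trim();
  if (!/^[\[{]/.test(trimmed)) return value;
  try {
    return JSON.parse(trimmed);
  } catch {
    return value; // not valid JSON: send it unchanged as a string
  }
}

// Build fetch() options that carry the whole form as one JSON document,
// so the declared Content-Type matches what the body actually contains.
function buildJsonRequest(fields) {
  const payload = {};
  for (const [name, value] of Object.entries(fields)) {
    payload[name] = parseIfJson(value);
  }
  return {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(payload),
  };
}

// Browser wiring: call this from the form's submit handler after
// event.preventDefault(). Repeated field names collapse to the last value.
function submitAsJson(form, url) {
  const fields = Object.fromEntries(new FormData(form).entries());
  return fetch(url, buildJsonRequest(fields));
}

// Constructed sample input mirroring the form described in the question.
const sampleFields = {
  title: "Runbook",
  steps: '[{"actionItems":"1","actions":"Go To Home","articleLink":""},' +
         '{"actionItems":"2","actions":"Rollback","articleLink":""}]',
};
const sampleRequest = buildJsonRequest(sampleFields);
console.log(sampleRequest.headers["Content-Type"], sampleRequest.body);
```

The server-side handler has to read a JSON body instead of form fields for this to work, which keeps the WAF rules enabled rather than excluded for that URL.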