Azure WAF exclusion - (RFI) Attack

Question

I'm working on a WAF policy. Currently, the WAF is on detection mode and I've been creating exclusions and identifying false positives etc.

There is one rule I'm struggling to implement and it concerns RFI. Specifically this:

Rule ID: 931130
Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
Details message: Pattern match ^(?i:file|ftps?|https?)://(.)$; Begin With RequestHeaders:host at TX:rfi_parameter_..

Please see screenshot for an example in the logs.

rfi-example

Does anybody know how I can exclude this?

If tried this but no dice:

exclusion-detail

Cheers, Ben

did you ever solve this? i'm running into the same issue – OJ LaBoeuf Apr 04 '23 at 00:45 — OJ LaBoeuf, Apr 04 '23 at 00:45

score 0 · Answer 1 · answered Aug 26 '22 at 10:07

0

You may have already figured this out but this is to help some one else facing this issue. You can try - Req Args Name contains urlreferrer

answered Aug 26 '22 at 10:07

Arun

37
1
5

score 0 · Answer 2 · answered Apr 05 '23 at 08:08

We were able to resolve this with the help of Microsoft support. In our case the issue came down to the arg name being case-sensitive. You need to know the case the caller is using for the arg name, which if memory serves may differ from the case used in the log entry - unhelpful on all counts.

Azure WAF exclusion - (RFI) Attack

2 Answers2