We have an ASP.NET MVC application hosted in Azure App Service. The WAF policy on the Application Gateway is blocking a POST request with a "403 Forbidden" error. In the firewall log, we see the error below:
{
  "timeStamp": "2023-07-25T04:19:52+00:00",
  "resourceId": "XXXX",
  "operationName": "ApplicationGatewayFirewall",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "appgw_0",
    "clientIp": "XXXX",
    "requestUri": "/Account/ForgotPassword",
    "ruleSetType": "OWASP CRS",
    "ruleSetVersion": "3.2",
    "ruleId": "920160",
    "ruleGroup": "REQUEST-920-PROTOCOL-ENFORCEMENT",
    "message": "Content-Length HTTP header is not numeric.",
    "action": "Matched",
    "details": {
      "message": "Pattern match ^\\d+$ at REQUEST_HEADERS:content-length.",
      "data": "2",
      "file": "REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
      "line": "130"
    },
    "hostname": "dev.abc.com",
    "transactionId": "3d76839b7988f5963773b6016e3098d5",
    "policyId": "133#_subscriptions_c0978b9d-b809-45f4-aa76-391ceb2cfdba_resourceGroups_XXX_1_providers_Microsoft.Network_ApplicationGatewayWebApplicationFirewallPolicies_WAF-azuswa1easasdfe318",
    "policyScope": "Global",
    "policyScopeName": "Global",
    "engine": "Azwaf"
  }
}
I inspected the POST request in the Network tab and I see a valid Content-Length header. So I am unaware of why this traffic is blocked on the gateway and what the workaround for this is, other than disabling the particular rule.
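
Added example, not part of the original post: a small Python helper for triaging `ApplicationGatewayFirewallLog` records like the one above. It groups records by `transactionId`, separates `Blocked` records from other rule hits, and tests the logged `data` against the regex quoted in `details.message`. The function names and the second sample record (rule `949110`, action `Blocked`) are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample: record 1 copies fields from the log above; record 2 is
# invented here to show a blocking record sharing the same transactionId.
SAMPLE_LOG = r'''[
 {"properties": {"requestUri": "/Account/ForgotPassword", "ruleId": "920160",
   "action": "Matched", "transactionId": "3d76839b7988f5963773b6016e3098d5",
   "details": {"message": "Pattern match ^\\d+$ at REQUEST_HEADERS:content-length.",
               "data": "2"}}},
 {"properties": {"requestUri": "/Account/ForgotPassword", "ruleId": "949110",
   "action": "Blocked", "transactionId": "3d76839b7988f5963773b6016e3098d5",
   "details": {"message": "", "data": ""}}}
]'''

# Shape of details.message as it appears in the record above.
DETAILS_RE = re.compile(r"^Pattern match (?P<rx>.+) at (?P<target>\S+?)\.?$")

def data_fits_pattern(details):
    """True/False if the logged data satisfies the quoted regex, None if unknown."""
    m = DETAILS_RE.match(details.get("message", ""))
    if not m:
        return None
    try:
        return re.search(m["rx"], details.get("data", "")) is not None
    except re.error:  # the quoted pattern may not be valid Python regex syntax
        return None

def summarize(records):
    """Group firewall records by transactionId, splitting Blocked from other hits."""
    by_txn = defaultdict(lambda: {"uri": None, "blocked_by": [], "matched": []})
    for rec in records:
        p = rec["properties"]
        txn = by_txn[p["transactionId"]]
        txn["uri"] = p["requestUri"]
        hit = {"ruleId": p["ruleId"], "data": p["details"].get("data", ""),
               "data_fits_pattern": data_fits_pattern(p["details"])}
        bucket = "blocked_by" if p["action"] == "Blocked" else "matched"
        txn[bucket].append(hit)
    return dict(by_txn)

if __name__ == "__main__":
    for txn_id, info in summarize(json.loads(SAMPLE_LOG)).items():
        print(txn_id, info["uri"])
        for bucket in ("blocked_by", "matched"):
            for hit in info[bucket]:
                print(f"  {bucket}: rule {hit['ruleId']} data={hit['data']!r} "
                      f"fits_pattern={hit['data_fits_pattern']}")
```

For the record copied from the post, `data_fits_pattern` is true: the logged value `2` satisfies `^\d+$`, so the `data` field alone does not show a non-numeric header.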