I'm working with an ASP.NET web application that's secured by Azure Application Gateway with WAF enabled. I keep encountering an issue where Azure WAF blocks legitimate user input in address fields. For instance, a client from Bulgaria submitted an address containing the character '№', which is perfectly valid, but it gets flagged as suspicious by the WAF. This means I have to remove it manually, which isn't ideal since such characters are integral to actual addresses. This problem extends to other characters typical of Bulgarian keyboards, like certain quotation marks. I've seen discussions suggesting that to address this, one could either disable the rule or add exclusions. However, I do not want to disable fundamental injection rules globally just for one field. How can I effectively encode user input to include characters like '№' or Bulgarian quotes without triggering WAF blocks, and without resorting to disabling rules or removing characters?
2 Answers
Yeah, I've faced a lot of issues with Azure WAF causing false positives. We ultimately switched to Cloudflare, which has better detection capabilities, but it does introduce another layer of dependency that isn't ideal. At this point, I might end up disabling the problematic rules because that's the only practical workaround I've found.
The root of the issue is that Azure WAF employs Azure-specific rules that differ from the original OWASP ones. You can enable logging to pinpoint what's causing the block, but the modified rules aren't accessible for reference. I've shifted to using Nginx Ingress Controller in AKS to implement the original OWASP rules. However, this is only a temporary solution since it won't be supported after April 2026, and no open source WAF for Gateway API exists yet. In the meantime, guessing which rule is causing the block from logs seems like the best bet and potentially disabling that specific rule might be the only way forward.
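The answer above recommends enabling the firewall log and working out from it which rule is behind the block. The following Python script, added here as an example (it is not code from the question, either answer, or Microsoft), does that triage offline over an NDJSON export of Application Gateway firewall log entries. Field names follow the ApplicationGatewayFirewallLog schema (category, properties.transactionId, ruleId, action, message, details.data); every sample record below is constructed, and the rule IDs 920272 and 942432 in them are illustrative placeholders rather than a claim about which CRS rule fires on '№'. The one behaviour it relies on is how CRS 3.x anomaly scoring is logged: each rule that fires produces a "Matched" entry, and the transaction is then closed by a "Blocked" entry for the scoring rule 949110, so the scoring rule itself is never the explanation.

```python
"""Triage Azure Application Gateway WAF logs to find the rule behind a block.

Added example, not code from the question, the answers, or Microsoft.
All sample records are CONSTRUCTED; rule IDs in them are illustrative.
"""
import json
from collections import Counter, defaultdict

# CRS 3.x anomaly-scoring rules: every blocked transaction ends with a
# "Blocked" entry for one of these, and they never explain the block.
ANOMALY_RULES = {"949110", "949111", "980130"}


def _rec(tx, rule, action, msg, data, uri):
    """Build one constructed NDJSON line in the firewall-log shape."""
    return json.dumps({
        "operationName": "ApplicationGatewayFirewall",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "transactionId": tx, "requestUri": uri, "ruleSetType": "OWASP",
            "ruleSetVersion": "3.2", "ruleId": rule, "action": action,
            "message": msg, "details": {"message": msg, "data": data},
        },
    }, ensure_ascii=False)


# Constructed export: one blocked request containing '№' and a Bulgarian
# low quote, one request that matched but stayed under the anomaly
# threshold, one blocked request that hit only the quote rule, plus an
# access-log line that shares the same sink and must be skipped.
CONSTRUCTED_LOG_LINES = [
    _rec("t-0001", "920272", "Matched",
         "Invalid character in request (outside of printable chars below ascii 127)",
         "Matched Data: \u2116 found within ARGS:Address: ul. Ivan Vazov \u2116 12",
         "/Account/Register"),
    _rec("t-0001", "942432", "Matched",
         "Restricted SQL Character Anomaly Detection (args)",
         "Matched Data: \u201e found within ARGS:Address: \u201eZornitsa\u201c 3",
         "/Account/Register"),
    _rec("t-0001", "949110", "Blocked",
         "Inbound Anomaly Score Exceeded (Total Score: 8)", "", "/Account/Register"),
    _rec("t-0002", "942432", "Matched",
         "Restricted SQL Character Anomaly Detection (args)",
         "Matched Data: \u201e found within ARGS:Address: \u201eVitosha\u201c 1",
         "/Account/Register"),
    _rec("t-0003", "942432", "Matched",
         "Restricted SQL Character Anomaly Detection (args)",
         "Matched Data: \u201e found within ARGS:Company: \u201eABC\u201c EOOD",
         "/Account/Profile"),
    _rec("t-0003", "949110", "Blocked",
         "Inbound Anomaly Score Exceeded (Total Score: 5)", "", "/Account/Profile"),
    json.dumps({"category": "ApplicationGatewayAccessLog",
                "properties": {"httpStatus": 403}}),
]


def parse_waf_log(lines):
    """Return the `properties` object of each firewall-log entry, skipping
    blank lines and other log categories written to the same sink."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("category") == "ApplicationGatewayFirewallLog":
            out.append(entry["properties"])
    return out


def explain_blocks(props):
    """Map each blocked transactionId to the rules that contributed to its
    anomaly score, with the request URI and the matched-data fragment.
    Transactions that matched rules but were not blocked are ignored."""
    by_tx = defaultdict(list)
    for p in props:
        by_tx[p["transactionId"]].append(p)
    explained = {}
    for tx, events in by_tx.items():
        if not any(e["action"] == "Blocked" for e in events):
            continue
        explained[tx] = {
            "requestUri": events[0]["requestUri"],
            "rules": [
                {"ruleId": e["ruleId"], "message": e["message"],
                 "data": e.get("details", {}).get("data", "")}
                for e in events
                if e["action"] == "Matched" and e["ruleId"] not in ANOMALY_RULES
            ],
        }
    return explained


def rank_rules(explained):
    """(ruleId, count) pairs, most frequent contributor to blocks first."""
    return Counter(r["ruleId"] for tx in explained.values()
                   for r in tx["rules"]).most_common()


def rules_matching(explained, needle):
    """Rule IDs whose matched-data fragment contains `needle`, e.g. '№'."""
    return {r["ruleId"] for tx in explained.values()
            for r in tx["rules"] if needle in r["data"]}


if __name__ == "__main__":
    explained = explain_blocks(parse_waf_log(CONSTRUCTED_LOG_LINES))
    for tx, info in explained.items():
        print(tx, info["requestUri"])
        for r in info["rules"]:
            print(f"  {r['ruleId']}  {r['message']}\n      {r['data']}")
    print("most frequent contributors:", rank_rules(explained))
    print("rules that fired on '\u2116':", rules_matching(explained, "\u2116"))
```

Point it at a real export (each line one JSON entry as delivered to a storage account or Log Analytics) instead of CONSTRUCTED_LOG_LINES. The output pairs a rule ID with the argument name it matched on (ARGS:Address in the constructed sample), which is exactly the pair a scoped exclusion needs; disabling the rule is the broader step the answer above describes as the fallback.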
