
I have an Azure App Service sitting behind an Azure App Gateway on the WAF v2 tier. We are experiencing an issue where we get the 403 Forbidden response from the gateway in some Chrome browsers, yet the site displays correctly from Chrome Incognito mode and works fine in IE and Edge.

And so Azure WAF is blocking traffic where, for some installs of Chrome (same version, not all), ruleID 980130 (Warning. Operator GE matched 5 at TX:inbound_anomaly_score) is followed by the block with 949110 (Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score.). Both of those are not customizable, nor can they be disabled.

And the details_data_S doesn't contain anything, hence it is so hard to find what is being matched!

I don't understand the reason behind this; as mentioned, Credge or Firefox... work fine, and incognito mode in Chrome doesn't have any problem either, hence it must be some weird plugin/addon.

Azure WAF doesn't include any information as to what is matched to trigger that rule. Microsoft Azure only points me to https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.1.0/rules/RESPONSE-980-CORRELATION.conf

Have you seen this?

neuro
KitkatNeko
  • Did you find a way to get past this error (980130 and 949110)? – ironman Sep 09 '20 at 19:04
  • I'm facing the same issue. I have my app service behind a firewall, and the user is getting a 403. Tried in multiple browsers; the issue exists only in Chrome. We cleared the storage for that application in Chrome and it started working fine, but we can't ask all the users to do this. This [link](https://learn.microsoft.com/en-us/answers/questions/1080424/how-to-disable-microsoft-defaultruleset-2-0-blocki) says we can't disable the rule. Can we add any rule to exclude this, or is there a way to increase the anomaly score? – avayer Jun 14 '23 at 07:02
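Added example, not part of the original question or comments: 949110 and 980130 only evaluate and report the accumulated anomaly score, so the rules that actually matched are logged as separate records sharing the same transaction ID. The sketch below groups exported firewall-log records by that ID; the JSON field names (`properties.transactionId`, `ruleId`, `details.data`) are assumed to follow the Application Gateway firewall diagnostic log schema, and the sample records are constructed.

```python
import json
from collections import defaultdict

# 949110 evaluates the accumulated score and 980130 reports it; neither
# carries match data, so they are filtered out of the result.
SCORE_RULES = {"949110", "980130"}

# Constructed sample records (not real log data), one JSON object per line.
SAMPLE_LOG = """\
{"properties": {"transactionId": "tx-0001", "ruleId": "942440", "action": "Matched", "requestUri": "/", "details": {"data": "Matched Data: -- found within REQUEST_COOKIES:example_cookie"}}}
{"properties": {"transactionId": "tx-0001", "ruleId": "980130", "action": "Matched", "requestUri": "/", "details": {"data": ""}}}
{"properties": {"transactionId": "tx-0001", "ruleId": "949110", "action": "Blocked", "requestUri": "/", "details": {"data": ""}}}
{"properties": {"transactionId": "tx-0002", "ruleId": "920350", "action": "Matched", "requestUri": "/", "details": {"data": "10.0.0.4"}}}
"""


def contributing_rules(lines):
    """Return {transactionId: [(ruleId, match data), ...]} for blocked requests."""
    by_tx = defaultdict(list)
    for line in lines:
        if line.strip():
            props = json.loads(line).get("properties", {})
            by_tx[props.get("transactionId")].append(props)

    report = {}
    for tx, records in by_tx.items():
        rule_ids = {str(r.get("ruleId")) for r in records}
        if "949110" not in rule_ids:
            continue  # request was not blocked by the anomaly-score rule
        report[tx] = [
            (str(r.get("ruleId")), (r.get("details") or {}).get("data", ""))
            for r in records
            if str(r.get("ruleId")) not in SCORE_RULES
        ]
    return report


if __name__ == "__main__":
    for tx, matches in contributing_rules(SAMPLE_LOG.splitlines()).items():
        for rule_id, data in matches:
            print(tx, rule_id, data)
```

The rule IDs and matched variables this returns are the candidates for a WAF exclusion or a per-rule override, since the two score rules themselves cannot be changed.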

0 Answers