The Azure WAF can be configured to check the maximum size of a request like this:

[Screenshot: WAF request size limit configuration]

Anyway, despite having this configuration, any time we upload a file the WAF treats it as a "not file upload operation" and returns 413 "Request entity too large" if the file exceeds 128 KB.

We are sending the POST request with what we think are the right headers:

Content-disposition: attachment; filename="testImage.jpg"
Content-Length: 2456088
Content-Type: image/jpeg

But it does not make a difference. Any idea why the WAF does not see this as a file upload and applies the Max file upload check instead of the Max request body size limit?

Ignacio Soler Garcia

2 Answers

After several conversations with Microsoft we found that the WAF only considers attachments to be files if they are sent using multipart/form-data.

[Screenshot: multipart/form-data request example]

If you send it this way the WAF will understand it is a file and will therefore apply the limits configured for files instead of those for bodies.

There is no other way to send files supported by the WAF for now.

Ignacio Soler Garcia
  • We came across the same challenge recently. Though the documentation (https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits) suggests the same, did Microsoft mention why it is designed this way? I understand that multipart/form-data uses less space for binary data, possibly that is the reason, but I am unsure. I am also unsure if this mechanism is more secure. – Gaurav Jan 14 '23 at 02:45
  • It was due to time constraints on their side. All sending mechanisms are the same in terms of security imo. – Ignacio Soler Garcia Jan 15 '23 at 07:53

From documentation:

Only requests with Content-Type of multipart/form-data are considered for file uploads. For content to be considered as a file upload, it has to be a part of a multipart form with a filename header. For all other content types, the request body size limit applies.

Please note that the filename header also needs to be present in the request for the WAF to consider it a file upload.

Augustas
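The rule quoted from the documentation above (and the finding in the first answer) can be made concrete with a small model of the classification step. The following is an added example, not code from either answer or from Microsoft: it builds the same kind of request the question shows (a raw image/jpeg body with a `Content-Disposition: attachment; filename=...` header) next to a multipart/form-data request carrying a part with a `filename` parameter, and decides which limit the documented rule would apply to each. The 128 KB body limit is the one the question hit; the file upload limit is a constructed placeholder, and the classifier is only a reading of the quoted rule, not the WAF's actual implementation.

```python
"""Model of the documented Azure WAF rule: a request is a file upload only if its
Content-Type is multipart/form-data AND at least one part carries a filename
parameter in its Content-Disposition. Everything else falls under the request
body size limit. Added example; the WAF's real code is not reproduced here."""
import re
import uuid

# 128 KB is the body limit from the question. The file upload limit below is an
# assumed placeholder for the demo, not a value taken from the documentation.
BODY_LIMIT = 128 * 1024
FILE_LIMIT_ASSUMED = 100 * 1024 * 1024


def build_multipart(field_name, content_type, data, filename=None):
    """Return (headers, body) for a multipart/form-data request with one part.

    When filename is None the part is a plain form field, which the documented
    rule does NOT treat as a file upload even though the envelope is multipart."""
    boundary = "----waf-demo-" + uuid.uuid4().hex
    disposition = f'form-data; name="{field_name}"'
    if filename is not None:
        disposition += f'; filename="{filename}"'
    body = (
        f"--{boundary}\r\n"
        f"Content-Disposition: {disposition}\r\n"
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return headers, body


def _header(headers, name):
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def has_filename_part(content_type, body):
    """True if any multipart part has a Content-Disposition with a filename parameter."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        return False
    delimiter = b"--" + match.group(1).encode()
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        part_headers = part.split(b"\r\n\r\n", 1)[0]
        for line in part_headers.split(b"\r\n"):
            lowered = line.lower()
            if lowered.startswith(b"content-disposition:") and b"filename=" in lowered:
                return True
    return False


def classify(headers, body):
    """Return ('file', limit) or ('body', limit) according to the documented rule."""
    content_type = _header(headers, "Content-Type")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "multipart/form-data" and has_filename_part(content_type, body):
        return "file", FILE_LIMIT_ASSUMED
    return "body", BODY_LIMIT


def would_be_rejected(headers, body):
    """True if the request body exceeds the limit that applies to its category (the 413 case)."""
    _, limit = classify(headers, body)
    return len(body) > limit


if __name__ == "__main__":
    # Constructed 2,456,088-byte payload, the Content-Length from the question.
    image = b"\xff" * 2456088

    # The question's request: raw body, filename only in a top-level header.
    raw_headers = {
        "Content-Disposition": 'attachment; filename="testImage.jpg"',
        "Content-Length": str(len(image)),
        "Content-Type": "image/jpeg",
    }
    print("raw image/jpeg:", classify(raw_headers, image), "rejected:", would_be_rejected(raw_headers, image))

    # The same file wrapped as a multipart part with a filename parameter.
    mp_headers, mp_body = build_multipart("file", "image/jpeg", image, filename="testImage.jpg")
    print("multipart+filename:", classify(mp_headers, mp_body), "rejected:", would_be_rejected(mp_headers, mp_body))
```

Running it shows the raw request classified under the body limit and rejected, while the multipart request with a `filename` parameter is classified as a file upload; a multipart request whose part lacks `filename` still falls under the body limit, which is the point of the second answer's note.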