forked from barryclark/jekyll-now
Bypassing custom rules using the RequestHeaders match variable in WAF v2 – Stefan Ivemo – A blog about Microsoft Azure, Microsoft 365 and other tech stuff.
I had a case the other day where a custom rule in a Web Application Firewall v2 policy attached to an Application Gateway behaved kind of funky. The rule was set up to deny traffic if a specific request header in the HTTP request was not present. At first everything looked good, but after a while I still noticed that some unwanted traffic was hitting my backend service. After some testing and investigation, I came up with the following. Thanks @SimonWahlin for the support!