
We have recently seen an issue where the OWASP rules were uplifted to 3.2 and data is no longer returned on any screens in the application.

How have others got around this issue?

Feedback from the network engineer (a 3rd party) was as follows:

“It was necessary to make a change to the Azure Application Gateway Firewall, as the Firewall was running version 2.2.9 of OWASP (Open Web Application Security Project), which is no longer supported by Microsoft. OWASP was upgraded to version 3.2 to implement the required fix, and initial testing connecting to the IFS login page showed no errors, with no issues immediately reported.

The latest version of OWASP 3.2 includes new protective features over the older version.

The coding of the IFS application and the way it operates resulted in selected OWASP filters detecting the IFS application operations as an attack, resulting in block actions, which caused sections of the IFS application to fail in displaying data to the user. As a result of the blocks, it was necessary to monitor the Application Gateway Firewall logs to identify the OWASP filters generating a block response against a valid IFS application action. These filters were then disabled to allow that section of the IFS application to work.”

Any pointers would be greatly appreciated.
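The triage the network engineer describes (read the Application Gateway WAF logs, find which CRS 3.2 rules fire on legitimate application traffic, then tune them) can be scripted. The block below is an added example, not code from the original post, from IFS or from Microsoft. It assumes the log lines are in the shape of the `ApplicationGatewayFirewallLog` diagnostic category (`properties.transactionId`, `ruleId`, `action`, `requestUri`, `details.data`); the sample lines are constructed, and the host, URIs and parameter names in them are hypothetical. Two points it is built around: with CRS 3.x the WAF uses anomaly scoring, so the entry with action `Blocked` comes from rule 949110 (the anomaly-score threshold rule) while the rules that actually matched the request log `Matched` under the same `transactionId`, and disabling 949110 would switch blocking off altogether; and a per-parameter exclusion (`RequestArgNames`, `RequestHeaderNames`, `RequestCookieNames`) keeps the rule active for every other request, which is narrower than disabling the rule outright as the quoted feedback did.

```python
"""Triage Azure Application Gateway WAF (OWASP CRS 3.2) blocks from diagnostic log lines.

Added example, not part of the original post. Input is a list of JSON lines in the
shape of the ApplicationGatewayFirewallLog diagnostic category. The sample lines are
constructed; host, URIs and parameter names are hypothetical.
"""
import json
import re
from collections import defaultdict

# CRS 3.x anomaly-score rule: it logs the "Blocked" action, the contributing rules
# log "Matched". Disabling 949110 disables blocking, it does not fix a false positive.
ANOMALY_RULE = "949110"

# ModSecurity collection names as they appear in details.data, mapped to the
# Azure WAF exclusion match variables that scope an exclusion to one field name.
EXCLUSION_VARIABLE = {
    "ARGS": "RequestArgNames",
    "REQUEST_COOKIES": "RequestCookieNames",
    "REQUEST_HEADERS": "RequestHeaderNames",
}

_FOUND_WITHIN = re.compile(r"found within ([A-Z_]+):([^:\s]+)")


def _line(tx, rule, action, uri, data, msg):
    """Build one constructed log line in the ApplicationGatewayFirewallLog shape."""
    return json.dumps({
        "operationName": "ApplicationGatewayFirewall",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "transactionId": tx, "ruleSetType": "OWASP", "ruleSetVersion": "3.2",
            "ruleId": rule, "action": action, "requestUri": uri,
            "hostname": "app.example.invalid", "clientIp": "203.0.113.10",
            "message": msg, "details": {"message": msg, "data": data},
        },
    })


# Constructed sample: two blocked transactions on a query endpoint whose "filter"
# argument carries SQL-like text, and one transaction that only matched a low-score
# rule and was not blocked (it must not show up in the report).
SAMPLE_LINES = [
    _line("tx-1", "942100", "Matched", "/app/api/query",
          "Matched Data: select found within ARGS:filter: select name from parts",
          "SQL Injection Attack Detected via libinjection"),
    _line("tx-1", "942200", "Matched", "/app/api/query",
          "Matched Data: select name found within ARGS:filter: select name from parts",
          "Detects MySQL comment-/space-obfuscated injections"),
    _line("tx-1", ANOMALY_RULE, "Blocked", "/app/api/query",
          "", "Inbound Anomaly Score Exceeded (Total Score: 10)"),
    _line("tx-2", "942100", "Matched", "/app/api/query",
          "Matched Data: select found within ARGS:filter: select id from orders",
          "SQL Injection Attack Detected via libinjection"),
    _line("tx-2", ANOMALY_RULE, "Blocked", "/app/api/query",
          "", "Inbound Anomaly Score Exceeded (Total Score: 5)"),
    _line("tx-3", "920300", "Matched", "/app/api/report",
          "", "Request Missing an Accept Header"),
]


def parse_lines(lines):
    """Return one flat dict per log line with only the fields the triage needs."""
    rows = []
    for raw in lines:
        p = json.loads(raw)["properties"]
        rows.append({
            "tx": p["transactionId"], "rule": str(p["ruleId"]), "action": p["action"],
            "uri": p["requestUri"], "data": p.get("details", {}).get("data", "") or "",
            "message": p.get("message", ""),
        })
    return rows


def blocked_transactions(rows):
    """Transaction ids in which the anomaly rule fired with action Blocked."""
    return {r["tx"] for r in rows if r["action"] == "Blocked"}


def contributing_rules(rows):
    """Aggregate the Matched rules belonging to blocked transactions.

    Returns {ruleId: {"count", "uris", "targets", "message"}}, where targets are
    (collection, field name) pairs parsed from the "found within X:y" text.
    """
    blocked = blocked_transactions(rows)
    report = {}
    for r in rows:
        if r["tx"] not in blocked or r["rule"] == ANOMALY_RULE or r["action"] != "Matched":
            continue
        entry = report.setdefault(
            r["rule"], {"count": 0, "uris": set(), "targets": set(), "message": r["message"]})
        entry["count"] += 1
        entry["uris"].add(r["uri"])
        m = _FOUND_WITHIN.search(r["data"])
        if m:
            entry["targets"].add((m.group(1), m.group(2)))
    return report


def propose_exclusions(report):
    """Collapse parsed targets into (matchVariable, selector, [ruleIds]) exclusions."""
    by_target = defaultdict(set)
    for rule, entry in report.items():
        for collection, name in entry["targets"]:
            var = EXCLUSION_VARIABLE.get(collection)
            if var:
                by_target[(var, name)].add(rule)
    return sorted((var, name, sorted(rules)) for (var, name), rules in by_target.items())


if __name__ == "__main__":
    rep = contributing_rules(parse_lines(SAMPLE_LINES))
    for rule, e in sorted(rep.items()):
        print(rule, e["count"], sorted(e["uris"]), sorted(e["targets"]), e["message"])
    for var, name, rules in propose_exclusions(rep):
        print(f"exclusion: {var} Equals {name} for rules {rules}")
```

In Log Analytics the same grouping is a query over `AzureDiagnostics` filtered on `Category == "ApplicationGatewayFirewallLog"`, joined on `transactionId_g` to pair the `Blocked` row with its `Matched` rows; the script above is the offline equivalent for exported JSON lines. Whichever way the rules are identified, review the matched data before excluding anything: an exclusion on a parameter that genuinely reaches a SQL query removes the WAF's protection for exactly the input an attacker would use.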
