1 comment

[ 4.3 ms ] story [ 15.4 ms ] thread
I guess this is one way of getting your ticket looked at...

" At the moment the Azure Front Door WAF does not scan for XSS threats when the request going through FD is of content-type multipart. This was advised this is the case by the Microsoft Support team. For example, if I send the following request through Azure Front Door with OWASP DefaultRuleSet enabled on its WAF: POST:

content-type: multipart/form-data; boundary=----WebKitFormBoundaryriZKfNGOPKHI8rWO

Form Data: 958127ef-8053-4054-811e-49d54be8a09f: <script>alert('hello');</script>

The WAF does not detect the XSS threat simply because of the content-type.

This is fundamental to have in a service dedicated to protect backend systems. I am conscious this is currently being worked, however what is the ETA?

Thanks. "