I guess this is one way of getting your ticket looked at...
"
At the moment the Azure Front Door WAF does not scan for XSS threats when the request going through FD is of content-type multipart. This was advised this is the case by the Microsoft Support team. For example, if I send the following request through Azure Front Door with OWASP DefaultRuleSet enabled on its WAF:
POST:
1 comment
[ 4.3 ms ] story [ 15.4 ms ] thread" At the moment the Azure Front Door WAF does not scan for XSS threats when the request going through FD is of content-type multipart. This was advised this is the case by the Microsoft Support team. For example, if I send the following request through Azure Front Door with OWASP DefaultRuleSet enabled on its WAF: POST:
content-type: multipart/form-data; boundary=----WebKitFormBoundaryriZKfNGOPKHI8rWO
Form Data: 958127ef-8053-4054-811e-49d54be8a09f: <script>alert('hello');</script>
The WAF does not detect the XSS threat simply because of the content-type.
This is fundamental to have in a service dedicated to protect backend systems. I am conscious this is currently being worked, however what is the ETA?
Thanks. "