False positive on 200004 MULTIPART_UNMATCHED_BOUNDARY

[elexisvenator]

Hi,

I have a .net application set up behind an Azure Application Gateway with WAF configured (owasp3.0).
When uploading files to this application I use the js File API to split the file into chunks, a common enough pattern. However, some of the chunks get blocked by the firewall (see below). This doesn't happen to all chunks but it is common enough that a 100mb file will probably encounter the issue.

I have created a barebones test website which reproduces the issue here: https://github.com/elexisvenator/AzureWAF-chunked-upload-test

I have contacted Microsoft support about this issue and while they acknowledge that the firewall is falsely blocking this request they are unwilling to disable this mandatory rule, citing that the rule is owned by a 3rd party (OWASP). They suggest that I ask here for the rule be revised.

I found a reference to MULTIPART_UNMATCHED_BOUNDARY in the ModSecurity reference manual that suggests that you should disable the rule if you get many false positives. Is this rule safe to disable if there are a large number of false positives? Should it be moved out of the 200* set of rules to make it easier to configure?

Thanks for any help you can provide

{
    "resourceId": "/SUBSCRIPTIONS/[sub]/RESOURCEGROUPS/[resource_group]/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/[applicaiton_gateway]",
    "operationName": "ApplicationGatewayFirewall",
    "time": "2017-06-28T23:26:21Z",
    "category": "ApplicationGatewayFirewallLog",
    "properties": {
        "instanceId": "ApplicationGatewayRole_IN_0",
        "clientIp": "IP ADDRESS",
        "clientPort": "0",
        "requestUri": "/api/File/Upload?resumableChunkNumber=8&resumableChunkSize=1048576&resumableCurrentChunkSize=1048576&resumableTotalSize=13411785&resumableType=application%2Fpdf&resumableIdentifier=068099c3-b1cd-7370-2176-29e843fa61dc&resumableFilename=NET-Microservices-Architecture-for-Containerized-NET-Applications-(Microsoft-eBook)%20(2).pdf&resumableRelativePath=NET-Microservices-Architecture-for-Containerized-NET-Applications-(Microsoft-eBook)%20(2).pdf&resumableTotalChunks=12",
        "ruleSetType": "OWASP",
        "ruleSetVersion": "3.0",
        "ruleId": "200004",
        "message": "Mandatory rule. Cannot be disabled. Multipart parser detected a possible unmatched boundary.",
        "action": "Blocked",
        "site": "Global",
        "details": {
            "message": "Access denied with code 403 (phase 2). Match of \"eq 0\" against \"MULTIPART_UNMATCHED_BOUNDARY\" required.",
            "data": "",
            "file": "",
            "line": ""
        }
    }
}

[dune73]

You are in a bad situation and I feel your pain.

The rule in question is recommended by the ModSecurity project (ModSecurity: The Engine), while you reported to the OWASP ModSecurity Core Rule Set project (The standard rules).
See here for the original recommendation: https://github.com/SpiderLabs/ModSecurity/blob/v2/master/modsecurity.conf-recommended

The rule depends on the MULTIPART_UNMATCHED_BOUNDARY variable of the engine which is not very good at detecting unmachted boundaries in multipart file uploads. This leads to false positives. It's a known problem and people usually disable the rule. Personally, I do not even include it in my configurations. See here for a brief discussion: https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/

The way to go is to at least disable the rule for your specific request.

Feel free to quote this message and to tell the support the author of the 2nd edition of the ModSecurity Handbook told you so.

Can you get me in touch with the Microsoft support? I would like to talk to them about their setup...

[elexisvenator]

Thanks dune73,

I have forwarded your response to Microsoft Support.

[elexisvenator]

For anyone who has this issue and stumbles across this thread, there is a Microsoft Feedback item you can track here: https://feedback.azure.com/forums/34192--general-feedback/suggestions/19773868-support-chunked-file-transfers-through-azure-appli