I have an Azure App Service sitting behind an Azure App Gateway on the WAF v2 tier. We are experiencing an issue where we get the 403 Forbidden response from the gateway in some Chrome browsers, yet the site displays correctly from Chrome Incognito mode and works fine in IE and Edge.

So Azure WAF is blocking traffic for some installs of Chrome (same version, not all), with rule ID 980130 (Warning. Operator GE matched 5 at TX:inbound_anomaly_score) followed by the block with 949110 (Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score.). Neither of those is customizable, nor can they be disabled.

And the details_data_S doesn't contain anything, hence it is so hard to find what is being matched!

I don't understand the reason behind this. As mentioned, Credge or Firefox... work fine, and incognito mode in Chrome doesn't have any problem either, hence it must be some weird plugin/addon.

Azure WAF doesn't include any information as to what is matched to trigger that rule. Microsoft Azure only points me to https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.1.0/rules/RESPONSE-980-CORRELATION.conf

Have you seen this?

neuro
KitkatNeko
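
Rules 949110 and 980130 only report the accumulated anomaly score, so the rules that raised it are normally logged as separate entries for the same request. The following is an added example, not part of the original post, that groups exported firewall log records by transaction ID and lists the rules behind each block; the column names `transactionId_g` and `ruleId_s`, the sample records, and the rule names RULE-A/B/C are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# CRS bookkeeping rules: they report the anomaly total, not what matched.
SCORE_RULES = {"949110", "980130"}

# Constructed sample records, one JSON object per line. Column names are
# assumed to follow the Log Analytics firewall-log export; RULE-A/B/C are
# placeholders, not real rule IDs.
SAMPLE_LOG = """
{"transactionId_g": "tx-1", "ruleId_s": "RULE-A", "details_data_s": "constructed: match in a request cookie"}
{"transactionId_g": "tx-1", "ruleId_s": "RULE-B", "details_data_s": "constructed: match in a request header"}
{"transactionId_g": "tx-1", "ruleId_s": "949110", "details_data_s": ""}
{"transactionId_g": "tx-1", "ruleId_s": "980130", "details_data_s": ""}
{"transactionId_g": "tx-2", "ruleId_s": "RULE-C", "details_data_s": "constructed: low-score match"}
{"transactionId_g": "tx-3", "ruleId_s": "949110", "details_data_s": ""}
{"transactionId_g": "tx-3", "ruleId_s": "980130", "details_data_s": ""}
"""


def contributing_rules(log_text):
    """Map each blocked transaction to the (rule, data) pairs that scored it."""
    by_tx = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            by_tx[rec["transactionId_g"]].append(rec)

    report = {}
    for tx, recs in by_tx.items():
        # Only requests that hit the anomaly threshold (949110) were blocked.
        if not any(r["ruleId_s"] == "949110" for r in recs):
            continue
        report[tx] = [
            (r["ruleId_s"], r.get("details_data_s", ""))
            for r in recs
            if r["ruleId_s"] not in SCORE_RULES
        ]
    return report


if __name__ == "__main__":
    for tx, rules in contributing_rules(SAMPLE_LOG).items():
        # An empty list means the export holds only the score entries, so the
        # time range or filter has to be widened for that transaction.
        print(tx, rules or "no contributing entries in this export")
```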

0 Answers