
WAF still blocks DELETE method although DELETE is allowed in URL Protection or URL Profile!

#waf #deletemethod #blocked


#1 Mikel

Mikel
  • Members
  • 3 posts

Posted 12 November 2019 - 11:28 PM

Dear all bro, we are facing a problem with our Barracuda WAF 960 (firmware version v10.0.0.010)

The WAF blocks the DELETE method and recommends a fix:

 

The request used the method DELETE which is not in the list of Allowed Methods defined in the Security Policy under URL Protection,or in the list of Allowed Methods in the URL profile that matched by the URL /chatserver/api/ChatConfig/12.

 

Create a new URL Profile for URL /chatserver/api/ChatConfig/12 and add the method DELETE for the website ....

 

We fixed it as recommended and retried. But there is still an error, and this time there is no Web Application Firewall DENY log, but in the Access Log there is still the entry: 405 - Method not Allowed.

 

Note that if we connect directly to the web server, everything will be OK.

 

So has anyone faced the same issue? I really appreciate your help :)



#2 aravindan a

aravindan a
  • Barracuda Team Members
  • 79 posts

Posted 28 November 2019 - 05:10 AM

Hi,

 

By any chance, do you have JSON Security turned on, and does the request come in with the "Content-Type: application/json" header? In such a case, the WAF will process the request as per the JSON profile, where DELETE may not be part of the allowed request.
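
One way to test the hypothesis raised in this thread, as an added example that is not part of either post and not Barracuda's own tooling: send the same DELETE through the WAF and directly to the web server, once with `Content-Type: application/json` and once without, and compare the four status codes. The base URLs passed on the command line and the function names `probe`, `collect` and `classify` are assumptions made for this sketch.

```python
import http.client
import sys
from urllib.parse import urlsplit

JSON = "application/json"

def probe(base_url, path, content_type=None):
    """Send one bodyless DELETE and return the HTTP status code."""
    u = urlsplit(base_url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.hostname, u.port, timeout=10)
    try:
        headers = {"Content-Type": content_type} if content_type else {}
        conn.request("DELETE", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()

def collect(waf_url, origin_url, path):
    """Probe both paths, with and without the JSON Content-Type header."""
    return {(hop, kind): probe(base, path, ctype)
            for hop, base in (("waf", waf_url), ("origin", origin_url))
            for kind, ctype in (("json", JSON), ("plain", None))}

def classify(r):
    """Turn the four status codes into a hint about where the 405 comes from."""
    if 405 in (r[("origin", "json")], r[("origin", "plain")]):
        return "origin itself answers 405; not a WAF issue"
    if r[("waf", "json")] == 405 and r[("waf", "plain")] != 405:
        return "405 only with JSON Content-Type; review the JSON profile's allowed methods"
    if r[("waf", "json")] == 405:
        return "405 regardless of Content-Type; review URL profile and policy allowed methods"
    return "DELETE is not answered with 405 through the WAF"

if __name__ == "__main__":
    # usage: script.py <waf_base_url> <origin_base_url> <path>
    results = collect(sys.argv[1], sys.argv[2], sys.argv[3])
    for key, status in sorted(results.items()):
        print(key, status)
    print(classify(results))
```

Point the path at a disposable test resource: wherever the DELETE is allowed through, the web server will act on it.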






