
WAF - 200003 Multipart Request Body Strict Validation


I have an application that was making a call to Azure Application Gateway, and it was failing when the following rule was enforced:

RuleId: 200003 Description: Multipart Request Body Strict Validation

The call was to a PUT endpoint, passing 2 files in the body. Disabling this rule makes the call work. I can't find a proper description of this rule. Just wondering if someone could provide more info about it? Is it safe to disable it?


Solution

  • I had this issue, and the MS support response was that this is a bug and to disable the rule. See their response below.

    I went through the WAF logs, and it seems we are hitting rule 200003 matching your request.

    After investigation, there is basically a bug with this rule, which is a new multipart formatting body check in 3.2 (it was only added a couple of weeks ago). What our expert says about it is the following:

    “This rule is looking at the stream of the file and trying to determine if the formatting of the multipart request is valid. If it thinks it's not, the body check fails and the rest of the request can't be scanned. This particular rule causes a lot of false positives and should be disabled if that is the case here.

    The 200002/200003/200004 family of rules are very difficult to work around because they are looking at the formatting of the request. However, how the request is formatted is almost impossible to predict, because the streaming of a file this way gets encoded into a bunch of random chars, and if those chars break the typical formatting boundaries of a multipart request, these rules will trigger. But... since you can't predict how a file will get encoded during a stream, it's almost impossible to "fix" from a code/request level. Disable the rule, then profit.”
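To see what a failing request looks like before deciding whether to disable the rule, the sketch below checks a multipart body for the kind of formatting problems the support response describes. It is an added example, not Azure's implementation and not code from the original post: the function name, the specific checks (an assumption about what "strict" validation inspects) and the sample bodies are all constructed for illustration.

```python
import re

def multipart_findings(content_type: str, body: bytes) -> list:
    """List formatting problems a strict multipart check could plausibly flag."""
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.IGNORECASE)
    if m is None:
        return ["no boundary parameter in Content-Type"]
    delim = b"--" + m.group(1).encode("ascii")
    findings, state = [], "preamble"  # preamble -> headers -> data -> closed
    segments = body.split(b"\n")
    for n, raw in enumerate(segments, start=1):
        line = raw[:-1] if raw.endswith(b"\r") else raw
        is_open, is_close = line == delim, line == delim + b"--"
        structural = is_open or is_close or state == "headers"
        # A boundary or header line terminated by "\n" with no preceding "\r".
        if structural and n < len(segments) and not raw.endswith(b"\r"):
            findings.append(f"line {n}: LF-only line ending")
        if state == "closed":
            if line:
                findings.append(f"line {n}: data after final boundary")
        elif is_open:
            state = "headers"
        elif is_close:
            state = "closed"
        elif state == "preamble":
            if line:
                findings.append(f"line {n}: data before first boundary")
        elif state == "headers":
            if not line:
                state = "data"  # blank line ends the part headers
            elif b":" not in line:
                findings.append(f"line {n}: invalid part header")
        elif line.startswith(b"--"):
            # File content that merely resembles a boundary marker.
            findings.append(f"line {n}: boundary-like line inside part data")
    if state != "closed":
        findings.append("missing final boundary")
    return findings

# Constructed sample requests (not captured traffic).
CT = "multipart/form-data; boundary=XBOUND"
HDR = b'Content-Disposition: form-data; name="f"; filename="note.txt"\r\n\r\n'
CLEAN = b"--XBOUND\r\n" + HDR + b"hello\r\n--XBOUND--\r\n"
DASHES = b"--XBOUND\r\n" + HDR + b"-----BEGIN NOTE-----\nabc\r\n--XBOUND--\r\n"
TRUNCATED = b"--XBOUND\r\n" + HDR + b"hello\r\n"

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("dashes", DASHES), ("truncated", TRUNCATED)):
        print(name, multipart_findings(CT, body))
```

The `DASHES` case shows how ordinary file content can resemble a boundary even though the client built the request correctly, which is the false-positive pattern described in the support response.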