How to fix Web API requests with FetchXML being blocked by Power Pages Web Application Firewall

After enabling the Web Application Firewall (WAF) on a development Power Pages site, several developers reported that Web API queries built with FetchXML had stopped working and were returning HTTP 403.

A few tests confirmed that the WAF was classifying those requests as attacks. This post shows how the query was written and what has to change to get it through the WAF.

Troubleshooting

The first step was to identify which queries were failing. In the example below, a query that had always worked stopped working as soon as the WAF was enabled:

Opening the request in a new tab shows that it was blocked, with a response that looks like a WAF message:

The next step was to check the WAF logs for a matching entry (they can be downloaded from the WAF configuration section in Design Studio):

The downloaded log contained an entry for that request:

The message shows that one of the WAF's default rules blocked the request because the query contained line breaks, which the rule treated as an attack pattern.

The fix

In our projects, FetchXML queries embedded in code are normally written as formatted, multi-line strings for readability, and a small helper function from one of our JavaScript libraries strips the line breaks and the whitespace between tags before the query is sent (removing the whitespace also shortens the request). On these particular queries the developer had skipped that step.

Here is the function:

function CleanFetchForWebAPI(fetchXml) {
  // Remove CR/LF line breaks (the characters the WAF rule objected to),
  // then collapse whitespace that sits between tags to shorten the query string.
  return fetchXml.replace(/\r?\n|\r/g, "").replace(/>\s+</g, '><');
}
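To show where the cleaning step sits in an actual request, here is an added example (not code from the original post or from the helper library it mentions). It builds a Power Pages Web API GET URL of the form `/_api/<entitysetname>?fetchXml=<encoded FetchXML>`, cleans the query first, then URL-encodes it. The entity set `contacts`, the attribute names, the sample FetchXML and the function names are assumptions made for illustration; the `queryContacts` call needs to run inside a Power Pages site with table permissions configured for the Web API.

```javascript
// Added example, not part of the original post. Entity set "contacts", the
// attribute names and the FetchXML below are constructed for illustration.

// Same approach as the post's helper: drop CR/LF, then collapse whitespace
// that sits between tags. Whitespace inside attribute values (e.g. a value of
// "Van der Berg") is left untouched because it never matches />\s+</.
function cleanFetchXml(fetchXml) {
  return fetchXml.replace(/\r?\n|\r/g, "").replace(/>\s+</g, "><");
}

// Returns true when the text still carries CR or LF characters, which is the
// pattern the WAF rule in the post reacted to.
function hasLineBreaks(text) {
  return /[\r\n]/.test(text);
}

// Constructed FetchXML, formatted across lines the way it usually lives in code.
const CONTACTS_BY_LASTNAME = `
<fetch top="5">
  <entity name="contact">
    <attribute name="fullname" />
    <attribute name="emailaddress1" />
    <filter>
      <condition attribute="lastname" operator="eq" value="Van der Berg" />
    </filter>
  </entity>
</fetch>`;

// Power Pages Web API takes FetchXML as a query-string parameter:
//   GET /_api/<entitysetname>?fetchXml=<URL-encoded FetchXML>
// Cleaning happens before encoding; a query that still has line breaks is
// rejected here rather than being sent and bounced by the WAF with a 403.
function buildFetchXmlUrl(entitySet, fetchXml) {
  const cleaned = cleanFetchXml(fetchXml);
  if (hasLineBreaks(cleaned)) {
    throw new Error("FetchXML still contains line breaks");
  }
  return `/_api/${entitySet}?fetchXml=${encodeURIComponent(cleaned)}`;
}

// Runs the query against the current site (same-origin, so the portal's
// authentication cookie is sent) and returns the "value" array of records.
async function queryContacts(fetchXml) {
  const response = await fetch(buildFetchXmlUrl("contacts", fetchXml), {
    method: "GET",
    headers: { Accept: "application/json" },
    credentials: "same-origin",
  });
  if (!response.ok) {
    throw new Error(`Web API request failed with HTTP ${response.status}`);
  }
  return (await response.json()).value;
}
```

The `hasLineBreaks` check in `buildFetchXmlUrl` is the part worth keeping in a shared helper: it turns a WAF block that only shows up at runtime into a clear error on the developer's machine. Note that the whitespace collapse only touches gaps between tags, so attribute values with spaces survive, but a value that itself spanned several lines would lose its line breaks.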

After cleaning the string and running the same query again, everything worked:

Conclusion

Beyond URL-encoding your FetchXML when calling the Power Pages Web API, always remove the line breaks from it first. Fixing the query on the client side is preferable to relaxing the WAF: the false positive goes away while the rule stays active for genuine attacks.

This is a useful property of the WAF: as soon as it is enabled it starts blocking anything that matches its rules for malicious requests, without extra configuration.

For example, a request that sends a string containing a possible XSS payload to the Web API is blocked in the same way:

References

Configure Web Application Firewall for Power Pages – Microsoft Learn
