
XSS Exploit on Azure's Community support portal - jasongi
https://azure.microsoft.com/en-au/support/community/
======
jasongi
I guess this is one way of getting your ticket looked at...

"At the moment the Azure Front Door WAF does not scan for XSS threats when
the request going through FD is of content-type multipart. The Microsoft
Support team advised that this is the case. For example, if I send the
following request through Azure Front Door with OWASP DefaultRuleSet enabled
on its WAF:

POST:

content-type: multipart/form-data; boundary=----WebKitFormBoundaryriZKfNGOPKHI8rWO

Form Data: 958127ef-8053-4054-811e-49d54be8a09f:
<script>alert('hello');</script>

The WAF does not detect the XSS threat simply because of the content-type.

This is fundamental to have in a service dedicated to protecting backend systems.
I am conscious this is currently being worked on, however what is the ETA?

Thanks."
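
Added example, not part of the original post or the quoted ticket: a backend-side check that parses a multipart/form-data body into its fields and inspects each value, which is the inspection the ticket says the WAF skips for this content type. The sample body is constructed from the request quoted above; the function names, the second `comment` field and the small pattern set are assumptions for illustration.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

# Small illustrative pattern set (assumption); a real rule set is far broader.
SUSPICIOUS = re.compile(rb"<\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)


def multipart_fields(content_type: str, body: bytes):
    """Yield (field_name, raw_value) for each part of a multipart/form-data body."""
    # Reuse the stdlib MIME parser by prepending the request's Content-Type header.
    header = b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n"
    msg = BytesParser(policy=HTTP).parsebytes(header + body)
    if not msg.is_multipart():
        # Declared boundary never appears in the body: reject rather than skip inspection.
        raise ValueError("body does not parse as multipart with the declared boundary")
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        yield name, part.get_payload(decode=True) or b""


def flag_fields(content_type: str, body: bytes):
    """Return the names of form fields whose value matches a script/markup pattern."""
    return [n for n, v in multipart_fields(content_type, body) if SUSPICIOUS.search(v)]


# Constructed sample request body, built from the header, field name and value in the ticket.
CT = "multipart/form-data; boundary=----WebKitFormBoundaryriZKfNGOPKHI8rWO"
BODY = (
    b"------WebKitFormBoundaryriZKfNGOPKHI8rWO\r\n"
    b'Content-Disposition: form-data; name="958127ef-8053-4054-811e-49d54be8a09f"\r\n'
    b"\r\n"
    b"<script>alert('hello');</script>\r\n"
    b"------WebKitFormBoundaryriZKfNGOPKHI8rWO\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"\r\n"
    b"plain text\r\n"
    b"------WebKitFormBoundaryriZKfNGOPKHI8rWO--\r\n"
)

if __name__ == "__main__":
    for field in flag_fields(CT, BODY):
        print("flagged field:", field)
```

Pattern matching on input is only a backstop; output encoding in the application that renders these values remains the primary XSS control.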

