I have a REST API that uses JSON data. The Web Application Firewall (WAF) monitoring the traffic uses standard OWASP rules. One rule is blocking passwords that have caret characters.

e.g. leA^n12

I could base64-encode the password but I am wondering if there is a best-practice for JSON API data flowing through a WAF?

1

1 answer

0
On BEST ANSWER

The OWASP rulesets are designed to be very strict out of the box, and to be tuned to suit the specific needs of the application or organization using the WAF. It is entirely normal, and actually expected in many cases, to create exclusions, custom rules, and even disable rules that may be causing issues or false positives.

WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. A common example is Active Directory inserted tokens that are used for authentication or password fields. Such attributes are prone to contain special characters that may trigger a false positive from the WAF rules. Once an attribute is added to the WAF exclusion list, it isn't considered by any configured and active WAF rule. Exclusion lists are global in scope.

You can fix the false positive either by creating an exclusion list or by disabling the rule.

Reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration#waf-exclusion-lists
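As an added example (not code from the question, the answer, or the linked Microsoft page), here is the exclusion-list approach from the answer written as an Azure Application Gateway WAF policy in Bicep. It keeps the OWASP ruleset enabled in Prevention mode and excludes only the request argument named `password`, rather than disabling the rule that fires on the caret. The resource name, location, ruleset version and API version are assumptions for illustration:

```bicep
// Added example (not from the original answer or Microsoft docs): a WAF policy
// that keeps the OWASP CRS enabled but excludes the "password" field from rule
// evaluation instead of disabling the rule globally.
// Resource name, location, ruleset version and API version are assumptions.
resource apiWafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'api-waf-policy'
  location: resourceGroup().location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'       // keep blocking; the exclusion is the only relaxation
      requestBodyCheck: true   // JSON bodies are still inspected for every other field
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
      // Exclusion list: the value of the request argument whose name is exactly
      // "password" is not evaluated by the managed rules. Matching with Equals
      // (rather than Contains) avoids silently excluding fields such as
      // "password_hint" or anything else that merely contains the word.
      exclusions: [
        {
          matchVariable: 'RequestArgNames'
          selectorMatchOperator: 'Equals'
          selector: 'password'
        }
      ]
    }
  }
}
```

Two things to check before relying on this: send the actual JSON payload (with the caret) through a WAF in Detection mode and confirm in the firewall log that the field is no longer flagged, because how a nested or arrayed JSON key is exposed as an argument name depends on the ruleset version's body parser; and prefer this per-field exclusion over disabling the rule, since the rule still protects every other field in the same request body.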