Laravel Livewire application hosted on an Azure server. We have enabled Azure Front Door Web Application Firewall (WAF) in Prevention mode. However, we are encountering an issue where requests from Livewire are being blocked by the WAF. The error message returned is:

The request is blocked.
20240611T070599L-r15646b4954ffzb75tbdwwms5c00000005dg00000000abcd
Details:
Azure Setup: We have configured Azure Front Door WAF in prevention mode to enhance security.
Error Message: The specific error message received from the server indicates a request being blocked due to suspected suspicious activity.
Livewire Request Example:
Request: {“_token”:”56B8efYCENB2X5t0u00C0DirE1myAllb34JGqjjy”,”components”:[{“snapshot”:”{“data”:{“showLoginInfo”:false,”showOTPVerify”:true,”email”:”[email protected]”,”is_resend_otp”:null,”generateOTP”:null,”verify_otp_code”:””,”device_token”:null,”isEmailSubmitting”:false,”passwordVisible”:false},”memo”:{“id”:”X4eKX7VMoOT4SbU9B4Nv”,”name”:”auth.login”,”path”:”/”,”method”:”GET”,”children”:[],”scripts”:[],”assets”:[],”errors”:[],”locale”:”en”},”checksum”:”3pk04241276cec0bc49097d0599e857856c58de6cf408112647199bf2a0fb9k3″}”,”updates”:{“verify_otp_code”:”123456″},”calls”:[{“path”:””,”method”:”verifyOtp”,”params”:[]}]}]}
According to the server team, the request is being flagged by the firewall rules as suspicious, specifically triggering a rule associated with SQL injection (sqli) patterns. The WAF log indicates the rule in question is related to the OWASP ModSecurity Core Rule Set (CRS), particularly regexp-942200.

Reference link: regexp-942200

Here are some details of the regular expressions causing the issue:

sqli rulerevision: disassembling sqli rules
,.*?[)da-f”‘]["'][“‘].*?["']

RE2 compatibility for 942200 (#1461)
,.*?)da-f”‘]["'?z

sqli rulerevision: disassembling sqli rules
,.?[)da-f”‘]["'][^”‘`]+
Wselect.+W?from
selects*?(s*?spaces*?(
creates*?(s*?spaces*?(
renames*?(s*?spaces*?(
truncates*?(s*?spaces*?(
loads*?(s*?spaces*?(
alters*?(s*?spaces*?(
deletes*?(s*?spaces*?(
updates*?(s*?spaces*?(
inserts*?(s*?spaces*?(
descs*?(s*?spaces*?(

Concerns:
Suspicious Activity: The Azure support team mentioned that the request was blocked due to suspicious activity, but we are not creating any manual requests. All requests are automatically generated by Livewire.
Firewall Rules: We understand that disabling rules one by one could help identify the issue, but this may pose security risks.
We identified that the requests are being blocked due to suspected SQL injection patterns.
The recommended solution to disable the rules one by one poses a security risk and is not a viable option.
Questions:
Livewire Request Structure: Is there anything in the structure of Livewire requests that might be flagged as suspicious by security systems such as Azure Front Door WAF?
Error Handling: Has anyone encountered similar issues, and if so, how were they resolved?
Could you provide any insights on why Livewire requests might be triggering these specific WAF rules?
Are there any known issues or configurations in Livewire that could lead to such false positives?
Any guidance or suggestions to resolve this issue would be greatly appreciated.

Thank you for your assistance.