Azure's Front Door WAF WTF: IP Restriction Bypass
ID: 26c0989e-41b7-534a-a5fa-958f2f20a293
STIX ID: report--26c0989e-41b7-534a-a5fa-958f2f20a293
Feed Name: TrustedSec blog
This report describes an IP-restriction bypass in Azure Front Door WAF: the default 'RemoteAddr' match variable used in IP-based custom rules honors the client-supplied X-Forwarded-For header, so an attacker who sets that header to an allow-listed address can satisfy the rule from any source IP. Because custom rules are evaluated before the managed rule set and a matching rule ends processing, a spoofed request that satisfies an allow rule also skips the subsequent OWASP rule checks. The author provides reproduction steps, brute-force testing details, detection tooling (PowerShell and GraphRunner checks for affected policies), mitigation guidance (switch to 'SocketAddr', which reflects the TCP source address, or combine both checks), and a disclosure timeline noting that MSRC declined to change the default behavior.
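The following is an added example, not TrustedSec's tooling and not Microsoft's implementation. It models the two match variables as the post describes them (RemoteAddr trusts the first hop in a client-supplied X-Forwarded-For header, SocketAddr is the TCP peer), runs a minimal IPMatch-only custom-rule engine over two constructed policies in the shape of a Front Door WAF policy resource, and audits which policies restrict on RemoteAddr without a SocketAddr check. Policy names, rule names, the allow-list range and the request addresses are all hypothetical; operators other than IPMatch, transforms, and managed-rule processing after the custom rules are not modelled.

```python
import ipaddress

# --- Modelled match variables (assumption: simplified from the post's description) ---

def remote_addr(socket_ip, headers):
    """RemoteAddr as the post describes it: the first hop of a client-supplied
    X-Forwarded-For header when present, otherwise the TCP peer address."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else socket_ip

def socket_addr(socket_ip, headers):
    """SocketAddr: the TCP peer only; request headers are ignored."""
    return socket_ip

RESOLVERS = {"RemoteAddr": remote_addr, "SocketAddr": socket_addr}

# --- Minimal custom-rule engine (IPMatch only) ---------------------------------

def condition_matches(cond, socket_ip, headers):
    if cond["operator"] != "IPMatch":
        raise ValueError("only IPMatch is modelled here")
    ip = ipaddress.ip_address(RESOLVERS[cond["matchVariable"]](socket_ip, headers))
    hit = any(ip in ipaddress.ip_network(v) for v in cond["matchValue"])
    return hit != bool(cond.get("negateCondition", False))

def evaluate_custom_rules(policy, socket_ip, headers):
    """Action of the first custom rule (by priority) whose conditions all match,
    or 'pass' when none match and evaluation would continue to managed rules."""
    rules = policy["properties"]["customRules"]["rules"]
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(condition_matches(c, socket_ip, headers) for c in rule["matchConditions"]):
            return rule["action"]
    return "pass"

# --- Constructed policies (hypothetical names and ranges) -----------------------

def ip_block_rule(name, priority, variable, cidrs):
    """'Block unless allow-listed' rule: negated IPMatch with action Block."""
    return {"name": name, "priority": priority, "ruleType": "MatchRule",
            "action": "Block",
            "matchConditions": [{"matchVariable": variable, "operator": "IPMatch",
                                 "negateCondition": True, "matchValue": cidrs}]}

CORP = ["203.0.113.0/24"]   # hypothetical corporate allow-list (RFC 5737 range)

# Weak: keys only on RemoteAddr, so a spoofed X-Forwarded-For satisfies it.
WEAK_POLICY = {"name": "waf-weak", "properties": {"customRules": {"rules": [
    ip_block_rule("AllowCorpOnly", 10, "RemoteAddr", CORP)]}}}

# Hardened: a second rule on SocketAddr must also pass (the "combine both" option).
HARDENED_POLICY = {"name": "waf-hardened", "properties": {"customRules": {"rules": [
    ip_block_rule("AllowCorpRemoteAddr", 10, "RemoteAddr", CORP),
    ip_block_rule("AllowCorpSocketAddr", 20, "SocketAddr", CORP)]}}}

# --- Audit: policies that restrict on RemoteAddr with no SocketAddr condition --

def audit_policies(policies):
    findings = []
    for policy in policies:
        ip_vars = {c["matchVariable"]
                   for r in policy["properties"]["customRules"]["rules"]
                   for c in r["matchConditions"] if c["operator"] == "IPMatch"}
        if "RemoteAddr" in ip_vars and "SocketAddr" not in ip_vars:
            findings.append(policy["name"])
    return findings

if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "203.0.113.5"}   # attacker claims an allowed IP
    print(evaluate_custom_rules(WEAK_POLICY, "198.51.100.7", spoofed))      # pass  (bypass)
    print(evaluate_custom_rules(WEAK_POLICY, "198.51.100.7", {}))           # Block
    print(evaluate_custom_rules(HARDENED_POLICY, "198.51.100.7", spoofed))  # Block
    print(audit_policies([WEAK_POLICY, HARDENED_POLICY]))                    # ['waf-weak']
```

The audit function reads the same structure as a policy exported to JSON, so it can be pointed at real exports once the constructed policies are swapped out. A live check mirrors the post's reproduction: from a host outside the allow-list, send the same request with and without X-Forwarded-For set to an allow-listed address; if only the spoofed request gets through, the policy is keying on RemoteAddr. Note that the combined configuration also blocks a request from a legitimately allow-listed socket address whose X-Forwarded-For names an outside address, which is the intended strictness of requiring both variables to match.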
