Manual Chapter: Working with Parameters

Parameters are an integral part of any web application. Defining explicit or wildcard parameters in a security policy increases the protection of the web application, because Application Security Manager evaluates the defined parameters, their meta characters, query string lengths, and POST data lengths as part of its positive security logic: only what the policy describes is allowed. The system verifies the parameters that you configure in a security policy.
You can define parameters as global parameters, URL parameters, and flow parameters. For information on configuring global parameters, see Working with global parameters. For information on configuring URL parameters, see Working with URL parameters. For information on configuring flow parameters, see Working with flow parameters.
You can create parameters containing different value types: static content, dynamic content, dynamic parameter name, user-input, JSON, or XML value. You can also create parameters for which the system does not check or verify the value. You can configure a global, URL, or flow parameter as any value type, except that only flow parameters can use the dynamic parameter name type. Refer to Understanding parameter value types, for more information.
When you create any type of parameter, the system automatically places the parameter in staging and does not block requests even if a violation occurs and the system is configured to block that violation. The system makes learning suggestions that you can accept or clear (see Chapter 12, Refining the Security Policy Using Learning). If you create wildcard parameters, you also have the option of enabling tightening.
This chapter discusses configuring explicit parameters. In Application Security Manager, you can also use wildcards for parameters. Refer to Configuring wildcard parameters, for more information.
If a parameter is defined more than once for the same request context, the system applies only the most specific definition: a flow definition overrides a URL definition, and a URL definition overrides a global one. For example, the parameter param_1 is defined as a static content global parameter, and also defined as a user-input URL parameter. When Application Security Manager receives a request containing the parameter for that URL, the system generates any violations based on the URL parameter definition, not the global one.
Global parameters are those that do not have an association with a specific URL or application flow. The advantage of using global parameters is that you can configure a global parameter once, and the system enforces the parameter wherever it occurs.
When you first create a global parameter, the system automatically places the parameter in staging and does not block requests even if a violation occurs and the system is configured to block violation. The system makes learning suggestions that you can accept or clear (see Chapter 12, Refining the Security Policy Using Learning). If you create wildcard global parameters, you also have the option of enabling tightening.
Use a global parameter when you want Application Security Manager to enforce the same parameter attributes wherever the parameter occurs, regardless of the URL or flow in which it appears.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
Click the Create button.
The Add Parameter screen opens.
3.
In the Create New Parameter area, for the Parameter Name setting, select an option:
If you select Explicit, then in the field, type a unique parameter name.
If you select Wildcard, then in the field, type a pattern string that represents the parameter names. See Configuring wildcard parameters, for more information.
If you select No Name, the system creates a parameter with the label, UNNAMED.
4.
For the Parameter Level setting, select Global.
5.
If you want the parameter to be in staging before it is enforced, for the Perform Staging setting, leave the Enabled check box selected.
6.
If you are creating a wildcard parameter and you want the system to suggest explicit parameters that match the wildcard pattern you specify, disable the Perform Staging setting, and then enable the Perform Tightening setting.
Note: F5 Networks does not recommend using both tightening and staging at the same time on the same wildcard entity.
7.
To allow users to send a request that contains multiple parameters with the same name, for the Allow Repeated Occurrences setting, select the Enabled check box. The default setting is disabled.
8.
If you want to treat the parameter you are creating as a sensitive parameter (its value is masked in logs and in the user interface), enable the Sensitive Parameter setting.
9.
From the Parameter Value Type list, select the format for the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter value types, for information on parameter types and additional settings that are associated with them.
10.
Click the Create button to add the new global parameter to the security policy.
The screen refreshes, and displays the new global parameter.
11.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
At times, you may want to update the characteristics of a global parameter. This is easily done by editing the parameter properties.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
In the Parameters List area, click the name of the parameter whose properties you want to edit.
The Parameter Properties screen opens.
3.
Change the parameter properties as required.
4.
When you have finished, click the Update button.
The system saves any changes you may have made, and returns you to the Parameters List screen.
5.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
In the Parameters List area, select the global parameter that you want to remove, and then click the Delete button.
The system displays a popup confirmation screen.
3.
Click OK.
The system deletes the parameter.
4.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
You define parameters in the context of a URL when a parameter is relevant to that particular URL and you do not want the system to also verify the URL's associated flows. That is, use a URL parameter when it does not matter where users were before they accessed this URL, or whether the parameter arrived in a GET or a POST request.
Defining a parameter as a URL parameter lets you control one or all of the parameters associated with that URL, and lets you create exceptions, if needed, to wildcard or other global definitions. When you define a URL parameter, the system applies the security policy to the parameter attributes in the context of the associated URL, and ignores the flow information.
Note that when you first create a URL parameter, the system places the parameter in staging by default and does not block requests even if a violation occurs and the system is configured to block the violation. The system makes learning suggestions that you can accept or clear (see Chapter 12, Refining the Security Policy Using Learning). If you create wildcard URL parameters, you also have the option of enabling tightening.
When you create a parameter that is associated with a URL, the system verifies the parameter in the context of the URL.
Note: The prerequisite for this task is that the security policy already includes the URL for which you want to add a parameter. If the security policy does not yet include the URL, refer to Configuring URLs, for information on adding a URL to the configuration.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
Above the Parameters List area, click the Create button.
The Add Parameter screen opens.
3.
In the Create New Parameter area, for the Parameter Name setting, select an option:
If you select Explicit, then in the field, type a unique parameter name.
If you select Wildcard, then in the field, type a pattern string that represents the parameter names. See Configuring wildcard parameters, for more information.
If you select No Name, the system creates a parameter with the label, UNNAMED.
4.
For the Parameter Level setting, select URL Parameter.
The screen refreshes and displays the URL Path option.
For the URL Path option, select a protocol from the list, and then type the URL.
When you begin to type a URL, the system lists all defined URLs that include the characters you typed, and you can select a URL from the list.
5.
If you want the parameter to be in staging before being enforced, for the Perform Staging setting, leave the Enabled check box selected.
6.
If you are creating a wildcard parameter and you want the system to suggest explicit parameters that match the wildcard pattern you specify, disable the Perform Staging setting, and then enable the Perform Tightening setting.
Note: F5 Networks does not recommend using both tightening and staging at the same time on the same wildcard entity.
7.
To allow users to send a request that contains multiple parameters with the same name, for the Allow Repeated Occurrences setting, select the Enabled check box. The default setting is disabled.
8.
If you want to treat the parameter you are creating as a sensitive parameter (its value is masked in logs and in the user interface), enable the Sensitive Parameter setting.
9.
From the Parameter Value Type list, select the format for the parameter value.
Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter value types, for information on parameter types and additional settings that are associated with them.
10.
Click the Create button to add the new URL parameter to the security policy.
The screen refreshes, and displays the new URL parameter.
11.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
The Parameter Properties screen opens.
3.
Change the parameter properties as required.
4.
When you have finished, click the Update button.
The system saves any changes you may have made, and returns you to the Parameters List screen.
5.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
Web applications can change over time, and there may be occasions when you want to delete a parameter from the security policy.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
In the Parameters List area, select the parameter that you want to remove, and then click the Delete button.
The system displays a popup confirmation screen.
3.
Click OK.
The system deletes the parameter.
4.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
You define parameters in the context of a flow when it is important to enforce that a target URL receives a parameter from a specific referrer URL. Defining a parameter in the context of a flow is the most specific context, and thus provides the tightest definition for the web application.
When you first create a flow parameter, the system automatically places the parameter in staging and does not block requests even if a violation occurs and the system is configured to block the violation. The system makes learning suggestions that you can accept or clear (see Chapter 12, Refining the Security Policy Using Learning). If you create wildcard flow parameters, you also have the option of enabling tightening.
When you create a parameter that is associated with a flow, the system verifies the parameter in the context of the flow (see Configuring flows, for more information). For example, if you define a parameter in the context of a GET request, and a client sends a POST request that contains the parameter, the system generates an Illegal Parameter violation.
You can define flow parameters for very tight, flow-specific security. With this increased protection comes an increase in maintenance and configuration time. Note that if your web application uses dynamic parameters, you must add those to the security policy manually.
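The following Python model is an added illustration, not code from the F5 documentation or the product, of how the rules stated so far combine: a parameter defined at more than one level is enforced by its most specific definition (flow, then URL, then global, as described at the start of this chapter), a parameter that arrives outside every context in which it is defined is an Illegal Parameter (the GET/POST case above), and a flow parameter marked mandatory must be present in that flow (the Is Mandatory Parameter setting described later). The policy, URLs and parameter names are constructed for the example, and the only violation label taken from this chapter is Illegal Parameter; the other label is the example's own wording.

```python
"""Added example: a small model of ASM parameter-level precedence and flow checks.
The policy, URLs and parameter names below are constructed for illustration; the
only violation label taken from the chapter is "Illegal Parameter"."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ParamDef:
    name: str
    level: str                      # "global", "url" or "flow"
    value_type: str                 # e.g. "static", "user-input", "dynamic"
    url: Optional[str] = None       # URL parameters: the URL; flow parameters: the target URL
    method: Optional[str] = None    # flow parameters only: "GET" or "POST"
    from_url: Optional[str] = None  # flow parameters only: the referrer URL
    mandatory: bool = False         # flow parameters only (Is Mandatory Parameter)


# Flow is the most specific context, then URL, then global.
LEVEL_RANK = {"global": 0, "url": 1, "flow": 2}


def applies(d: ParamDef, method: str, url: str, referrer: Optional[str]) -> bool:
    """Does definition d cover the given request context?"""
    if d.level == "global":
        return True
    if d.level == "url":
        return d.url == url
    return (d.url, d.method, d.from_url) == (url, method, referrer)


def resolve(policy, name, method, url, referrer) -> Optional[ParamDef]:
    """Return the most specific definition of `name` for this request, or None."""
    candidates = [d for d in policy if d.name == name and applies(d, method, url, referrer)]
    if not candidates:
        return None
    return max(candidates, key=lambda d: LEVEL_RANK[d.level])


def check_request(policy, method, url, referrer, params: dict) -> list:
    """Return the violations for the parameters of one request."""
    violations = []
    for name in params:
        # Defined for some other context (or not at all): illegal here.
        if resolve(policy, name, method, url, referrer) is None:
            violations.append(f"Illegal Parameter: {name}")
    for d in policy:
        if (d.level == "flow" and d.mandatory
                and applies(d, method, url, referrer) and d.name not in params):
            violations.append(f"Mandatory parameter is missing: {d.name}")
    return violations


# Constructed policy: param_1 defined both globally and for one URL (the chapter's
# example), plus a mandatory session token on the GET /checkout.php flow from /cart.php.
POLICY = (
    ParamDef("param_1", "global", "static"),
    ParamDef("param_1", "url", "user-input", url="/search.php"),
    ParamDef("session_token", "flow", "dynamic", url="/checkout.php",
             method="GET", from_url="/cart.php", mandatory=True),
)

if __name__ == "__main__":
    print(resolve(POLICY, "param_1", "GET", "/search.php", None).level)   # url
    print(check_request(POLICY, "POST", "/checkout.php", "/cart.php", {"session_token": "x"}))
```

Sending session_token in a POST to /checkout.php produces an Illegal Parameter because the only definition is for the GET flow; sending the GET flow without it produces the mandatory-parameter violation instead.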
The following task starts after the flow for which you want to create a parameter is configured. If the security policy does not include the flow, refer to Configuring flows, for information on adding a flow to the configuration.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
Click the Create button.
The Add Parameter screen opens.
3.
In the Create New Parameter area, for the Parameter Name setting, select an option:
If you select Explicit, then in the field, type a unique parameter name.
If you select Wildcard, then in the field, type a pattern string that represents the parameter names. See Configuring wildcard parameters, for more information.
If you select No Name, the system creates a parameter with the label, UNNAMED.
4.
For the Parameter Level setting, select Flow.
The screen refreshes and displays the flow detail settings.
5.
In the Parameter Level setting, for the From URL option, specify the source of the flow. If the source is a referrer URL (the referrer URL must already be defined in the policy), click URL Path, select the protocol used to request the URL, and then type the referrer URL associated with the flow.
6.
In the Parameter Level setting, for the Method setting, select the HTTP method (GET or POST) with which the target URL is requested.
7.
If you specified a referrer URL for the From URL option, then in the Parameter Level setting, for the To URL option, specify the target URL.
8.
If you want the parameter to be in staging before it gets enforced, for the Perform Staging setting leave the Enabled check box selected.
9.
If you are creating a wildcard parameter and you want the system to suggest explicit parameters that match the wildcard pattern you specify, disable the Perform Staging setting, and then enable the Perform Tightening setting.
Note: F5 Networks does not recommend using both tightening and staging at the same time on the same wildcard entity.
10.
If the parameter is required in the context of the flow, enable the Is Mandatory Parameter setting. Note that only flow parameters can be mandatory. (The Is Mandatory Parameter setting is described later in this chapter.)
11.
To allow users to send a request that contains multiple parameters with the same name, enable the Allow Repeated Occurrences setting. The default value is disabled.
12.
If you want to treat the parameter you are creating as a sensitive parameter (its value is masked in logs and in the user interface), enable the Sensitive Parameter setting.
13.
From the Parameter Value Type list, select the format to use for the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter value types, for information on parameter types and additional settings that are associated with them.
14.
Click the Create button to add the new flow parameter to the security policy.
The screen refreshes, and displays the new flow parameter.
15.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
At times, you may want to update the characteristics of a flow parameter. This is easily done by editing the parameter properties.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
The Parameter Properties screen opens.
3.
Change the parameter properties as required.
4.
When you have finished, click the Update button.
The system saves any changes you may have made, and returns you to the Parameters List screen.
5.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
In the Parameters List area, select the parameter that you want to remove, and then click the Delete button.
The system displays a popup confirmation screen.
3.
Click OK.
The system deletes the parameter.
4.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
Parameter characteristics define the individual attributes of the parameter. The parameter characteristics change depending on the type of parameter that you specify.
When you add a parameter to the security policy, you specify the parameter value type. The system can then tell in what form to expect the parameter value, and it applies the security policy accordingly.
You can configure global parameters, URL parameters, and flow parameters as any parameter type, except the dynamic parameter name type. You can configure only flow parameters as dynamic parameter names.
Table 9.1 describes the parameter value types.
Dynamic parameters are those whose set of values can change, and are often linked to a user session. When you create a new parameter of this type, you are prompted to define dynamic parameter extraction properties. The server sets the value for dynamic content value (DCV) parameters. DCV parameters are often associated with applications that use session IDs for client sessions. For more information, see Configuring dynamic content value parameters.
Static parameters are those that have a known set of values. A list of country names or a yes/no form field are both examples of static parameters. If you select this type, you add or remove static values for the parameter. For more information, see Configuring static parameters.
Some flow parameters have names that change dynamically; use the dynamic parameter name type for them. If you select this type, you also need to specify the URL from which the system should extract the dynamic parameter names. For more information, see Configuring parameter characteristics for dynamic parameter names.
User-input parameters are those that require users to enter or provide some sort of data. This is the most commonly used parameter value type. Comment, name, and phone number fields on an online form are all examples of user-input parameters. You can also configure user-input parameters even if the parameter is not really user input. For example, if a parameter has a wide range of values or many static values, you may want to configure the parameter as a user-input parameter instead of as a static content parameter. For more information, see Configuring parameter characteristics for user-input parameters.
XML parameters are those whose parameter value contains XML data. For more information, see Associating an XML profile with a parameter.
Static parameters are parameters that can contain values from a specific set. For example, a credit card type parameter, for payment in a shopping application, may have the value set of MasterCard®, Visa®, and American Express®. When you configure static parameters, you are basically creating a value set for the parameter.
1.
Create a new parameter, or open the properties of an existing one, as described earlier in this chapter.
2.
For the Parameter Value Type setting, select Static content value.
The screen refreshes and displays the Parameter Static Values area.
3.
In the Parameter Static Values area, in the New Static Value field, type a value for the parameter.
4.
Click the Add button to add the value to the Parameter Static Values list.
Repeat this step for each value that the parameter is allowed to take.
5.
Click the Create button to save the parameter in the configuration.
6.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
User-input parameters are those for which the user can provide a value. For user-input parameters, you can configure the Application Security Manager to verify minimum and maximum values, minimum and maximum lengths, and valid meta characters. It is particularly useful to configure a parameter as a user-input parameter if you want the system to verify parameter values using broad validations, such as minimum and maximum value or maximum length.
By default, the system looks for attack patterns within all user-input alpha-numeric parameters. For each parameter, you can enable or disable a specific attack signature.
User-input parameters can accept many different data types. The data types are: alpha-numeric, binary, decimal, email, integer, and phone. Depending on the data type that you configure, the system can verify additional options, as noted in the following sections.
The alpha-numeric data type specifies that the parameter value can contain letters, digits, and the underscore character. For this data type, you can specify a maximum length, and you can define the acceptable parameter values as a regular expression. You can also specify one or more meta characters (in addition to the base character set of a-z, A-Z, 0-9) that are acceptable within the context of the parameter.
Note: If you enable a regular expression for an alpha-numeric parameter, a value that does not match the expression generates a Parameter value does not comply with regular expression violation.
1.
Create a new parameter, or open the properties of an existing one, as described earlier in this chapter.
2.
For the Parameter Value Type setting, use the default value, User-input value.
3.
For the Data Type setting, use the default value, Alpha-Numeric.
4.
To enforce a maximum length (number of bytes) for the parameter value, for Maximum Length select Value, and type a number.
5.
To enforce the parameter value using pattern matching, enable the Regular Expression setting, and type a regular expression.
Note: When you enable this setting, the only values acceptable for the parameter are those that exactly match the regular expression pattern that you provide. All other values are considered illegal for this parameter.
6.
If you want to make certain meta characters valid, or not valid, as part of the parameter value (and override the global meta character settings), click Value Meta Characters.
Make sure that the Check characters on this parameter value check box is selected.
The screen displays the global and overridden meta character settings for this parameter.
From the Global Security Policy Settings list, select any meta characters that you want to assign to the parameter value, and click the Move button (<<) to add them to the Overridden Security Policy Settings list.
The screen displays the meta characters and the default state for each.
In the Overridden Security Policy Settings list, change the meta character state as required.
Select Allowed when the meta character may appear in the parameter value.
Select Disallowed when the meta character may not appear in the parameter value; a value that contains it triggers the Illegal meta character in value violation.
7.
If you want to enable or disable specific attack signature checks for the parameter value, click Attack Signatures.
Make sure that the Check attack signatures on this parameter check box is selected.
The screen displays the attack signature settings that are available or assigned to this parameter.
From the Global Security Policy Settings list, select any attack signatures that you want to assign to the parameter value, and click the Move button (<<) to add them to the Overridden Security Policy Settings list.
The screen displays the attack signatures and the default state for each.
In the Overridden Security Policy Settings list, change the attack signature state as required. Note that the state you select here overrides the state assigned at the attack signature set level.
Select Enabled when the system should check the parameter value against the signature, so that a matching value generates a violation.
Select Disabled when the system should not check this parameter value against the signature, for example because the parameter legitimately contains content that matches it.
8.
Click the Create button to add the parameter to the configuration.
9.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
The file upload data type specifies that the parameter value is data for which the system does not verify meta characters or attack signatures. Typically, you use this data type for binary file uploads. For this data type, you can specify a maximum length. Additionally, since most web applications do not legitimately accept uploads of binary executable code, you can block such uploads by enabling the Disallow File Upload of Executables option.
1.
Create a new parameter, or open the properties of an existing one, as described earlier in this chapter.
2.
For the Parameter Value Type setting, use the default value, User-input value.
3.
For the Data Type setting, select File Upload.
4.
For the Maximum Length setting, select Any to accept a value of any length, or select Value and type the maximum number of bytes to allow.
5.
To have the system generate a violation when an uploaded file is a binary executable, leave the Disallow File Upload of Executables check box selected. This setting is enabled by default.
6.
Click the Create button to add the parameter to the configuration.
7.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
The decimal data type specifies that the parameter value is numeric, and can include integers and decimals only. For this data type, you can specify a minimum value, a maximum value, and a maximum length.
1.
Create a new parameter, or open the properties of an existing one, as described earlier in this chapter.
2.
For the Parameter Value Type setting, use the default value, User-input value.
3.
For the Data Type setting, select Decimal.
4.
If you want to enforce a minimum value for the parameter value, select the Check Minimum Value check box, and type a number.
5.
If you want to enforce a maximum value for the parameter value, select the Check Maximum Value check box, and type a number.
6.
If you want to enforce a maximum length (number of bytes) for the parameter value, for Maximum Length select Value, and type a number.
7.
Click the Create button to add the parameter to the configuration.
8.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
The email data type specifies that the parameter value is in the email address format. Values for this data type can include letters, numbers, the at meta character (@), the period (.) character, and the underscore (_) character. For this data type you can specify only a maximum length.
Note: F5 Networks recommends that you use the email data type only if the web application has client-side data validation for the parameter.
1.
Create a new parameter, or open the properties of an existing one, as described earlier in this chapter.
2.
For the Parameter Value Type setting, use the default value, User-input value.
3.
For the Data Type setting, select Email.
4.
If you want the system to enforce a maximum length (number of bytes) for the parameter value, for Maximum Length select Value, and type a number.
5.
Click the Create button to add the parameter to the configuration.
6.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
The integer data type specifies that the parameter value is numeric, and can include only whole numbers. For this data type, you can specify a minimum value, a maximum value, and a maximum length.
1.
Create a new parameter, or open the properties of an existing one, as described earlier in this chapter.
2.
For the Parameter Value Type setting, use the default value, User-input value.
3.
For the Data Type setting, select Integer.
4.
If you want the system to enforce a minimum value for the parameter value, select the Check Minimum Value check box, and type a number.
5.
If you want the system to enforce a maximum value for the parameter value, select the Check Maximum Value check box, and type a number.
6.
If you want the system to enforce a maximum length (number of bytes) for the parameter value, for Maximum Length select Value, and type a number.
7.
Click the Create button to add the parameter to the configuration.
8.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
The phone data type specifies that the parameter value is in the phone number format. Values for this data type can include numbers, the hyphen meta character (-), and the parentheses meta characters [( )]. For this data type you can specify only a maximum length.
Note: F5 Networks recommends that you use the phone data type only if the web application has client-side data validation for the parameter.
1.
Create a new parameter, or open the properties of an existing one, as described earlier in this chapter.
2.
For the Parameter Value Type setting, use the default value, User-input value.
3.
For the Data Type setting, select Phone.
4.
If you want to enforce a maximum length (number of bytes) for the parameter value, for Maximum Length select Value, and type a number.
5.
Click the Create button to add the parameter to the configuration.
6.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
The Allow Empty Value setting specifies whether the system accepts the parameter when it arrives without a value. When this setting is enabled on a parameter (the default), the system does not generate an Illegal empty parameter value violation if a client request sends the parameter with no value. Conversely, if the Allow Empty Value setting is disabled, the system generates the Illegal empty parameter value violation when a client request sends the parameter with no value. The Allow Empty Value setting applies to all types of parameters.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
The Parameter Properties screen opens.
3.
For the Allow Empty Value setting, select the Enabled check box to accept empty values, or clear it to require a value.
4.
When you have finished, click the Update button.
The system saves any changes you may have made, and returns you to the Parameters List screen.
5.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
By sending several occurrences of the same parameter in a single request, an attacker can cause unexpected behavior on an application server. This type of attack, called HTTP parameter pollution, can be used to evade web application firewalls (and can smuggle attacks past intrusion prevention signature matching engines), because the device inspecting the request and the application consuming it may not agree on which occurrence of the parameter counts.
Since most web applications do not expect parameters to appear several times in a request, such behavior is not allowed by default. Therefore, when a request contains multiple occurrences of the same parameter, the system generates an Illegal repeated parameter name violation (if that violation is set to Alarm or Block). When the violation occurs, the system provides a learning suggestion that you can review to decide whether to allow repeated occurrences of the parameter. You can also enable the Allow Repeated Occurrences setting directly by editing the parameter properties.
1.
On the Main tab, expand Application Security and click Parameters.
The Parameters List screen opens.
2.
In the Parameters List area, in the Parameter Name column, click the name of the parameter that you want to edit.
The Parameter Properties screen opens.
3.
For the Allow Repeated Occurrences setting, select the Enabled check box.
4.
Click the Update button.
The system saves the changes, and returns you to the Parameters List screen.
5.
To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
You can have the security policy limit the maximum number of parameters allowed in requests. A request that contains more parameters than allowed by the security policy is a possible attack on the server.
1. On the Main tab, expand Application Security, point to Policy, Blocking, then click HTTP Protocol Compliance.
2. Select the HTTP Validation option Check maximum number of parameters, then type the maximum number of parameters to allow in a request. The default is 500 parameters.
3. Click Save.
4. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
The Is Mandatory Parameter setting specifies whether a parameter must be present in a flow.
1. On the Main tab, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the flow parameter whose properties you want to edit.
   The Parameter Properties screen opens.
4. For the Is Mandatory Parameter setting, select the Enabled check box.
5. When you have finished, click the Update button.
   The system saves any changes you may have made, and returns you to the Parameters List screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
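The four parameter checks described above (Allow Empty Value, Allow Repeated Occurrences, the policy-wide maximum number of parameters, and Is Mandatory Parameter) can be modelled with a few lines of code. The following is an added example, not BIG-IP ASM code; the names ParamRule, Policy and check_request are hypothetical, and the defaults follow the chapter (empty values allowed, repeats not allowed, 500 parameters). It parses a query string or form body without collapsing duplicate names, which is exactly the property an HTTP parameter pollution check depends on.

```python
"""Positive-security checks on request parameters.

Added example, not BIG-IP ASM code.  It models the four settings described
above: Allow Empty Value, Allow Repeated Occurrences, the policy-wide
maximum number of parameters (default 500), and Is Mandatory Parameter.
The names ParamRule, Policy and check_request are hypothetical.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl


@dataclass
class ParamRule:
    """Per-parameter settings; defaults follow the chapter (empty values
    allowed, repeats not allowed, parameter not mandatory)."""
    allow_empty_value: bool = True
    allow_repeated_occurrences: bool = False
    is_mandatory: bool = False


@dataclass
class Policy:
    """Policy-level settings plus explicit parameter rules keyed by name."""
    max_parameters: int = 500
    rules: dict = field(default_factory=dict)


def parse_parameters(raw: str):
    """Return every (name, value) pair in order.  keep_blank_values=True
    keeps 'a=' and a bare 'a' as empty strings instead of dropping them,
    which is what the empty-value check needs to see."""
    return parse_qsl(raw, keep_blank_values=True)


def check_request(policy: Policy, raw: str):
    """Return the list of violations a query string or form body triggers."""
    pairs = parse_parameters(raw)
    violations = []

    # Policy-wide limit on the number of parameters in one request.
    if len(pairs) > policy.max_parameters:
        violations.append(
            f"Illegal number of parameters ({len(pairs)} > {policy.max_parameters})")

    counts = {}
    empty_reported = set()
    for name, value in pairs:
        counts[name] = counts.get(name, 0) + 1
        rule = policy.rules.get(name, ParamRule())
        if value == "" and not rule.allow_empty_value and name not in empty_reported:
            empty_reported.add(name)
            violations.append(f"Illegal empty parameter value ({name})")

    # Repeated occurrences of one name are the HTTP parameter pollution case.
    for name, count in counts.items():
        rule = policy.rules.get(name, ParamRule())
        if count > 1 and not rule.allow_repeated_occurrences:
            violations.append(f"Illegal repeated parameter name ({name})")

    # Mandatory parameters must be present at least once.
    for name, rule in policy.rules.items():
        if rule.is_mandatory and name not in counts:
            violations.append(f"Mandatory parameter is missing ({name})")

    return violations


if __name__ == "__main__":
    demo = Policy(max_parameters=5, rules={
        "price": ParamRule(allow_empty_value=False, is_mandatory=True),
        "tag": ParamRule(allow_repeated_occurrences=True),
    })
    print(check_request(demo, "price=10&tag=a&tag=b"))   # no violations
    print(check_request(demo, "price=&item=1&item=2"))   # empty price, repeated item
```

A parameter that has no explicit rule gets the defaults, so a repeated name is reported unless it has been explicitly allowed; in the product that decision is what the learning suggestion asks you to make.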
XML parameters contain XML data in the parameter value. To perform checks on the XML data, you associate an XML profile with the XML parameter. For details on configuring XML profiles, refer to Chapter 11, Protecting XML Applications.
2. For the Parameter Value Type setting, select XML value.
   The screen refreshes and displays additional settings.
3. For the XML Profile setting, perform the appropriate task:
   If you have not created an XML profile, click the Create button (+) next to XML Profile to create one. For details about creating XML profiles, refer to Chapter 11, Protecting XML Applications.
4. Click the Create button.
   The screen refreshes and you see the parameter in the list.
5. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
JSON parameters are parameters that can contain JSON data. To perform checks on the JSON data, you associate a JSON profile with the JSON parameter. The system validates JSON data found in requests to this parameter based on the settings you configured in the JSON profile. Refer to BIG-IP® Application Security Manager: Implementations for information about JSON profiles.
2. For the Parameter Value Type setting, select JSON value.
   The screen refreshes and displays additional settings.
3. For the JSON Profile setting, perform the appropriate task:
   If you have not created a JSON profile, click the Create button (+) next to JSON Profile to create one.
4. Click the Create button.
   The screen refreshes and you see the parameter in the list.
5. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
When you configure a dynamic parameter, you also configure the extraction properties for the parameter values. The extraction properties define from where to extract the dynamic parameter values or name, and which method or methods to use for the extraction. When the Application Security Manager receives a request that contains an entity (for example, a file extension or URL) containing a dynamic parameter, the system uses the extraction properties to collect the parameter value or name from the web application's response to the request. Once the system has extracted the dynamic parameter values, the system knows what to enforce the next time a request contains the dynamic parameter.
Dynamic content value (DCV) parameters are those for which the web application sets the value on the server side. When you configure a DCV parameter in the Application Security Manager, the system verifies that the client is not changing the parameter value, as set by the server, from one request to the next. For example, in an auction application, you might configure the price parameter as a DCV parameter to keep users from tampering with the price.
DCV parameters are often associated with web applications that use sessions. Each user of these applications has unique identifiers, and those identifiers may also change. As a result, the parameters in the web application that identify the user have dynamic content values. As an example, user identity is often passed between pages as a hidden parameter, which could be exploited by malicious users.
When you configure a DCV parameter, you also configure the extraction properties for the parameter values. The extraction properties specify the manner in which the Application Security Manager discovers and populates the values for the DCV parameter.
By default, the system retains all of the values that it finds for a DCV parameter unless the number of values exceeds 950. When that is the case, the Application Security Manager replaces the first-extracted values with new values. When there are fewer than 950 values, the system does not replace the values it knows about when it extracts a new value.
2. For the Parameter Value Type setting, select Dynamic content value.
3. Click the Create button.
   A popup screen opens asking if you want to define extractions.
4. Click OK.
   The Create New Extraction screen opens. The Name setting shows the name of the parameter you created.
5. From the Extracted Items Configuration list, select Advanced, and then specify from where you want the system to extract the dynamic parameter values.
   For more information on this setting, see Understanding the extracted items configuration.
6. From the Extraction Methods Configuration list, select Advanced, and then specify the method or methods that you want the system to use to extract the dynamic parameter values.
   For more information on this setting, see Understanding the extraction methods configuration.
7. Click the Create button to add the extraction properties to the parameter.
8. Click the Update button to update the parameter settings.
9. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
Note: You should define the extractions for a DCV parameter before you apply the security policy that includes the parameters. Otherwise, when you apply the security policy, the system warns you that the security policy contains dynamic parameters that do not have extractions defined.
When you create an extraction for a dynamic parameter, one aspect of the extraction is configuring where, in the responses to requested objects, the system searches for the dynamic parameter. You can configure the system to extract the dynamic parameter values from file types, from URLs, and by using pattern matching. Alternately, you can configure the system to extract dynamic parameter values from all items. Table 9.2 describes the extracted items settings.
Use this setting when you want the system to extract dynamic parameters from files of a certain type. Note that the available file types are those that are already a part of the security policy.
Use this setting when you want the system to extract dynamic parameters that match a regular expression pattern. Note that this setting is available only when you select Advanced (above the Extracted Items Configuration area).
Use this setting when you want the system to extract dynamic parameters from all text-based URLs and file types. Note that this setting is available only when you select Advanced (from the Extracted Items Configuration list).
Another important aspect of the extraction configuration is defining how the system extracts the dynamic parameter, that is, the extraction method. Table 9.3 describes the extraction methods.
Use this setting when you want the system to extract dynamic parameter values from all parameters in all forms in the HTML response to a requested URL.
Use this setting when you want the system to extract dynamic parameter values from a specific parameter within a form. Also specify the Form Index and the Parameter Index. Note that this setting is available only when you select Advanced (from the Extracted Items Configuration list).
Use this setting when you want the system to extract dynamic parameter values from within XML entities. Type the XPath specification in the XPath field. Note that this setting is available only when you select Advanced (from the Extraction Methods Configuration list).
Use this setting when you want the system to search for dynamic parameter values in the body of the response. You can also specify how many occurrences the system should find, and a prefix, a RegExp value, or a suffix to search for. Note that this setting is available only when you select Advanced (from the Extraction Methods Configuration list).
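To make the DCV mechanism described in the preceding paragraphs and in the two tables concrete, here is an added example that is not BIG-IP ASM code. It extracts values for a hidden form parameter from a server response either across all forms or at a given form index and parameter index, extracts a value from the raw response body by prefix and suffix, keeps the extracted values in a store that drops the first-extracted entries once it holds 950 values, and then checks a later request value against the store. The HTML and body samples are constructed, and the class and function names are hypothetical.

```python
"""Dynamic content value (DCV) extraction and enforcement.

Added example, not BIG-IP ASM code.  Models three of the extraction ideas
from the chapter (search all forms, search within form by index, search
the response body by prefix/suffix), the 950-value retention limit, and
the check that a client has not changed a server-set value.
"""
import re
from collections import OrderedDict
from html.parser import HTMLParser

MAX_VALUES = 950  # documented retention limit for one DCV parameter

# Constructed sample response: two forms, each carrying a hidden price.
SAMPLE_HTML = (
    '<html><body>'
    '<form action="/bid"><input type="hidden" name="price" value="42.00">'
    '<input name="qty" value="1"></form>'
    '<form action="/watch"><input type="hidden" name="price" value="17.50"></form>'
    '</body></html>'
)
# Constructed sample body for the prefix/suffix search.
SAMPLE_BODY = 'var token = "abc123"; var other = "zzz";'


class FormFieldExtractor(HTMLParser):
    """Collect (name, value) of <input> fields, grouped by enclosing form."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([])
            self._in_form = True
        elif tag == "input" and self._in_form and a.get("name"):
            self.forms[-1].append((a["name"], a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def extract_from_forms(html, param, form_index=None, param_index=None):
    """Values of `param` from all forms, or from one (form_index, param_index) slot."""
    parser = FormFieldExtractor()
    parser.feed(html)
    if form_index is None:
        return [v for form in parser.forms for n, v in form if n == param]
    try:
        form = parser.forms[form_index]
        if param_index is None:
            return [v for n, v in form if n == param]
        name, value = form[param_index]
    except IndexError:
        return []
    return [value] if name == param else []


def extract_from_body(body, prefix, suffix, occurrences=1):
    """Text between a literal prefix and suffix, up to `occurrences` hits."""
    pattern = re.escape(prefix) + r"(.*?)" + re.escape(suffix)
    return re.findall(pattern, body)[:occurrences]


class DcvStore:
    """Known values for one DCV parameter, oldest-first, bounded by `limit`."""
    def __init__(self, limit=MAX_VALUES):
        self.limit = limit
        self.values = OrderedDict()

    def add(self, values):
        for v in values:
            if v in self.values:
                continue
            if len(self.values) >= self.limit:
                self.values.popitem(last=False)  # replace the first-extracted value
            self.values[v] = True

    def enforce(self, value):
        """True if the client-supplied value is one the server handed out."""
        return value in self.values


if __name__ == "__main__":
    store = DcvStore()
    store.add(extract_from_forms(SAMPLE_HTML, "price"))
    print(store.enforce("42.00"), store.enforce("1.00"))  # True False
```

The store is what makes the price-tampering example from the text enforceable: a request carrying a price the server never emitted is not in the store and fails the check, while every value legitimately rendered into a form is accepted.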
You can review all of the parameter extractions that are configured in the security policy. You can also review the parameter extractions for a specific URL on the properties screen for that URL. See Configuring URLs, for more information on URL properties.
1. On the Main tab, expand Application Security and click Parameters.
   The Parameters List screen opens.
2. On the menu bar, click Extractions.
   The Extractions screen opens, where you can view the extractions that are in the security policy.
In some web applications, DCV parameters also have dynamic names. You can use the parameter type, Dynamic parameter name, when you want the system to apply the dynamic names as well as dynamic values. Note that the Dynamic parameter name parameter type is applicable only when you are configuring a flow parameter.
When you configure a dynamic parameter name, you also configure the extraction properties. The extraction properties specify the manner in which the Application Security Manager discovers the parameter names.
2. In the Create New Parameter area, for the Parameter Value Type setting, select Dynamic parameter name.
   The screen refreshes, and displays the Dynamic Parameter Properties area.
3. In the Dynamic Parameter Properties area, for the Extract Parameter from URL setting, select the protocol to use and type the URL from which you want the system to extract the dynamic parameter.
   If the parameter is located in a form, select Search Within Form, and specify the form index and parameter index.
   If the parameter is located in the HTTP/S response, select Search parameters in response body (in form elements names only).
   In the By Pattern field, type a regular expression that represents the parameter name pattern.
   If you do not want the system to enforce whether the parameter has a value, clear the Check parameter value check box.
5. Click the Create button to add the new parameter to the configuration.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
Each security policy includes a default character set for parameter names and another for parameter values. The default character sets correspond to the language encoding that you specified for the web application. The system implements the character set based on the state of the character or meta character: Allowed or Disallowed.
You can change the enforcement state for the general character set, or within the context of a specific alpha-numeric user-input parameter. For alpha-numeric user-input parameters, you can also specify which characters or meta characters are enforced, as well as override the default state. For more information on configuring alpha-numeric user-input parameters, see Configuring an alpha-numeric user-input parameter.
The parameter value character set controls the default characters and meta characters that are acceptable in a parameter value.
1. On the Main tab, expand Application Security, point to Parameters, point to Character Sets, and then click Parameter Value.
   The Parameter Value Character Set screen opens showing the default character set.
3. Use the Filter option to display the characters or meta characters that you want to view.
   Allow: Specifies that the security policy permits this character or meta character in parameter values.
   Disallow: Specifies that the security policy does not permit this character or meta character in parameter values.
5. Click the Save button to save any changes you may have made on this screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
The parameter name character set controls the default characters and meta characters that are acceptable in a parameter name.
1. On the Main tab, expand Application Security, point to Parameters, point to Character Sets, and then click Parameter Name.
   The Parameter Name Character Set screen opens showing the default character set for wildcard parameter names.
3. Use the Filter option to display the characters or meta characters that you want to view.
   Allow: Specifies that the security policy permits this character or meta character in parameter names.
   Disallow: Specifies that the security policy does not permit this character or meta character in parameter names.
5. Click the Save button to save any changes you may have made on this screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
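The Allow/Disallow state per character, and the per-parameter override that an alpha-numeric user-input parameter can carry, amount to a small decision rule. The following added example (not BIG-IP ASM code) shows it: two constructed default sets of disallowed meta characters, one for names and one for values, an override map that takes precedence for a single parameter, and decoding of the raw pair before checking so that a percent-encoded character is judged by what it decodes to. The default sets are invented for the example; the real defaults depend on the policy's language encoding. The function names are hypothetical.

```python
"""Character-set enforcement for parameter names and values.

Added example, not BIG-IP ASM code.  Models the Allow/Disallow state of
each character in the two default character sets described above and the
per-parameter override of an alpha-numeric user-input parameter.  The
default sets are constructed for the example.
"""
from urllib.parse import unquote_plus

# Constructed defaults: meta characters whose default state is Disallow.
DEFAULT_VALUE_DISALLOWED = frozenset('<>"\'`;|&$\\')
DEFAULT_NAME_DISALLOWED = frozenset('<>"\'`;|&$\\ ')


def illegal_chars(text, disallowed, overrides=None):
    """Sorted list of distinct characters in text whose effective state is
    Disallow.  `overrides` maps a character to True (Allow) or False
    (Disallow) and takes precedence over the default set; control
    characters are always treated as Disallow."""
    overrides = overrides or {}
    found = set()
    for ch in text:
        is_disallowed = ch in disallowed or ord(ch) < 0x20
        if ch in overrides:
            is_disallowed = not overrides[ch]
        if is_disallowed:
            found.add(ch)
    return sorted(found)


def check_parameter(name, value, name_overrides=None, value_overrides=None):
    """Decode a raw name=value pair the way a form body is decoded, then
    check each side against its own character set.  Returns the offending
    characters for the name and for the value."""
    return {
        "name": illegal_chars(unquote_plus(name), DEFAULT_NAME_DISALLOWED, name_overrides),
        "value": illegal_chars(unquote_plus(value), DEFAULT_VALUE_DISALLOWED, value_overrides),
    }


if __name__ == "__main__":
    print(check_parameter("user", "O%27Brien"))                            # value: ["'"]
    print(check_parameter("user", "O%27Brien", value_overrides={"'": True}))  # clean
```

Decoding before the check matters: an apostrophe sent as %27 is the same apostrophe once the application decodes it, so the character set has to be applied to the decoded text.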
The Application Security Manager stores incoming requests in plain text format. Some requests include sensitive data in parameters, such as an account number. If you create sensitive parameters, the system replaces the sensitive data, in the stored request and in logs, with asterisks (***).
You can create sensitive parameters as described in the procedure, following, or by enabling the Sensitive Parameter setting when creating or editing any parameter. All parameters defined as sensitive, regardless of how you configured them, appear in the Sensitive Parameters list.
Configuring a parameter as sensitive affects only how the Application Security Manager stores and displays information in requests. It does not affect requests sent to the web application or the client.
Note: The Application Security Manager automatically creates a sensitive parameter called password for every new security policy. Also, the Policy Builder considers parameters with type="password" in the response to be sensitive.
1. On the Main tab, expand Application Security, point to Parameters, then click Sensitive Parameters.
   The Sensitive Parameters screen opens.
3. Above the Sensitive Parameters section, click the Create button.
   The New Sensitive Parameter screen opens.
4. In the Parameter field, type the name of the user-input parameter, exactly as it occurs in the HTTP request, for which you do not want the system to store the actual value. In the following example, account is the sensitive parameter:
   Tip: If a parameter of this name already exists in the security policy, click it in the parameter list, and enable the Sensitive Parameter setting instead of creating a new sensitive parameter.
5. Click the Create button.
   The screen closes, and you can see the newly created sensitive parameter in the Sensitive Parameters list.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
In addition to creating sensitive parameters, you can also edit or delete existing sensitive parameters. To edit a sensitive parameter name, click the name, then update it. To delete a parameter, select the box next to it and click the Delete button.
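The masking behaviour described above is easy to get wrong in a home-grown logger, so here is an added example of it (not BIG-IP ASM code). The sensitive list starts with password, as the note says every new policy does; mask_request builds the copy that would be stored or logged, rewriting the query string and an application/x-www-form-urlencoded body while leaving the original request untouched; and password_fields mirrors the Policy Builder heuristic of treating type="password" inputs in a response as sensitive. All names and sample requests are hypothetical and constructed.

```python
"""Masking sensitive parameter values in stored requests and logs.

Added example, not BIG-IP ASM code.  The sensitive list begins with
'password'; mask_request() returns the stored/logged representation with
sensitive values replaced by ***; password_fields() finds <input
type="password"> names in a response, as the Policy Builder does.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote_plus, urlencode, urlsplit, urlunsplit

MASK = "***"


class SensitiveParameters:
    """The policy's list of sensitive parameter names."""
    def __init__(self, names=("password",)):
        self.names = set(names)

    def add(self, name):
        self.names.add(name)

    def remove(self, name):
        self.names.discard(name)

    def mask_query(self, query):
        """Rebuild a query string with sensitive values replaced by ***."""
        parts = []
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name in self.names:
                parts.append(quote_plus(name) + "=" + MASK)
            else:
                parts.append(urlencode([(name, value)]))
        return "&".join(parts)


def mask_request(sensitive, method, url, body="", content_type=""):
    """Return the representation to store or log.  The caller's request is
    not modified: masking affects only what is kept, not what is forwarded."""
    parts = urlsplit(url)
    stored_url = urlunsplit(parts._replace(query=sensitive.mask_query(parts.query)))
    stored_body = body
    if content_type.startswith("application/x-www-form-urlencoded"):
        stored_body = sensitive.mask_query(body)
    return {"method": method, "url": stored_url, "body": stored_body}


class _PasswordFieldFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password" and a.get("name"):
            self.names.append(a["name"])


def password_fields(html):
    """Names of <input type="password"> fields in a response body."""
    finder = _PasswordFieldFinder()
    finder.feed(html)
    return finder.names


if __name__ == "__main__":
    sp = SensitiveParameters()
    sp.add("account")
    print(mask_request(sp, "POST", "/login?account=999&x=1",
                       "user=bob&password=s3cret",
                       "application/x-www-form-urlencoded"))
```

Only the stored copy is rewritten; the value forwarded to the application is the one the client sent, which is the behaviour the text describes.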
If you want the security policy to differentiate between pages in the web application that are generated by requests with the same URL name but with different parameter and value pairs, and to build the appropriate flows, you must specify the exact names of the parameters that trigger the creation of the pages in the web application. These parameters are called navigation parameters. A navigation parameter cannot be a wildcard.
1. On the Main tab, expand Application Security, point to Parameters then click Navigation Parameters.
   The Navigation Parameters screen opens.
3. Above the Navigation Parameters area, click the Create button.
   The New Navigation Parameter screen opens.
   If the navigation parameter applies to only one page in the web application, select URL Path, and type the URL.
5. In the Navigation Parameter field, type the name of the parameter passed to the web server for dynamic page-building purposes.
6. Click the Create button.
   The screen closes, and on the Navigation Parameters screen, you can see the new navigation parameter.
7. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
In addition to creating navigation parameters, you can also edit or delete existing navigation parameters, as required by changes in the web application. To delete an existing navigation parameter, select the box next to the parameter, and click the Delete button. To edit an existing navigation parameter, click the name then update the parameter properties.