Manual Chapter: Enforcing Path Parameter Security

Overview: Enforcing path parameter security

Path parameters are parameters that are attached to path segments in the URI. You can configure Application Security Manager™ (ASM) to enforce path parameters as needed in your organization. Path parameters can be ignored, treated as parameters, or treated as an integral part of URLs.

Although path parameters are not widely used, they can serve as a covert back door for attacks, even against server applications that do not use path parameters at all. For example, an application could copy a URI whose path parameters contain attack signatures into the body of the response.

Path parameters can have multiple parameters in the same path segment separated by semicolons. A semicolon also separates the path segment from the parameters; for example, /path/name;param1;p2;p3. Each parameter can optionally equal a value; for example, param=value;p2. If a path parameter has more than one value, the values are separated by commas, such as param=val1,val2,val3.

Path parameters are extracted from requests, but not from responses.

Enforcing path parameter security

You can configure how a security policy handles path parameters that are attached to path segments in URIs. You can enforce different levels of security based on your needs.
  1. On the Main tab, click Security > Application Security > Security Policies. The Active Policies screen opens.
  2. Click the name of the security policy you want to work on. The Properties screen opens.
  3. From the Configuration list, select Advanced.
  4. Scroll down to Handle Path Parameters, and select how you want to treat path parameters in URIs.
     Option          Description
     As Parameter    The system normalizes and enforces path parameters. For each path parameter,
                     the system removes it from the URL as part of the normalization process,
                     finds a corresponding parameter in the security policy (first at the
                     matching URL level, and if not found, then at the Global level), and
                     enforces it according to its attributes like any other parameter.
     As URL          The system does not normalize or enforce path parameters, and treats them
                     as an integral part of the URL.
     Ignore          The system removes path parameters from URLs as part of the normalization
                     process, but does not enforce them.
  5. Click Save.
  6. In the editing context area, click Apply Policy to put the changes into effect.
Path parameters in URIs are handled as specified in the security policy properties.
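The following is an added illustration, not ASM code, of the path parameter syntax described in the overview (semicolon-separated parameters, optional =value, comma-separated values) and of the three Handle Path Parameters options from the procedure. The policy structure (url-level and global parameter definitions holding a regular expression per parameter) and the treatment of a parameter found at neither level are assumptions for the example, not documented ASM behavior.

```python
import re
from urllib.parse import urlsplit


def parse_path_parameters(uri):
    """Split a URI path into its normalized path and its path parameters.

    Returns (normalized_path, params) where params is a list of
    (segment_index, name, values) tuples; values is [] if no '=' was given.
    Example form handled: /path/name;param1;p2=value;p3=v1,v2,v3
    """
    segments = urlsplit(uri).path.split("/")
    normalized, params = [], []
    for idx, seg in enumerate(segments):
        base, *raw_params = seg.split(";")   # first piece is the segment itself
        normalized.append(base)
        for raw in raw_params:
            if raw == "":
                continue                      # tolerate a stray ';' (e.g. "name;;p2")
            name, sep, value = raw.partition("=")
            params.append((idx, name, value.split(",") if sep else []))
    return "/".join(normalized), params


def handle_path_parameters(uri, mode, policy):
    """Apply one of the Handle Path Parameters options to a request path.

    policy is an assumed stand-in: {"url-level": {path: {name: regex}},
    "global": {name: regex}}. Returns (path_used_for_url_matching, findings).
    """
    normalized, params = parse_path_parameters(uri)
    if mode == "As URL":
        return urlsplit(uri).path, []         # left intact, nothing enforced
    if mode == "Ignore":
        return normalized, []                 # stripped, nothing enforced
    if mode != "As Parameter":
        raise ValueError(f"unknown mode: {mode}")
    findings = []
    url_level = policy.get("url-level", {}).get(normalized, {})
    for _idx, name, values in params:
        # Look up the parameter at the matching URL level first, then globally.
        pattern = url_level.get(name) or policy.get("global", {}).get(name)
        if pattern is None:
            # Assumed handling: report a parameter defined at neither level.
            findings.append((name, "parameter not defined at URL or global level"))
            continue
        for v in values:
            if not re.fullmatch(pattern, v):
                findings.append((name, f"value {v!r} does not match {pattern!r}"))
    return normalized, findings
```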