Path parameters are parameters that are attached to path segments in the URI. You can configure Application Security Manager™ (ASM) to enforce path parameters as needed in your organization. Path parameters can be ignored, treated as parameters, or treated as an integral part of URLs.
Although path parameters are not widely used, they could serve as covert back doors for attacks, even against server applications that do not use path parameters. For example, an application could copy a URI with path parameters containing attack signatures to the body of the response.
Path parameters can have multiple parameters in the same path segment separated by semicolons. A semicolon also separates the path segment from the parameters; for example, /path/name;param1;p2;p3. Each parameter can optionally equal a value; for example, param=value;p2. If a path parameter has more than one value, the values are separated by commas, such as param=val1,val2,val3.
Path parameters are extracted from requests, but not from responses.
| Option | Description |
|---|---|
| As Parameter | The system normalizes and enforces path parameters. For each path parameter, the system removes it from the URL as part of the normalization process, finds a corresponding parameter in the security policy (first at the matching URL level, and if not found, then at the Global level), and enforces it according to its attributes like any other parameter. |
| As URL | The system does not normalize or enforce path parameters, and treats them as an integral part of the URL. |
| Ignore | The system removes path parameters from URLs as part of the normalization process, but does not enforce them. |
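
The path-parameter syntax and the three handling options described above can be sketched as a small parser. This is an added example, not F5 code and not how ASM is implemented; the function names and the mode strings `as_parameter`, `as_url` and `ignore` are hypothetical, and the sample paths are constructed.

```python
def split_path_params(path):
    """Split a URI path into (normalized_path, params).

    params is a list of (name, values) tuples in request order;
    a parameter with no '=' has an empty values list.
    """
    segments, params = [], []
    for segment in path.split("/"):
        # The first ';' separates the path segment from its parameters,
        # and further ';' separate the parameters from each other.
        name, *raw_params = segment.split(";")
        segments.append(name)
        for raw in raw_params:
            if not raw:
                continue  # tolerate empty entries such as "name;;p2"
            key, has_value, value = raw.partition("=")
            # Multiple values for one parameter are comma-separated.
            params.append((key, value.split(",") if has_value else []))
    return "/".join(segments), params


def handle_path(path, mode):
    """Return (url_used_for_matching, params_to_enforce) for a mode."""
    if mode == "as_url":
        # Parameters stay in the URL and are not enforced separately.
        return path, []
    normalized, params = split_path_params(path)
    if mode == "ignore":
        # Parameters are stripped during normalization and then dropped.
        return normalized, []
    if mode == "as_parameter":
        # Parameters are stripped and handed to parameter enforcement.
        return normalized, params
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    sample = "/path/name;param=val1,val2,val3;p2"  # constructed sample
    for mode in ("as_parameter", "as_url", "ignore"):
        print(mode, handle_path(sample, mode))
```

In the `as_parameter` case, each returned name would then be looked up in the policy, first at the matching URL level and then at the Global level, as the table describes.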