F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP ASM
  4. BIG-IP Application Security Manager: Implementations
  5. Adding Parameters to a Security Policy
Manual Chapter : Adding Parameters to a Security Policy

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

About adding parameters to a security policy

Parameters are an integral part of any web application, and they need to be protected so clients cannot access them, modify them, or view sensitive data. When you define parameters in a security policy, you increase the security of the web application and prevent web parameter tampering.

Application Security Manager evaluates parameters, meta characters, query string lengths, and POST data lengths as part of a positive security logic check. When the security policy includes known parameters, you are creating a whitelist of acceptable parameters. The system allows traffic that includes the parameters that you configure in a security policy.

Security policies can include parameters defined as global parameters, URL parameters, and flow parameters. You can further specify parameters as being particular value types: static content, dynamic content, dynamic parameter name, user-input, JSON, or XML. You can also create parameters for which the system does not check or verify the value.

Creating global parameters

Global parameters are parameters that are not associated with specific URLs or application flows. The advantage of using global parameters is that you can configure a global parameter once, and the system enforces the parameter wherever it occurs. You create a global parameter to address these conditions:
  • The web application has a parameter that appears in several URLs or flows.
  • You want the Application Security Manager to enforce the same parameter attributes on all parameters.
  1. On the Main tab, click Security > Application Security > Parameters.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create. The Add Parameter screen opens.
  4. In the Create New Parameter area, for the Parameter Name setting, specify the type of parameter you want to create.
    • To create a named parameter, select Explicit, then type the name.
    • To use pattern matching, select Wildcard, then type a wildcard expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
    • To create an unnamed parameter, select No Name. The system creates a parameter with the label, UNNAMED.
  5. For the Parameter Level setting, select Global. The parameter can occur anywhere and is not associated with a specific URL or flow.
  6. Leave the Perform Staging check box selected if you want the system to evaluate traffic before enforcing this parameter. Staging helps reduce the occurrence of false positives.
  7. If you are creating a wildcard parameter and you want the system to display explicit parameters that match the wildcard entity pattern that you specify, for the Learn Explicit Entities setting, select Add All Entities.
  8. Specify whether the parameter requires a value:
    • If the parameter is acceptable without a value, leave the Allow Empty Value setting enabled.
    • If the parameter must always include a value, clear the Allow Empty Value check box.
  9. To allow users to send a request that contains multiple parameters with the same name, select the Allow Repeated Occurrences check box.
    Important: Before enabling this check box, consider that requests containing multiple parameters of the same name could indicate an attack on the web application (HTTP Parameter Pollution).
  10. If you want to treat the parameter you are creating as a sensitive parameter (data not visible in logs or the user interface), enable the Sensitive Parameter setting.
  11. For the Parameter Value Type setting, select the format of the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options.
  12. Click Create to add the new parameter to the security policy.
  13. To put the security policy changes into effect immediately, click Apply Policy.
When you first create a global parameter, the system places the parameter in staging by default and does not block requests even if a violation occurs and the system is configured to block the violation. The system makes learning suggestions that you can accept or clear.

Creating URL parameters

URL parameters are parameters that are defined in the context of a URL. You can use a URL parameter when it does not matter where users were before they accessed this URL, or whether the parameter was in a GET or POST request. You can create a parameter that goes with a URL that already exists in the security policy.
  1. On the Main tab, click Security > Application Security > Parameters.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create. The Add Parameter screen opens.
  4. In the Create New Parameter area, for the Parameter Name setting, specify the type of parameter you want to create.
    • To create a named parameter, select Explicit, then type the name.
    • To use pattern matching, select Wildcard, then type a wildcard expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
    • To create an unnamed parameter, select No Name. The system creates a parameter with the label, UNNAMED.
  5. For the Parameter Level setting, select URL, then for the URL Path setting, select a protocol from the list, and then type the URL in this format: /url_name.ext. When you begin to type the URL, the system lists all URLs that include the character you typed, and you can select the URL from the list.
  6. Leave the Perform Staging check box selected if you want the system to evaluate traffic before enforcing this parameter. Staging helps reduce the occurrence of false positives.
  7. If you are creating a wildcard parameter and you want the system to display explicit parameters that match the wildcard entity pattern that you specify, for the Learn Explicit Entities setting, select Add All Entities.
  8. Specify whether the parameter requires a value:
    • If the parameter is acceptable without a value, leave the Allow Empty Value setting enabled.
    • If the parameter must always include a value, clear the Allow Empty Value check box.
  9. To allow users to send a request that contains multiple parameters with the same name, select the Allow Repeated Occurrences check box.
    Important: Before enabling this check box, consider that requests containing multiple parameters of the same name could indicate an attack on the web application (HTTP Parameter Pollution).
  10. If you want to treat the parameter you are creating as a sensitive parameter (data not visible in logs or the user interface), enable the Sensitive Parameter setting.
  11. For the Parameter Value Type setting, select the format of the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options.
  12. Click Create to add the new parameter to the security policy.
  13. To put the security policy changes into effect immediately, click Apply Policy.
When you define a URL parameter, the system applies the security policy to the parameter attributes in the context of the associated URL, and ignores the flow information. When you first create a URL parameter, the system places the parameter in staging by default and does not block requests even if a violation occurs and the system is configured to block the violation. The system makes learning suggestions that you can accept or clear.

Creating flow parameters

Before you can create a flow parameter, you need to first have created the flow to which the parameter applies. If the source URL is a referrer URL, that URL must already be defined in the security policy as well.
You define parameters in the context of a flow when it is important to enforce that the target URL receives a parameter only from a specific referrer URL. Flow parameters provide very tight, flow-specific security for web applications. With this increased protection comes an increase in maintenance and configuration time. Note that if your application uses dynamic parameters, you need to manually add those to the security policy.
  1. On the Main tab, click Security > Application Security > Parameters.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create. The Add Parameter screen opens.
  4. In the Create New Parameter area, for the Parameter Name setting, specify the type of parameter you want to create.
    • To create a named parameter, select Explicit, then type the name.
    • To use pattern matching, select Wildcard, then type a wildcard expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
    • To create an unnamed parameter, select No Name. The system creates a parameter with the label, UNNAMED.
  5. In the Parameter Level setting, select Flow, and then for From URL define where the flow must come from:
    • If the source URL is an entry point, click Entry Point.
    • If the source URL is a referrer URL (already defined in the policy), click URL Path, select the protocol used for the URL, then type the referrer URL associated with the flow.
    When you begin to type the URL, the system lists all referrer URLs that include the character you typed, and you can select the URL from the list.
  6. In the Parameter Level setting, for Method, select the HTTP method (GET or POST) that applies to the target referrer URL (already defined in the policy).
  7. In the Parameter Level setting, for To URL, select the protocol used for the URL, then type the target URL.
  8. Leave the Perform Staging check box selected if you want the system to evaluate traffic before enforcing this parameter. Staging helps reduce the occurrence of false positives.
  9. If you are creating a wildcard parameter and you want the system to display explicit parameters that match the wildcard entity pattern that you specify, for the Learn Explicit Entities setting, select Add All Entities.
  10. If the parameter is required in the context of the flow, select the Is Mandatory Parameter check box. Note that only flows can have mandatory parameters.
  11. Specify whether the parameter requires a value:
    • If the parameter is acceptable without a value, leave the Allow Empty Value setting enabled.
    • If the parameter must always include a value, clear the Allow Empty Value check box.
  12. To allow users to send a request that contains multiple parameters with the same name, select the Allow Repeated Occurrences check box.
    Important: Before enabling this check box, consider that requests containing multiple parameters of the same name could indicate an attack on the web application (HTTP Parameter Pollution).
  13. If you want to treat the parameter you are creating as a sensitive parameter (data not visible in logs or the user interface), enable the Sensitive Parameter setting.
  14. For the Parameter Value Type setting, select the format of the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options.
  15. Click Create to add the new parameter to the security policy.
  16. To put the security policy changes into effect immediately, click Apply Policy.
When you create a parameter that is associated with a flow, the system verifies the parameter in the context of the flow. For example, if you define a parameter in the context of a GET request, and a client sends a POST request that contains the parameter, the system generates an Illegal Parameter violation.

Creating sensitive parameters

The Application Security Manager stores incoming requests in plain text format. Some requests include sensitive data in parameters, such as an account number, that you want to hide from system users. You can create sensitive parameters as described in the procedure, following, or by enabling the Sensitive Parameter setting when creating or editing any parameter. All parameters defined as sensitive, regardless of how you configured them, appear in the Sensitive Parameters list.
  1. On the Main tab, click Security > Application Security > Parameters > Sensitive Parameters.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create. The New Sensitive Parameter screen opens.
  4. In the Parameter Name field, type the name of the user-input parameter, exactly as it occurs in the HTTP request, for which you do not want the system to store the actual value. In this example, account is the sensitive parameter: http://www.siterequest.com/bank.php?account=12345
    Tip: If a parameter of this name already exists in the security policy, click it in the parameter list, and enable the Sensitive Parameter setting instead of creating a new sensitive parameter.
  5. Click Create to add the new parameter to the security policy.
  6. To put the security policy changes into effect immediately, click Apply Policy.
When you create sensitive parameters, the system replaces the sensitive data, in the stored request and in logs, with asterisks (***).

Creating navigation parameters

If you want the security policy to differentiate between pages in the web application that are generated by requests with the same URL name but with different parameter and value pairs, and to build the appropriate flows, you must specify the exact names of the parameters that trigger the creation of the pages in the web application. These parameters are called navigation parameters. A navigation parameter cannot be a wildcard.
  1. On the Main tab, click Security > Application Security > Parameters > Navigation Parameters.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create. The New Navigation Parameter screen opens.

  5. In the Navigation Parameter field, type the name of the parameter passed to the web server for dynamic page-building purposes.
  6. Click Create to add the new parameter to the security policy.
  7. To put the security policy changes into effect immediately, click Apply Policy.

Creating parameters with dynamic content

Dynamic content value (DCV) parameters are parameters where the web application sets the value on the server side (so, for example, the content can change depending on who the user is). When you create a DCV parameter, you also specify where and how to get the dynamic information. For example, in an auction application, you can configure the price parameter as a DCV parameter to keep users from tampering with the price.

You can also use DCV parameters for user identities in web applications that use sessions. As an example, user identity is often passed between pages as a hidden parameter, which could be exploited by malicious users, unless protected.

  1. On the Main tab, click Security > Application Security > Parameters.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create. The Add Parameter screen opens.
  4. In the Create New Parameter area, for the Parameter Name setting, specify the type of parameter you want to create.
    • To create a named parameter, select Explicit, then type the name.
    • To use pattern matching, select Wildcard, then type a wildcard expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
    • To create an unnamed parameter, select No Name. The system creates a parameter with the label, UNNAMED.
  5. For the Parameter Level setting, select the appropriate type, typically Global or URL.
  6. For the Parameter Value Type setting, select Dynamic content value.
  7. Click Create.
    Note: You should define the extractions for a DCV parameter before you apply the security policy that includes the parameters. Otherwise, the system warns you that the security policy contains dynamic parameters with no extractions defined.
    A popup screen opens asking if you want to define extractions.
  8. Click OK. The Create New Extraction screen opens. The Name field shows the name of the parameter you created.
  9. From the Extracted Items Configuration list, select Advanced.
  10. Use the Extract From setting to specify which items the system searches for dynamic parameter values.
    Use This Option When
    File Types You want the system to extract dynamic parameters from responses to requests for certain file types that exist in the security policy. Select the file type and click Add.
    URLs You want the system to extract dynamic parameters from responses to requests for the listed URLs. To add the URLs, select the protocol, type the URL and click Add. If the URL is not in the security policy, it is added.
    RegExp You want the system to extract dynamic parameters from responses to requests that match a regular expression pattern.
    Extract From All Items You want the system to extract dynamic parameters from all text-based URLs and file types.
  11. From the Extracted Methods Configuration list, select Advanced.
  12. Select the appropriate check boxes to specify how to get the dynamic parameter values.
    Select This Option When
    Search in Links You want the system to extract dynamic parameter values from links (href tags) within the server response to a URL.
    Search Entire Form You want the system to extract dynamic parameter values from all parameters in a form in the HTML response to a requested URL.
    Search Within Form You want the system to extract dynamic parameter values from a specific parameter within in a form. Also specify the Form Index and the Parameter Index.
    Search in XML You want the system to extract dynamic parameter values from within XML entities. Type the XPath specification in the XPath field.
    Search in Response Body You want to the system to search for dynamic parameter values in the body of the response. You can also specify how many incidents the system should find, a prefix, a RegExp value, or a prefix to search for.
  13. Click Create to add the extraction properties to the parameter.
  14. Click Update to save the changes.
  15. To put the security policy changes into effect immediately, click Apply Policy.
When the Application Security Manager receives a request that contains an entity (for example, a file extension or URL) with a dynamic content value parameter, the system extracts the parameter value from the web application response and stores it away. The next time the system receives a request containing that parameter, it uses the stored value to validate the dynamic content value parameter. The system verifies that the client is not changing the parameter value that the server sets from one request to the next, or using the values from a different user.

By default, the system saves up to 950 values that it finds for a dynamic content value parameter. If the number of values exceeds 950, the system replaces the first-extracted values with the new values.

Creating parameters with dynamic names

Before you can make a parameter with a dynamic name, you must have created a flow parameter.
In some web applications, flow parameters have dynamic names. When you create a parameter with a dynamic name, you also specify the manner in which Application Security Manager discovers the parameter names.
  1. On the Main tab, click Security > Application Security > Parameters.
  2. In the Parameters List, click the name of the flow parameter that you want to have a dynamic name. The Parameter Properties screen opens where you can edit the flow parameter.
  3. For the Parameter Value Type setting, select Dynamic parameter name.
  4. On the Dynamic Parameter Properties tab, for the Extract Parameter from URL setting, select the protocol to use and type the URL from which you want the system to extract the dynamic parameter.
  5. Specify whether the system searches for the parameter name in a form or the response body:
    • To search in forms, select Search Within Form, and specify values for Form Index and Parameter Index.
    • To search in the response body, select Search parameters in response body (in form elements names only). In the By Pattern field, type a regular expression to search for parameter names in input elements in the forms. Select Check parameter value to verify the parameter value in addition to the name matched in the By Pattern field.
  6. Click Update to save the changes.
  7. To put the security policy changes into effect immediately, click Apply Policy.
The system extracts the parameters from the web server responses and then uses the extracted parameters to enforce the dynamic parameter associated with the flow.

Changing character sets for parameter values

The character sets for parameter values are the characters and meta characters that the security policy accepts in a parameter value. You can view and modify the character set that is allowed in a parameter value.
  1. On the Main tab, click Security > Application Security > Parameters > Character Sets > Parameter Value.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Use the View option to filter the character set.
  4. For each character or meta character, change the state, as required.
    State Description
    Allow The security policy permits this character or meta character in parameter values.
    Disallow The security policy does not permit this character or meta character in parameter values.
  5. Click Save to save the changes.
  6. To put the security policy changes into effect immediately, click Apply Policy.
If a request includes a parameter with a disallowed character, the system generates an Illegal parameter violation (if that violation is set to Alarm or Block).

Changing character sets for parameter names

The character sets for parameter names are the characters and meta characters that the security policy accepts in a parameter name. You can view and modify the character set that is allowed in a parameter name.
  1. On the Main tab, click Security > Application Security > Parameters > Character Sets > Parameter Name.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Use the View option to filter the character set.
  4. For each character or meta character, change the state, as required.
    State Description
    Allow The security policy permits this character or meta character in parameter names.
    Disallow The security policy does not permit this character or meta character in parameter names.
  5. Click Save to save the changes.
  6. To put the security policy changes into effect immediately, click Apply Policy.
If a request includes a parameter name with a disallowed character, the system generates an Illegal parameter violation (if that violation is set to Alarm or Block).

Adjusting the parameter level

You can adjust how the system determines what parameters it adds (automatic policy building) or suggests you add (manual policy building) to the security policy. In most cases, you do not need to change the default values of these settings.

  1. On the Main tab, click Security > Application Security > Policy Building > Settings. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the General Policy Building Settings area, for the Parameter Level setting, select the level of parameter to add.
    Option Description
    Global Add parameters at the global level for all URLs in the security policy. Make learning suggestions based on the properties of entities that already exist in the security policy. Default value for Fundamental and Enhanced policy types.
    URL Add parameters at the URL level, only for specific URLs. Make learning suggestions based on real traffic. Default value for Comprehensive policy type.
    Note: This option applies only to the attack signature and illegal meta character violations.
  4. Click Save to save your settings.
  5. To put the security policy changes into effect immediately, click Apply Policy.

The security policy now adds parameters according to the level you specified.

Parameter Value Types

When you add a parameter to the security policy, you specify its parameter value type. The parameter value type indicates the format of the parameter. You can configure global, URL, and flow parameters as any value type, except the dynamic parameter name type. You can configure only flow parameters as dynamic parameter names.

Parameter Value Type Description
Dynamic content value Dynamic parameters are parameters whose values can change, and are often linked to a user session. When you create a new parameter of this type, you must also define dynamic parameter extraction properties. The server sets the value for dynamic content value (DCV) parameters. DCV parameters are often associated with applications that use session IDs for client sessions.
Dynamic parameter name If using flow parameters with names that change dynamically, you can use this parameter type. If you select this type, you also need to specify the URL from which the system can extract dynamic parameter name parameters.
Ignore value If you do not want the system to perform validity checks on the parameter value, select this value type. Regarding signatures, this value type prevents the system from performing parameter-based signature checks on the parameter value, but it does perform other relevant signature checks.
JSON value The JSON value type is for parameters that contain JSON data that is validated according to a JSON profile that defines the format of the data. Select an existing JSON profile or create a new one.
Static content value Static parameters are those that have a known set of values. A list of country names or a yes/no form field are both examples of static parameters. If you select this type, you also need to specify the static values for the parameter in the Parameter Static Values list. For example, a credit card payment parameter in a shopping application may be static and have the static values MasterCard, Visa, and American Express.
User-input value User-input parameters are those that require users to enter or provide some sort of data. This is the most commonly used parameter value type. Comment, name, and phone number fields on an online form are all examples of user-input parameters. You can also configure user-input parameters even if the parameter is not really user input. For example, if a parameter has a wide range of values or many static values, you may want to configure the parameter as a user-input parameter instead of as a static content parameter. By default, the system looks for attack patterns within all alpha-numeric user-input parameters. For each parameter, you can enable or disable a specific attack signature.
XML value XML parameters are those whose parameter value contains XML data that is validated according to an XML profile that defines the format of the data. Select an existing XML profile or create a new one.

About path parameters

Path parameters are parameters that are attached to path segments in the URI. You can configure Application Security Manager (ASM) to enforce path parameters as needed in your organization. Path parameters can be ignored, or treated as parameters, or as an integral part of URLs.

Although path parameters are not widely used, they could serve as covert back doors to potential attacks even for server applications that do not use path parameters. For example, an application could copy a URI with path parameters containing attack signatures to the body of the response.

Path parameters can have multiple parameters in the same path segment separated by semicolons. A semicolon also separates the path segment from the parameters; for example, /path/name;param1;p2;p3. Each parameter can optionally equal a value; for example, param=value;p2. If a path parameter has more than one value, the values are separated by commas, such as param=val1,val2,val3.

Path parameters are extracted from requests, but not from responses.

Enforcing path parameter security

A URI path parameter is the part of a path segment that occurs after its name. You can configure how a security policy handles path parameters that are attached to path segments in URIs. You can enforce different levels of security based on your needs.
  1. On the Main tab, click Security > Application Security > Security Policies. The Active Policies screen opens.
  2. Click the name of the security policy you want to work on. The Properties screen opens.
  3. From the Configuration list, select Advanced.
  4. Scroll down to Handle Path Parameters, and select how you want to treat path parameters in URIs.
    Option Description
    As Parameter The system normalizes and enforces path parameters. For each path parameter, the system removes it from the URL as part of the normalization process, finds a corresponding parameter in the security policy (first at the matching URL level, and if not found, then at the Global level), and enforces it according to its attributes like any other parameter.
    As URL The system does not normalize or enforce path parameters, and treats them as an integral part of the URL.
    Ignore The system removes path parameters from URLs as part of the normalization process, but does not enforce them.
  5. Click Save.
  6. In the editing context area, click Apply Policy to put the changes into effect.
Path parameters in URIs are handled as specified in the security policy properties
Note: The maximum number of path parameters collected in one URI path is 10. All the rest of the parameters (from the eleventh on, counting from left to right) are ignored as parameters, but are still stripped from the URI as part of the normalization process.
.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information