Parameters are an integral part of any web application, and they need to be protected so clients cannot access them, modify them, or view sensitive data. When you define parameters in a security policy, you increase the security of the web application and prevent web parameter tampering.
Application Security Manager™ evaluates parameters, meta characters, query string lengths, and POST data lengths as part of a positive security logic check. When the security policy includes known parameters, you are creating a whitelist of acceptable parameters. The system allows traffic that includes the parameters that you configure in a security policy.
Security policies can include parameters defined as global parameters, URL parameters, and flow parameters. You can further specify parameters as being particular value types: static content, dynamic content, dynamic parameter name, user-input, JSON, or XML. You can also create parameters for which the system does not check or verify the value.
You can also use DCV parameters for user identities in web applications that use sessions. As an example, user identity is often passed between pages as a hidden parameter, which could be exploited by malicious users, unless protected.
|Use This Option||When|
|File Types||You want the system to extract dynamic parameters from responses to requests for certain file types that exist in the security policy. Select the file type and click Add.|
|URLs||You want the system to extract dynamic parameters from responses to requests for the listed URLs. To add the URLs, select the protocol, type the URL and click Add. If the URL is not in the security policy, it is added.|
|RegExp||You want the system to extract dynamic parameters from responses to requests that match a regular expression pattern.|
|Extract From All Items||You want the system to extract dynamic parameters from all text-based URLs and file types.|
|Select This Option||When|
|Search in Links||You want the system to extract dynamic parameter values from links (href tags) within the server response to a URL.|
|Search Entire Form||You want the system to extract dynamic parameter values from all parameters in a form in the HTML response to a requested URL.|
|Search Within Form||You want the system to extract dynamic parameter values from a specific parameter within in a form. Also specify the Form Index and the Parameter Index.|
|Search in XML||You want the system to extract dynamic parameter values from within XML entities. Type the XPath specification in the XPath field.|
|Search in Response Body||You want to the system to search for dynamic parameter values in the body of the response. You can also specify how many incidents the system should find, a prefix, a RegExp value, or a prefix to search for.|
By default, the system saves up to 950 values that it finds for a dynamic content value parameter. If the number of values exceeds 950, the system replaces the first-extracted values with the new values.
|Allow||The security policy permits this character or meta character in parameter values.|
|Disallow||The security policy does not permit this character or meta character in parameter values.|
|Allow||The security policy permits this character or meta character in parameter names.|
|Disallow||The security policy does not permit this character or meta character in parameter names.|
You can adjust how the system determines what parameters it adds (automatic policy building) or suggests you add (manual policy building) to the security policy. In most cases, you do not need to change the default values of these settings.
|Global||Add parameters at the global level for all URLs in the security policy. Make learning suggestions based on the properties of entities that already exist in the security policy. Default value for Fundamental and Enhanced policy types.|
|URL||Add parameters at the URL level, only for specific URLs. Make
learning suggestions based on real traffic. Default value for
Note: This option applies only to the attack signature and illegal meta character violations.
The security policy now adds parameters according to the level you specified.
When you add a parameter to the security policy, you specify its parameter value type. The parameter value type indicates the format of the parameter. You can configure global, URL, and flow parameters as any value type, except the dynamic parameter name type. You can configure only flow parameters as dynamic parameter names.
|Parameter Value Type||Description|
|Dynamic content value||Dynamic parameters are parameters whose values can change, and are often linked to a user session. When you create a new parameter of this type, you must also define dynamic parameter extraction properties. The server sets the value for dynamic content value (DCV) parameters. DCV parameters are often associated with applications that use session IDs for client sessions.|
|Dynamic parameter name||If using flow parameters with names that change dynamically, you can use this parameter type. If you select this type, you also need to specify the URL from which the system can extract dynamic parameter name parameters.|
|Ignore value||If you do not want the system to perform validity checks on the parameter value, select this value type. Regarding signatures, this value type prevents the system from performing parameter-based signature checks on the parameter value, but it does perform other relevant signature checks.|
|JSON value||The JSON value type is for parameters that contain JSON data that is validated according to a JSON profile that defines the format of the data. Select an existing JSON profile or create a new one.|
|Static content value||Static parameters are those that have a known set of values. A list of country names or a yes/no form field are both examples of static parameters. If you select this type, you also need to specify the static values for the parameter in the Parameter Static Values list. For example, a credit card payment parameter in a shopping application may be static and have the static values MasterCard®, Visa®, and American Express®.|
|User-input value||User-input parameters are those that require users to enter or provide some sort of data. This is the most commonly used parameter value type. Comment, name, and phone number fields on an online form are all examples of user-input parameters. You can also configure user-input parameters even if the parameter is not really user input. For example, if a parameter has a wide range of values or many static values, you may want to configure the parameter as a user-input parameter instead of as a static content parameter. By default, the system looks for attack patterns within all alpha-numeric user-input parameters. For each parameter, you can enable or disable a specific attack signature.|
|XML value||XML parameters are those whose parameter value contains XML data that is validated according to an XML profile that defines the format of the data. Select an existing XML profile or create a new one.|
Path parameters are parameters that are attached to path segments in the URI. You can configure Application Security Manager™ (ASM) to enforce path parameters as needed in your organization. Path parameters can be ignored, or treated as parameters, or as an integral part of URLs.
Although path parameters are not widely used, they could serve as covert back doors to potential attacks even for server applications that do not use path parameters. For example, an application could copy a URI with path parameters containing attack signatures to the body of the response.
Path parameters can have multiple parameters in the same path segment separated by semicolons. A semicolon also separates the path segment from the parameters; for example, /path/name;param1;p2;p3. Each parameter can optionally equal a value; for example, param=value;p2. If a path parameter has more than one value, the values are separated by commas, such as param=val1,val2,val3.
Path parameters are extracted from requests, but not from responses.
|As Parameter||The system normalizes and enforces path parameters. For each path parameter, the system removes it from the URL as part of the normalization process, finds a corresponding parameter in the security policy (first at the matching URL level, and if not found, then at the Global level), and enforces it according to its attributes like any other parameter.|
|As URL||The system does not normalize or enforce path parameters, and treats them as an integral part of the URL.|
|Ignore||The system removes path parameters from URLs as part of the normalization process, but does not enforce them.|