Manual Chapter: Working with Parameters

Parameters are an integral entity in any web application. When you define parameters in a security policy, you are tightening the security for the web application. Application Security Manager evaluates defined parameters, meta characters, query string lengths, and POST data lengths as part of a positive security logic check. The Policy Enforcer verifies parameters in the context of a security policy. In other words, any parameters that you configure in a security policy are enforced only by that security policy.
You can define parameters as global parameters, web object parameters, and flow parameters. For information on configuring global parameters, see Working with global parameters. For information on configuring web object parameters, see Working with web object parameters. For information on configuring flow parameters, see Working with flow parameters.
There are several types of parameters that you can configure: static content, dynamic content, dynamic name, and user-input. You can also configure parameters for which the system does not check or verify the value. With the exception of dynamic parameter names, you can configure a global, object, or flow parameter as any parameter type. The dynamic parameter name type is applicable only to flow parameters. Refer to Understanding parameter types for more information.
Important: This chapter discusses configuring explicit parameters. In Application Security Manager, you can also configure wildcard parameters. Refer to Chapter 8, Working with Wildcard Entities, for more information.
If a parameter is defined more than once in the request context, the Policy Enforcer applies only the more specific definition. For example, suppose the parameter param_1 is defined as a static content global parameter, and also as a user-input object parameter. When Application Security Manager receives a request for the web object on which the object parameter is defined, the Policy Enforcer generates any violations based on the object parameter definition, not the global parameter definition.
When a web application has a parameter that you do not want to define in the context of a web object or a flow, you can define a global parameter. Global parameters are those that do not have an association with a specific web object or application flow. Therefore, you can configure a global parameter once, and the Policy Enforcer enforces the parameter wherever it occurs.
You are configuring a security policy that uses the basic level of security, and you want the Application Security Manager to enforce a specific set of parameters.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. Above the Parameters List area, click the Create button. The New Parameter screen opens.
4. In the Create New Parameter area, for the Parameter Name setting, select an option:
   - If you select Explicit, then in the box, type a parameter name.
   - If you select Wildcard, then in the box, type a pattern string that represents the parameter names. See Configuring wildcard parameters for more information.
   - If you select No Name, the system creates a parameter with the label UNNAMED.
5. For the Parameter Level setting, select Global Parameter.
7. For the Parameter Value Type setting, select the format for the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter types for information on the parameter type options.
8. Click the Create button to add the new global parameter to the security policy.
9. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
There may be times when you need to update the characteristics of a global parameter. This is easily done by editing the parameter properties.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit. The Parameter Properties screen opens.
5. When you have finished, click Update. The system saves any changes you may have made, and returns you to the Parameters List screen.
6. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. In the Parameters List area, in the Select column (far left), check the box next to the global parameter that you want to remove, and then click the Delete button. The system displays a popup confirmation screen.
4. Click OK. The system deletes the parameter.
You define parameters in the context of a web object when a parameter is relevant to that particular object, and you do not want the system to also verify the object's associated flows. That is, you define a web object parameter when it does not matter where the user was before accessing this web object, and when it does not matter whether the parameter arrived in a GET or a POST request. When you define a web object parameter, the Policy Enforcer applies the security policy to the parameter attributes in the context of the associated web object, and ignores the flow information.
When you create a parameter that is associated with a web object, the Policy Enforcer verifies the parameter in the context of the web object.
Important: The following task assumes that the web object for which you want to create a parameter is already configured in the security policy. If this is not the case, refer to Configuring web objects, for information on adding a web object to the configuration.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. Above the Parameters List area, click the Create button. The New Parameter screen opens.
4. In the Create New Parameter area, for the Parameter Name setting, select an option:
   - If you select Explicit, then in the box, type a parameter name.
   - If you select Wildcard, then in the box, type a pattern string that represents the parameter names. See Configuring wildcard parameters for more information.
   - If you select No Name, the system creates a parameter with the label UNNAMED.
5. For the Parameter Level setting, select Object Parameter. The screen refreshes and displays the Object Path setting. For the Object Path setting, select a protocol from the list, and then type the object name in this format:
7. For the Parameter Value Type setting, select the format for the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter types for information on the parameter type options.
8. Click the Create button to add the new object parameter to the security policy.
9. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
There may be times when you need to update the characteristics of a web object parameter. This is easily done by editing the parameter properties.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit. The Parameter Properties screen opens.
5. When you have finished, click Update. The system saves any changes you may have made, and returns you to the Parameters List screen.
6. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
Web applications can change over time, and there may be occasions when you need to delete a parameter from the security policy.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. In the Parameters List area, in the Select column (far left), check the box next to the parameter that you want to remove, and then click the Delete button. The system displays a popup confirmation screen.
4. Click OK. The system deletes the parameter.
5. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
You define parameters in the context of a flow when it is important to enforce that a target object receives a parameter from a specific referrer object. Defining a parameter in the context of a flow is the most specific context, and thus provides the tightest security for the web application.
When you create a parameter that is associated with a flow, the Policy Enforcer verifies the parameter in the context of the flow. For example, if you define a parameter in the context of a GET request, and a client sends a POST request that contains the parameter, the Policy Enforcer generates an Illegal Parameter violation.
You can define flow parameters for very tight, flow-specific security. With this increased protection comes an increase in maintenance and configuration time. Note that if your web application uses dynamic parameters, you manually add those to the security policy.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. Above the Parameters List area, click the Create button. The New Parameter screen opens.
4. In the Create New Parameter area, for the Parameter Name setting, select an option:
   - If you select Explicit, then in the box, type a parameter name.
   - If you select Wildcard, then in the box, type a pattern string that represents the parameter names. See Configuring wildcard parameters for more information.
   - If you select No Name, the system creates a parameter with the label UNNAMED.
5. For the Parameter Level setting, select Flow Parameter. The screen refreshes and displays the flow detail settings:
   - For the From Object setting, select whether the source object in the flow is an entry point or a referrer object.
   - For the Method setting, if you specified a referrer object for the From Object setting, select the HTTP method that applies to the target object.
   - For the To Object setting, if you specified a referrer object for the From Object setting, specify the target object.
6. If the parameter is required in the context of the flow, check the Is Mandatory Parameter setting. Note that only flows can have mandatory parameters. (See Configuring the Is Mandatory Parameter setting for more information.)
8. For the Parameter Value Type setting, select the format for the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter types for information on the parameter type options.
9. Click the Create button to add the new flow parameter to the security policy.
10. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
There may be times when you need to update the characteristics of a flow parameter. This is easily done by editing the parameter properties.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit. The Parameter Properties screen opens.
5. When you have finished, click Update. The system saves any changes you may have made, and returns you to the Parameters List screen.
6. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. In the Parameters List area, in the Select column (far left), check the box next to the parameter that you want to remove, and then click the Delete button. The system displays a popup confirmation screen.
4. Click OK. The system deletes the parameter.
5. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
Parameter characteristics define the individual attributes of the parameter. The parameter characteristics change depending on the type of parameter that you specify.
When you add a parameter to the security policy, you specify the parameter type. The Policy Enforcer then knows in what form to expect the parameter value, and applies the security policy accordingly. You can configure global parameters, web object parameters, and flow parameters as any parameter type, with the exception of the dynamic parameter name type. You can configure only flow parameters as this type.
Ignore value
If you do not want the Policy Enforcer to perform checks on the parameter value, then use this parameter value type.
Static content value
Static parameters are those that have a known set of values. A list of country names, or a yes/no form field are both examples of static parameters. For information on configuring static parameters, see Configuring parameter characteristics for static parameters.
User-input value
User-input parameters are those that require users to enter or provide some sort of data. Comment, name, and phone number fields on an online form are all examples of user-input parameters. You can also configure user-input parameters even if the parameter is not really user input. For example, if a parameter has a wide range for values, or has many static values, you may want to configure the parameter as a user-input parameter instead of a static content parameter. For information on configuring user-input parameters, see Configuring parameter characteristics for user-input parameters.
XML value
XML parameters are those whose parameter value contains XML data. For information on configuring XML parameters, see Associating an XML profile with a parameter.
Dynamic content value
Dynamic parameters are those whose set of values can change, and are often linked to a user session. The server sets the value for dynamic content value (DCV) parameters. DCV parameters are often associated with applications that use session IDs for client sessions. For information on configuring DCV parameters, see Configuring dynamic content value parameters.
Dynamic parameter name
Some dynamic parameters have dynamic names as well as dynamic values. If you want the Policy Enforcer to enforce dynamic names as well as dynamic values, then you can use this parameter type. For information on configuring dynamic parameter names, see Configuring parameter characteristics for dynamic parameter names.
Configuring parameters for a web application can be a lengthy and arduous task. While you can do this manually, as explained throughout the remainder of this chapter, you can also use the Policy Builder and the Learning process to help you discover the parameters and values that are part of your web application. See Chapter 7, Building a Security Policy Automatically with the Policy Builder, and Chapter 12, Refining the Security Policy Using Learning, for more information on these tools.
Static parameters are parameters whose possible values form a known set. For example, the credit card type parameter, for payment in a shopping application, may have the value set of Mastercard®, Visa®, and American Express®. When you configure the static parameter characteristics, you are essentially creating the value set for the parameter.
2. For the Parameter Type setting, select Static content value. The screen refreshes and displays the Parameter Static Values tab.
3. On the Parameter Static Values tab, for the New Static Value setting, type the new value in the Add box.
4. Click the Add button to add the value to the values list.
6. Click the Create button to save the parameter in the configuration.
7. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
User-input parameters are those for which a user can provide a value. For user-input parameters, you can configure the Application Security Manager to verify minimum and maximum values, minimum and maximum lengths, and valid meta characters. The system can also check for attack patterns within the parameter name and value.
User-input parameters can accept many different data types. The data types are: alpha-numeric, binary, decimal, email, integer, and phone. Depending on the data type that you configure, there are additional options that the Policy Enforcer can verify, as noted in the following sections.
Tip: You can configure any parameter as a user-input parameter if you want the system to apply a broader verification to the parameter values.
The alpha-numeric data type specifies that the parameter value can have letters, integers, and the underscore character in it. For this data type, you can specify a maximum length, and you can define the acceptable parameter values as a regular expression. You can also specify one or more meta characters (in addition to the base character set of a-z, A-Z, 0-9), and one or more regular expressions, that are acceptable within the context of the parameter.
Note: If you enable regular expressions for an alpha-numeric parameter, the system may automatically enable certain meta characters (in the Allowed Meta Characters list) that are part of the regular expressions, even if you have not explicitly enabled meta characters for the parameter.
2. For the Parameter Type setting, select User-input value. The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3. On the Data Type tab, for the Data Type setting, select Alpha-Numeric.
   - If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
   - If you want the Policy Enforcer to enforce the parameter value using pattern matching, check the Regular Expression box, and type a regular expression. Note that when you enable this setting, the only values that are acceptable for the parameter are those that exactly match the regular expression pattern that you provide. All other values are considered illegal in the context of this parameter.
4. If you want to make certain meta characters valid, or not valid, as part of the parameter value, click the Value Meta Characters tab. The screen refreshes, and displays the meta characters that are available or assigned to this parameter.
   - From the Available list, select any meta characters that you want to assign to the parameter value, and click the Move button (<<) to add them to the Assigned list. The screen refreshes, and displays the meta characters and the default state for each.
   - In the Assigned list, change the meta character state as required. Select Allowed when the meta character can be in the parameter value. Select Disallowed when the meta character cannot be in the parameter value; a disallowed meta character may trigger the Illegal meta character in parameter value violation.
5. If you want to make certain known attack patterns valid, or not valid, as part of the parameter value, click the Attack Signatures tab. The screen refreshes, and displays the attack patterns that are available or assigned to this parameter.
   - From the Available list, select any attack signatures that you want to assign to the parameter value, and click the Move button (<<) to add them to the Assigned list. The screen refreshes, and displays the attack signatures and the default state for each.
   - In the Assigned list, change the attack signature state as required. Note that the state you select here may override the state assigned at the attack signature set level. Select Disabled when the parameter value is permitted to match the attack signature without raising a violation. Select Enabled when a parameter value that matches the attack signature must be treated as a violation.
6. Click the Create button to add the parameter to the configuration.
7. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The binary data type specifies that the parameter value is data for which the system verifies neither meta characters nor attack signatures. Typically, you use this data type for binary file uploads. Note that for this data type, you specify only a maximum length.
2. For the Parameter Type setting, select User-input value. The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3. On the Data Type tab, for the Data Type setting, select Binary (Length checks only).
4. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
5. Click the Create button to add the parameter to the configuration.
6. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The decimal data type specifies that the parameter value is numeric, and can include integers and decimals only. For this data type, you can specify a minimum value, a maximum value, and a maximum length.
2. For the Parameter Type setting, select User-input value. The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3. On the Data Type tab, for the Data Type setting, select Decimal.
4. If you want the Policy Enforcer to enforce a minimum value for the parameter value, check the Check Minimum Value box, and type a number.
5. If you want the Policy Enforcer to enforce a maximum value for the parameter value, check the Check Maximum Value box, and type a number.
6. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
7. Click the Create button to add the parameter to the configuration.
8. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The email data type specifies that the parameter value is in the email address format. Values for this data type can include letters, numbers, the at meta character (@), the period (.) character, and the underscore (_) character. For this data type you can specify only a maximum length.
Note: We recommend that you use the email data type only if the web application has client-side data validation for the parameter.
2. For the Parameter Type setting, select User-input value. The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3. On the Data Type tab, for the Data Type setting, select Email.
4. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
5. Click the Create button to add the parameter to the configuration.
6. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The integer data type specifies that the parameter value is numeric, and can include only whole numbers. For this data type, you can specify a minimum value, a maximum value, and a maximum length.
2. For the Parameter Type setting, select User-input value. The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3. On the Data Type tab, for the Data Type setting, select Integer.
4. If you want the Policy Enforcer to enforce a minimum value for the parameter value, check the Check Min. Value box, and type a number.
5. If you want the Policy Enforcer to enforce a maximum value for the parameter value, check the Check Max. Value box, and type a number.
6. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
7. Click the Create button to add the parameter to the configuration.
8. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The phone data type specifies that the parameter value is in the phone number format. Values for this data type can include numbers, the hyphen meta character (-), and the parentheses meta characters [( )]. For this data type you can specify only a maximum length.
Note: We recommend that you use the phone data type only if the web application has client-side data validation for the parameter.
2. For the Parameter Type setting, select User-input value. The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3. On the Data Type tab, for the Data Type setting, select Phone.
4. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
5. Click the Create button to add the parameter to the configuration.
6. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The Allow Empty Value setting specifies whether the Policy Enforcer expects the parameter to have a defined value. When this setting is enabled on a parameter, the Policy Enforcer does not generate an Illegal empty parameter value alert if a client request does not provide a value. Conversely, if the Allow Empty Value setting is disabled (which is the default setting), the system generates the Illegal empty parameter value alert if a client request does not provide a value. The Allow Empty Value setting is applicable to global parameters, web object parameters, and flow parameters.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit. The Parameter Properties screen opens.
4. For the Allow Empty Value setting, check or clear the check box as required.
5. When you have finished, click Update. The system saves any changes you may have made, and returns you to the Parameters List screen.
6. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
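The precedence rule (the more specific definition wins, and a flow parameter defined for POST sent in a GET is an Illegal Parameter), the static value set, the user-input data-type checks, and the Allow Empty Value setting, modelled together as an added Python example; this is not F5 code. ParamDef, resolve(), check_value() and check_request() are names chosen here, the sample policy is constructed, and violation labels not quoted in this chapter are made up for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added illustration, not F5 code: a minimal model of the positive-security parameter
# checks this chapter describes. ParamDef, resolve(), check_value() and check_request()
# are names chosen for this example; violation labels not quoted in the chapter are made up.

SPECIFICITY = {"global": 0, "object": 1, "flow": 2}     # the most specific definition wins
ALNUM_BASE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")
CHARSETS = {"email": ALNUM_BASE | set("@."), "phone": set("0123456789-()")}
META = "Illegal meta character in parameter value"


@dataclass
class ParamDef:
    name: str
    level: str                              # "global", "object" or "flow"
    value_type: str                         # "ignore", "static" or "user-input"
    data_type: str = "alpha-numeric"        # user-input data type
    static_values: frozenset = frozenset()  # value set of a static parameter
    max_length: Optional[int] = None        # maximum length in bytes
    min_value: Optional[float] = None       # integer and decimal only
    max_value: Optional[float] = None
    regex: Optional[str] = None             # alpha-numeric: value must match exactly
    allowed_meta: frozenset = frozenset()   # meta characters whose state is Allowed
    allow_empty: bool = False               # the Allow Empty Value setting
    object_path: Optional[str] = None       # object and flow parameters
    method: Optional[str] = None            # flow parameters only


def resolve(defs: List[ParamDef], name: str, path: str, method: str) -> Optional[ParamDef]:
    """Return the most specific definition of `name` that applies to this request context."""
    matching = [
        d for d in defs if d.name == name and (
            d.level == "global"
            or (d.level == "object" and d.object_path == path)
            or (d.level == "flow" and d.object_path == path and d.method == method)
        )
    ]
    return max(matching, key=lambda d: SPECIFICITY[d.level], default=None)


def _chars_ok(value: str, legal: set, allowed_meta: frozenset = frozenset()) -> bool:
    return all(c in legal or c in allowed_meta for c in value)


def check_value(d: ParamDef, value: str) -> List[str]:
    """Return the violations `value` raises against definition `d` (empty list = legal)."""
    if value == "":
        return [] if d.allow_empty else ["Illegal empty parameter value"]
    if d.value_type == "ignore":
        return []
    if d.value_type == "static":
        return [] if value in d.static_values else ["Illegal static parameter value"]
    violations: List[str] = []                  # user-input checks from here on
    if d.max_length is not None and len(value.encode("utf-8")) > d.max_length:
        violations.append("Illegal parameter value length")
    if d.data_type == "alpha-numeric":
        if not _chars_ok(value, ALNUM_BASE, d.allowed_meta):
            violations.append(META)
        if d.regex is not None and re.fullmatch(d.regex, value) is None:
            violations.append("Parameter value does not match regular expression")
    elif d.data_type in CHARSETS:               # email and phone: fixed character sets
        if not _chars_ok(value, CHARSETS[d.data_type]):
            violations.append(META)
    elif d.data_type in ("integer", "decimal"):
        pattern = r"-?\d+" if d.data_type == "integer" else r"-?\d+(\.\d+)?"
        if re.fullmatch(pattern, value) is None:
            violations.append("Illegal parameter data type")
        elif ((d.min_value is not None and float(value) < d.min_value)
              or (d.max_value is not None and float(value) > d.max_value)):
            violations.append("Illegal parameter numeric value")
    # "binary": the length check above is the only check performed
    return violations


def check_request(defs: List[ParamDef], path: str, method: str,
                  params: Dict[str, str]) -> Dict[str, List[str]]:
    """Check every parameter of one request. A name with no applicable definition is an
    Illegal Parameter, e.g. a flow parameter defined for POST that arrives in a GET."""
    result: Dict[str, List[str]] = {}
    for name, value in params.items():
        d = resolve(defs, name, path, method)
        result[name] = ["Illegal Parameter"] if d is None else check_value(d, value)
    return result


# Constructed sample policy: param_1 is a static global parameter and also a user-input
# object parameter on /parameters.php, mirroring the chapter's precedence example.
SAMPLE_POLICY = [
    ParamDef("param_1", "global", "static", static_values=frozenset({"yes", "no"})),
    ParamDef("param_1", "object", "user-input", max_length=8, object_path="/parameters.php"),
    ParamDef("qty", "flow", "user-input", data_type="integer", min_value=1, max_value=99,
             object_path="/cart.php", method="POST"),
    ParamDef("email", "global", "user-input", data_type="email", max_length=40),
    ParamDef("note", "global", "user-input", allowed_meta=frozenset("!"), allow_empty=True),
]
```

Running check_request(SAMPLE_POLICY, "/parameters.php", "GET", {"param_1": "maybe"}) passes because the object definition wins, while the same value on /index.php fails the global static value set.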
The Is Mandatory Parameter setting specifies whether a parameter must be present in a flow. You can configure the Is Mandatory Parameter setting either from the Flow Properties screen of the associated flow, or from the Flow Parameter Properties screen. To change the Is Mandatory Parameter setting from the Flow Parameter Properties screen, refer to Editing the properties of a flow parameter. Use the following procedure to change the Is Mandatory Parameter setting from the Flow Properties screen of the associated flow.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters. The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit. The Parameter Properties screen opens.
4. For the Is Mandatory Parameter setting, check or clear the check box as required.
5. When you have finished, click Update. The system saves any changes you may have made, and returns you to the Parameters List screen.
6. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
XML parameters contain XML data in the parameter value. To perform checks on the XML data, you associate an XML profile with the XML parameter. For details on configuring XML profiles, refer to Chapter 11, Protecting XML-Based Applications.
2. For the Parameter Type setting, select XML value. The screen refreshes and displays the XML Profile tab.
3. For the XML Profile setting, select a profile from the list. Alternately, click the Create button (+) next to XML Profile to configure a new profile.
4. Click the Create button. The screen refreshes and you see the parameter in the list.
5. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
When you configure a dynamic parameter, you also configure the extraction properties for the parameter values. The extraction properties define from where to extract the dynamic parameter values or name, and which method or methods to use for the extraction. When Application Security Manager receives a request that contains a dynamic parameter, the system uses the extraction properties to collect the parameter value or name from the web application's response to the request. Once the system has extracted the dynamic parameter values, the Policy Enforcer knows what to enforce the next time a request contains the dynamic parameter.
Dynamic content value (DCV) parameters are those for which the web application sets the value on the server side. When you configure a DCV parameter in the Application Security Manager, the system verifies that the client is not changing the parameter value, as set by the server, from one request to the next. For example, in an auction application, the price parameter would be a DCV parameter, because you do not want users to tamper with the price value that the server sends to the client.
DCV parameters are often associated with web applications that use sessions. Each user of these applications has unique identifiers, and those identifiers may also change. As a result, the parameters within the web application that help identify the user have dynamic content values.
When you configure a DCV parameter, you also configure the extraction properties for the parameter values. The extraction properties specify the manner in which the Application Security Manager discovers and populates the values for the DCV parameter. By default, the system retains all of the values that it finds for a DCV parameter. In other words, the system does not replace the values it knows about when it extracts a new value.
2. For the Parameter Type setting, select Dynamic content value.
3. Click the Create button. A popup screen opens.
4. Click OK. The Extraction Properties screen opens.
5. Above the Extracted Items Configuration area, select Basic or Advanced (Advanced provides additional configuration options), and then specify from where you want the system to extract the dynamic parameter values. (See Viewing the list of extractions for more information on this setting.)
6. Above the Extraction Methods Configuration area, select Basic or Advanced (Advanced provides additional configuration options), and then specify the method or methods that you want the system to use to extract the dynamic parameter values. (See Understanding the extraction methods configuration for more information on this setting.)
7. Click the Create button to add the new parameter to the configuration.
8. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
Note: You should define the extractions for a DCV parameter before you apply the security policy that includes the parameters. If you do not, when you apply the security policy, the policy validator generates a warning that the security policy contains dynamic parameters that do not have extractions defined.
When you create an extraction for a dynamic parameter, one aspect of the extraction is configuring where, in the response, the system searches for the dynamic parameter. You can configure the system to extract the dynamic parameter values from object types, web objects, and by using pattern matching. Alternately, you can configure the system to extract dynamic parameter values from all items. Table 9.1 describes the extracted items settings.
Object types: Use this setting when you want the system to extract dynamic parameters from files of a certain type. Note that the available object types are those that are already a part of the security policy.
Pattern matching: Use this setting when you want the system to extract dynamic parameters that match a regular expression pattern. Note that this setting is available only when you select Advanced (above the Extracted Items Configuration area).
All items: Use this setting when you want the system to extract dynamic parameters from all text-based objects and object types. Note that this setting is available only when you select Advanced (above the Extracted Items Configuration area).
Another important aspect of the extraction configuration is defining how the system extracts the dynamic parameter, that is, the extraction method. Table 9.2 describes the extraction methods.
Search within form: Use this setting when you want the system to extract dynamic parameter values from a specific frame or parameter within a form. Note that this setting is available only when you select Advanced (above the Extraction Methods Configuration area).
XML entities: Use this setting when you want the system to extract dynamic parameter values from within XML entities. Note that this setting is available only when you select Advanced (above the Extraction Methods Configuration area).
Response body: Use this setting when you want the system to extract dynamic parameter values from the body of a response. Note that this setting is available only when you select Advanced (above the Extraction Methods Configuration area).
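The extraction and enforcement logic described above, as an added Python illustration (not Application Security Manager code): a value issued in a hidden form field and echoed in a script block of a constructed response is extracted by the form method and by a response-body pattern, retained across responses rather than replaced, and then checked against a later request. The response HTML, URLs, object types and parameter names are all constructed for the example.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample response: the server issues a transaction id in a hidden
# form field and echoes it in a script block.
RESPONSE_BODY = """<html><body>
<form action="/checkout" method="post">
  <input type="hidden" name="txn_id" value="A1B2C3">
  <input type="text" name="amount">
</form>
<script>var token = "A1B2C3";</script>
</body></html>"""

class FormInputExtractor(HTMLParser):
    """Collect name/value pairs of <input> elements (the 'search within form' method)."""
    def __init__(self):
        super().__init__()
        self.inputs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") and a.get("value") is not None:
            self.inputs.append((a["name"], a["value"]))

def extract_from_forms(body, param_name):
    parser = FormInputExtractor()
    parser.feed(body)
    return {value for name, value in parser.inputs if name == param_name}

def extract_by_pattern(body, pattern):
    """'Response body' method: every match of a regular expression capture group."""
    return set(re.findall(pattern, body))

def is_extracted_item(url, object_types):
    """'Object types' setting: only responses for the listed file types are searched."""
    path = urlparse(url).path
    ext = path.rsplit(".", 1)[1] if "." in path else ""
    return ext in object_types

class DCVStore:
    """Values learned per DCV parameter. New values are added; known ones are retained."""
    def __init__(self):
        self.values = defaultdict(set)
    def learn(self, param, found):
        self.values[param] |= set(found)
    def check_request(self, params):
        """Violations: a defined DCV parameter sent with a value never seen in a response."""
        return [(k, v) for k, v in params.items()
                if k in self.values and v not in self.values[k]]
```

Parameters that are not defined as DCV parameters (here, amount) are not checked by this store; their enforcement belongs to the other parameter types.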
In some web applications, DCV parameters also have dynamic names. You can use the parameter type, Dynamic parameter name, when you want the Policy Enforcer to enforce the dynamic names as well as dynamic values. Note that the Dynamic parameter name parameter type is applicable only when you are configuring a flow parameter.
When you configure a dynamic parameter name, you also configure the extraction properties. The extraction properties specify the manner in which the Application Security Manager discovers the parameter names.
2. In the Create New Parameter area, for the Parameter Value Type setting, select Dynamic parameter name.
   The screen refreshes, automatically generates a unique name in the Parameter Name setting, and displays the Dynamic Parameter Properties tab.
3. On the Dynamic Parameter Properties tab, for the Extract Parameter from Object setting, specify the web object from which you want the system to extract the dynamic parameter.
   If the parameter is located in a form, select Search Within Form, and specify the form index and parameter index.
   If the parameter is located in the HTTP/S response, select Search parameters in response body (in form elements names only).
   In the By Pattern box, type a regular expression that represents the parameter name pattern.
   Clear the Check parameter value box if you do not want the system to enforce whether the parameter has a value.
5. Click the Create button to add the new parameter to the configuration.
6. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
When you create an extraction by using the Extractions screen, you have the option of associating it with an existing DCV parameter, or creating a new parameter (by typing a new name in step 6 of the following task). If you type a new name, the system automatically creates a new global DCV parameter, because extractions must be associated with a DCV parameter. They cannot exist independently.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
   The Parameters List screen opens.
2. On the menu bar, click Extractions.
   The Extractions screen opens.
3. Above the List of Extractions area, click the Create button.
   The Extraction Properties screen opens.
4. In the Extraction Properties area, for the Name setting, select an existing name, or type a new name in the box. Note that the existing name options are the names of dynamic content value parameters. If you type a new name, you are creating a new global parameter, by default.
5. Above the Extract Items Configuration area, select Basic or Advanced (Advanced provides additional configuration options), and then specify from where you want the system to extract the dynamic parameter values. (See Understanding the extracted items configuration, for more information on this setting.)
6. Above the Extract Methods Configuration area, select Basic or Advanced (Advanced provides additional configuration options), and then specify the method or methods that you want the system to use to extract the dynamic parameter values. (See Understanding the extraction methods configuration, for more information on this setting.)
7. Click the Create button to add the new extraction to the configuration.
8. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
On the Extractions screen, you can review all of the parameter extractions that are configured in the security policy. You can also review the parameter extractions for a specific web object on the properties screen for that web object. See Configuring web objects, for more information on web object properties.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
   The Parameters List screen opens.
2. On the menu bar, click Extractions.
   The Extractions screen opens, where you can view the extractions that are in the security policy.
For each security policy, there is a default character set for parameter names and parameter values. The default character sets correspond to the language encoding that you specified for the web application. The Policy Enforcer enforces the character set based on the state of the character or meta character: Allowed or Disallowed. You can change the enforcement state for the general character set, or within the context of a specific alpha-numeric user-input parameter. For alpha-numeric user-input parameters, you can also specify which characters or meta characters are enforced, as well as override the default state. For more information on configuring alpha-numeric user-input parameters, see Configuring an alpha-numeric user-input parameter.
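The character set enforcement described above, as an added Python illustration (not Application Security Manager code): separate Allowed/Disallowed tables for parameter names and parameter values are applied to each pair of a URL-decoded query string, and a per-parameter override changes the default state for one alpha-numeric user-input parameter. The character sets, parameter names and query strings are constructed for the example.

```python
from urllib.parse import parse_qsl

# Constructed default character sets: enforcement state per character or meta
# character. Characters that are not listed are treated as Allowed.
DEFAULT_VALUE_CHARSET = {"<": "Disallowed", ">": "Disallowed", "'": "Disallowed",
                         '"': "Disallowed", ";": "Disallowed"}
DEFAULT_NAME_CHARSET = {"<": "Disallowed", ">": "Disallowed", "[": "Disallowed",
                        "]": "Disallowed", "'": "Disallowed"}

def disallowed_chars(text, charset):
    """Characters of text whose enforcement state is Disallowed, sorted for stable output."""
    return sorted({c for c in text if charset.get(c) == "Disallowed"})

def enforce_query(query, value_charset=DEFAULT_VALUE_CHARSET,
                  name_charset=DEFAULT_NAME_CHARSET, overrides=None):
    """Check every name=value pair of a query string against the character sets.

    overrides maps a parameter name to per-character states that replace the
    default state for that one alpha-numeric user-input parameter, for example
    {"comment": {"'": "Allowed"}}. Returns (kind, parameter, characters) tuples.
    """
    overrides = overrides or {}
    violations = []
    # parse_qsl URL-decodes, so %27 is checked as the apostrophe it encodes.
    for name, value in parse_qsl(query, keep_blank_values=True):
        bad = disallowed_chars(name, name_charset)
        if bad:
            violations.append(("name", name, bad))
        effective = {**value_charset, **overrides.get(name, {})}
        bad = disallowed_chars(value, effective)
        if bad:
            violations.append(("value", name, bad))
    return violations
```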
The parameter value character set controls the default characters and meta characters that are acceptable in a parameter value.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
   The Parameters List screen opens.
2. From the Character Sets menu, choose Parameter Value.
   The Parameter Value Character Set screen opens.
4. Use the Filter option to display the characters or meta characters that you want to view.
   Allowed: Specifies that the character or meta character can occur in parameter values.
   Disallowed: Specifies that the character or meta character can not occur in parameter values.
6. Click the Save button to save any changes you may have made on this screen.
7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
   A confirmation popup screen opens.
8. Click OK.
   The system applies the updated security policy.
The parameter name character set controls the default characters and meta characters that are acceptable in a parameter name.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
   The Parameters List screen opens.
2. From the Character Sets menu, choose Parameter Name.
   The Parameter Name Character Set screen opens.
4. Use the Filter option to display the characters or meta characters that you want to view.
   Allowed: Specifies that the character or meta character can occur in parameter names.
   Disallowed: Specifies that the character or meta character can not occur in parameter names.
6. Click the Save button to save any changes you may have made on this screen.
7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
   A confirmation popup screen opens.
8. Click OK.
   The system applies the updated security policy.