Manual Chapter 11: Working with Parameters
Parameters are an integral entity in any web application. When you define parameters in a security policy, you are tightening the security for the web application. Application Security Manager evaluates defined parameters, meta characters, query string lengths, and POST data lengths as part of a positive security logic check. The Security Enforcer verifies parameters in the context of a security policy. In other words, any parameters that you configure in a security policy are enforced only by that security policy.
You can define parameters as global parameters, URL parameters, and flow parameters. For information on configuring global parameters, see Working with global parameters. For information on configuring URL parameters, see Working with URL parameters. For information on configuring flow parameters, see Working with flow parameters.
There are several types of parameters that you can configure: static content, dynamic content, dynamic name, and user-input. You can also configure parameters for which the system does not check or verify the value. With the exception of dynamic parameter names, you can configure a global, URL, or flow parameter as any parameter type. The dynamic parameter name type is applicable only to flow parameters. Refer to Understanding parameter types for more information.
Important: This chapter discusses configuring explicit parameters. In Application Security Manager, you can also configure wildcard parameters. Refer to Chapter 10, Working with Wildcard Entities, for more information.
If a parameter is defined more than once in the request context, the Security Enforcer applies only the most specific definition: a flow parameter takes precedence over a URL parameter, and a URL parameter over a global parameter. For example, the parameter param_1 is defined as a static content global parameter, and also defined as a user-input URL parameter. When the Application Security Manager receives a request for that URL containing param_1, the Security Enforcer generates any violations based on the URL parameter definition, not the global one.
When a web application has a parameter that you do not want to define in the context of a URL or a flow, you can define a global parameter. Global parameters are those that do not have an association with a specific URL or application flow. Therefore, you can configure a global parameter once, and the Security Enforcer enforces the parameter wherever it occurs.
You are configuring a security policy that uses the basic level of security, and you want the Application Security Manager to enforce a specific set of parameters.
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
Above the Parameters List area, click the Create button.
The New Parameter screen opens.
4.
In the Create New Parameter area, for the Parameter Name setting, select an option:
If you select Explicit, then in the box, type a parameter name.
If you select Wildcard, then in the box, type a pattern string that represents the parameter names. See Configuring wildcard parameters, for more information.
If you select No Name, the system creates a parameter with the label, UNNAMED.
5.
For the Parameter Level setting, select Global Parameter.
7.
For the Parameter Value Type setting, select the format for the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter types, for information on the parameter types options.
8.
Click the Create button to add the new global parameter to the security policy.
9.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
There may be times when you need to update the characteristics of a global parameter. This is easily done by editing the parameter properties.
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
The Parameter Properties screen opens.
5.
When you have finished, click Update.
The system saves any changes you may have made, and returns you to the Parameters List screen.
6.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
In the Parameters List area, in the Select column (far left), check the box next to the global parameter that you want to remove, and then click the Delete button.
The system displays a popup confirmation screen.
4.
Click OK.
The system deletes the parameter.
You define parameters in the context of a URL when a parameter is relevant to that particular URL, and you do not want the system to also verify the URL's associated flows. That is, you define a URL parameter when it does not matter where the user was before accessing this URL, and when it does not matter whether the parameter arrives in a GET or a POST request. When you define a URL parameter, the Security Enforcer applies the security policy to the parameter attributes in the context of the associated URL, and ignores the flow information.
When you create a parameter that is associated with a URL, the Security Enforcer verifies the parameter in the context of the URL.
Important: The following task assumes that the URL for which you want to create a parameter is already configured in the security policy. If this is not the case, refer to Configuring URLs, for information on adding a URL to the configuration.
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
Above the Parameters List area, click the Create button.
The New Parameter screen opens.
4.
In the Create New Parameter area, for the Parameter Name setting, select an option:
If you select Explicit, then in the box, type a parameter name.
If you select Wildcard, then in the box, type a pattern string that represents the parameter names. See Configuring wildcard parameters, for more information.
If you select No Name, the system creates a parameter with the label, UNNAMED.
5.
For the Parameter Level setting, select URL Parameter.
The screen refreshes and displays the URL Path setting.
For the URL Path setting, select a protocol from the list, and then type the URL name in this format:
7.
For the Parameter Value Type setting, select the format for the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter types, for information on the parameter types options.
8.
Click the Create button to add the new URL parameter to the security policy.
9.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
There may be times when you need to update the characteristics of a URL parameter. This is easily done by editing the parameter properties.
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
The Parameter Properties screen opens.
5.
When you have finished, click Update.
The system saves any changes you may have made, and returns you to the Parameters List screen.
6.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
Web applications can change over time, and there may be occasions when you need to delete a parameter from the security policy.
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
In the Parameters List area, in the Select column (far left), check the box next to the parameter that you want to remove, and then click the Delete button.
The system displays a popup confirmation screen.
4.
Click OK.
The system deletes the parameter.
5.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
You define parameters in the context of a flow when it is important to enforce that a target URL receives a parameter from a specific referrer URL. Defining a parameter in the context of a flow is the most specific context, and thus provides the tightest security for the web application.
When you create a parameter that is associated with a flow, the Security Enforcer verifies the parameter in the context of the flow (see Configuring flows, for more information). For example, if you define a parameter in the context of a GET request, and a client sends a POST request that contains the parameter, the Security Enforcer generates an Illegal Parameter violation.
You can define flow parameters for very tight, flow-specific security. With this increased protection comes an increase in maintenance and configuration time. Note that if your web application uses dynamic parameters, you manually add those to the security policy.
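The precedence rule (flow, then URL, then global) and the flow-context check described above, modelled as an added example in Python. This is not F5 code: the class names, the constructed policy, and the violation string Mandatory parameter is missing are assumptions; Illegal Parameter and Illegal static parameter value are the names this chapter uses.

```python
"""Model of how a positive-security policy picks the parameter definition that
applies to a request (flow > URL > global) and what it reports when a flow
parameter arrives outside its flow. Added example, not F5 code; names and the
policy below are assumptions built for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ParamDef:
    name: str
    level: str                                # "global", "url" or "flow"
    static_values: frozenset = frozenset()    # empty = user-input, no value check here
    url: Optional[str] = None                 # URL/flow parameters: the URL they belong to
    from_url: Optional[str] = None            # flow parameters: referrer URL, or "entry"
    method: Optional[str] = None              # flow parameters: method of the target URL
    mandatory: bool = False                   # flow parameters only


@dataclass
class Request:
    method: str
    url: str
    referrer: Optional[str]
    params: dict


SPECIFICITY = {"global": 0, "url": 1, "flow": 2}


def definition_matches(d: ParamDef, r: Request) -> bool:
    """A definition applies only inside its own context."""
    if d.level == "global":
        return True
    if d.level == "url":
        return d.url == r.url
    # flow: target URL, method and referrer (or entry point) must all match
    referrer_ok = (r.referrer is None) if d.from_url == "entry" else (d.from_url == r.referrer)
    return d.url == r.url and d.method == r.method and referrer_ok


def resolve(defs, r: Request, name: str) -> Optional[ParamDef]:
    """Most specific matching definition, or None if the parameter is unknown here."""
    candidates = [d for d in defs if d.name == name and definition_matches(d, r)]
    return max(candidates, key=lambda d: SPECIFICITY[d.level], default=None)


def evaluate(defs, r: Request) -> list:
    violations = []
    for name, value in r.params.items():
        d = resolve(defs, r, name)
        if d is None:
            # e.g. a GET-flow parameter sent in a POST: no definition applies
            violations.append(("Illegal Parameter", name))
        elif d.static_values and value not in d.static_values:
            violations.append(("Illegal static parameter value", name))
    for d in defs:
        if d.level == "flow" and d.mandatory and definition_matches(d, r) and d.name not in r.params:
            violations.append(("Mandatory parameter is missing", d.name))   # assumed name
    return violations


# Constructed policy: param_1 is static globally but user-input on /search.php;
# item_id exists only in the GET flow /item.php -> /bid.php and is mandatory there.
POLICY = [
    ParamDef("param_1", "global", static_values=frozenset({"yes", "no"})),
    ParamDef("param_1", "url", url="/search.php"),
    ParamDef("item_id", "flow", url="/bid.php", from_url="/item.php", method="GET", mandatory=True),
]

if __name__ == "__main__":
    for req in (Request("GET", "/search.php", None, {"param_1": "maybe"}),
                Request("GET", "/index.php", None, {"param_1": "maybe"}),
                Request("POST", "/bid.php", "/item.php", {"item_id": "7"})):
        print(req.method, req.url, req.params, "->", evaluate(POLICY, req) or "ok")
```

The same value "maybe" is accepted on /search.php, where the URL-level user-input definition wins, and rejected on /index.php, where only the global static definition applies.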
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
Above the Parameters List area, click the Create button.
The New Parameter screen opens.
4.
In the Create New Parameter area, for the Parameter Name setting, select an option:
If you select Explicit, then in the box, type a parameter name.
If you select Wildcard, then in the box, type a pattern string that represents the parameter names. See Configuring wildcard parameters, for more information.
If you select No Name, the system creates a parameter with the label, UNNAMED.
5.
For the Parameter Level setting, select Flow Parameter.
The screen refreshes and displays flow detail settings.
For the From URL setting, select whether the source URL in the flow is an entry point or a referrer URL (the referrer URL must already be defined in the policy).
For the Method setting, if you specified a referrer URL for the From URL setting, select the HTTP method that applies to the target URL.
For the To URL setting, if you specified a referrer URL for the From URL setting, specify the target URL.
6.
If the parameter is required in the context of the flow, check the Is Mandatory Parameter setting. Note that only flows can have mandatory parameters. (See Configuring the Is Mandatory Parameter setting, for more information.)
8.
For the Parameter Value Type setting, select the format for the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter types, for information on the parameter types options.
9.
Click the Create button to add the new flow parameter to the security policy.
10.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
There may be times when you need to update the characteristics of a flow parameter. This is easily done by editing the parameter properties.
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
The Parameter Properties screen opens.
5.
When you have finished, click Update.
The system saves any changes you may have made, and returns you to the Parameters List screen.
6.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
In the Parameters List area, in the Select column (far left), check the box next to the parameter that you want to remove, and then click the Delete button.
The system displays a popup confirmation screen.
4.
Click OK.
The system deletes the parameter.
5.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
Parameter characteristics define the individual attributes of the parameter. The parameter characteristics change depending on the type of parameter that you specify.
When you add a parameter to the security policy, you specify the parameter type. The Security Enforcer then knows in what form to expect the parameter value, and applies the security policy accordingly. For a static content parameter, if the value in a request is not among the configured values, the Application Security Manager generates an Illegal static parameter value violation.
You can configure global parameters, URL parameters, and flow parameters as any parameter type, with the exception of the dynamic parameter name type. You can configure only flow parameters as this type.
Ignore value
If you do not want the Security Enforcer to perform checks on the parameter value, then use this parameter value type.
Static content value
Static parameters are those that have a known set of values. A list of country names, or a yes/no form field are both examples of static parameters. For information on configuring static parameters, see Configuring parameter characteristics for static parameters.
User-input value
User-input parameters are those that require users to enter or provide some sort of data. Comment, name, and phone number fields on an online form are all examples of user-input parameters. You can also configure user-input parameters even if the parameter is not really user input. For example, if a parameter has a wide range for values, or has many static values, you may want to configure the parameter as a user-input parameter instead of a static content parameter. For information on configuring user-input parameters, see Configuring parameter characteristics for user-input parameters.
XML value
XML parameters are those whose parameter value contains XML data. For information on configuring XML parameters, see Associating an XML profile with a parameter.
Dynamic content value
Dynamic parameters are those whose set of values can change, and are often linked to a user session. The server sets the value for dynamic content value (DCV) parameters. DCV parameters are often associated with applications that use session IDs for client sessions. For information on configuring DCV parameters, see Configuring dynamic content value parameters.
Dynamic parameter name
Some dynamic parameters have dynamic names as well as dynamic values. If you want the Security Enforcer to enforce dynamic names as well as dynamic values, then you can use this parameter type. For information on configuring dynamic parameter names, see Configuring parameter characteristics for dynamic parameter names.
Configuring parameters for a web application can be a lengthy and arduous task. While you can do this manually, as explained throughout the remainder of this chapter, you can also use the Policy Builder and the Learning process to help you discover the parameters and values that are part of your web application. See Chapter 6, Building a Security Policy Automatically with the Policy Builder, and Chapter 14, Refining the Security Policy Using Learning, for more information on these tools.
Static parameters are parameters whose possible values form a known set. For example, the credit card type parameter, for payment in a shopping application, may have the value set of Mastercard®, Visa®, and American Express®. When you configure the static parameter characteristics, you are creating the value set for the parameter; any other value generates a violation.
2.
For the Parameter Type setting, select Static content value.
The screen refreshes and displays the Parameter Static Values tab.
3.
On the Parameter Static Values tab, for the New Static Value setting, type the new value in the Add box.
4.
Click the Add button to add the value to the values list.
6.
Click the Create button to save the parameter in the configuration.
7.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
User-input parameters are those for which a user can provide a value. For user-input parameters, you can configure the Application Security Manager to verify minimum and maximum values, minimum and maximum lengths, and valid meta characters. The system can also check for attack patterns within the parameter name and value.
User-input parameters can accept many different data types. The data types are: alpha-numeric, binary, decimal, email, integer, and phone. Depending on the data type that you configure, there are additional options that the Security Enforcer can verify, as noted in the following sections.
Tip: You can configure any parameter as a user-input parameter if you want the system to apply a broader verification to the parameter values, such as minimum and maximum value or maximum length.
The alpha-numeric data type specifies that the parameter value can contain letters, digits, and the underscore character. For this data type, you can specify a maximum length, and you can define the acceptable parameter values as a regular expression. You can also specify one or more meta characters (in addition to the base character set of a-z, A-Z, 0-9 and underscore), and one or more regular expressions, that are acceptable within the context of the parameter.
Note: If you enable a regular expression for an alpha-numeric parameter, the system may automatically enable, in the Allowed Meta Characters list, meta characters that appear in the regular expression, even if you have not explicitly enabled them for the parameter. Because the meta character check and the regular expression check both apply to the value, a meta character that the regular expression requires but that remains disallowed means no value can satisfy both checks: a value that passes the meta character check then generates a Parameter value does not comply with regular expression violation. After enabling a regular expression, review the parameter's Allowed Meta Characters list.
2.
For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3.
On the Data Type tab, for the Data Type setting, select Alpha-Numeric.
If you want the Security Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
If you want the Security Enforcer to enforce the parameter value using pattern matching, check the Regular Expression box, and type a regular expression. Note that when you enable this setting, the only values that are acceptable for the parameter are those that exactly match the regular expression pattern that you provide. All other values are considered illegal in the context of this parameter.
4.
If you want to make certain meta characters valid, or not valid, as part of the parameter value, click the Value Meta Characters tab.
The screen refreshes, and displays the meta characters that are available or assigned to this parameter.
From the Global Security Policy Settings list, select any meta characters that you want to assign to the parameter value, and click the Move button (<<) to add them to the Overridden Security Policy Settings list.
The screen refreshes, and displays the meta characters and the default state for each.
In the Overridden Security Policy Settings list, change the meta character state as required.
Select Allowed when the meta character can be in the parameter value.
Select Disallowed when the meta character cannot be in the parameter value, and may trigger the Illegal meta character in parameter value violation.
5.
If you want to make certain known attack patterns valid, or not valid, as part of the parameter value, click the Attack Signatures tab.
The screen refreshes, and displays the attack patterns that are available or assigned to this parameter.
From the Global Security Policy Settings list, select any attack signatures that you want to assign to the parameter value, and click the Move button (<<) to add them to the Overridden Security Policy Settings list.
The screen refreshes, and displays the attack signatures and the default state for each.
In the Overridden Security Policy Settings list, change the attack signature state as required. Note that the state you select here overrides, for this parameter only, the state assigned at the attack signature set level.
Select Enabled when the system should check the parameter value against the attack signature; a value that matches generates a violation.
Select Disabled when the parameter value is permitted to match the attack signature, for example a field that legitimately carries content the signature would otherwise flag. Disable signatures sparingly, because the exemption applies to every request that carries the parameter.
6.
Click the Create button to add the parameter to the configuration.
7.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The binary data type specifies that the parameter value is text for which the system does not verify meta characters or attack signatures. Typically, you use this data type for binary file uploads. Note that for this data type, you specify only a maximum length, and that length check is the only check the Security Enforcer applies to the value.
2.
For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3.
On the Data Type tab, for the Data Type setting, select Binary (Length checks only).
4.
If you want the Security Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
5.
Click the Create button to add the parameter to the configuration.
6.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The decimal data type specifies that the parameter value is numeric, and can include whole numbers and decimal fractions only. For this data type, you can specify a minimum value, a maximum value, and a maximum length.
2.
For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3.
On the Data Type tab, for the Data Type setting, select Decimal.
4.
If you want the Security Enforcer to enforce a minimum value for the parameter value, check the Check Minimum Value box, and type a number.
5.
If you want the Security Enforcer to enforce a maximum value for the parameter value, check the Check Maximum Value box, and type a number.
6.
If you want the Security Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
7.
Click the Create button to add the parameter to the configuration.
8.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The email data type specifies that the parameter value is in the email address format. Values for this data type can include letters, numbers, the at meta character (@), the period (.) character, and the underscore (_) character. For this data type you can specify only a maximum length.
Note: We recommend that you use the email data type only if the web application has client-side data validation for the parameter.
2.
For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3.
On the Data Type tab, for the Data Type setting, select Email.
4.
If you want the Security Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
5.
Click the Create button to add the parameter to the configuration.
6.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The integer data type specifies that the parameter value is numeric, and can include only whole numbers. For this data type, you can specify a minimum value, a maximum value, and a maximum length.
2.
For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3.
On the Data Type tab, for the Data Type setting, select Integer.
4.
If you want the Security Enforcer to enforce a minimum value for the parameter value, check the Check Min. Value box, and type a number.
5.
If you want the Security Enforcer to enforce a maximum value for the parameter value, check the Check Max. Value box, and type a number.
6.
If you want the Security Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
7.
Click the Create button to add the parameter to the configuration.
8.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The phone data type specifies that the parameter value is in the phone number format. Values for this data type can include numbers, the hyphen meta character (-), and the parentheses meta characters [( )]. For this data type you can specify only a maximum length.
Note: We recommend that you use the phone data type only if the web application has client-side data validation for the parameter.
2.
For the Parameter Type setting, select User-input value.
The screen refreshes and displays the Data Type tab, the Value Meta Characters tab, and the Attack Signatures tab.
3.
On the Data Type tab, for the Data Type setting, select Phone.
4.
If you want the Security Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
5.
Click the Create button to add the parameter to the configuration.
6.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The Allow Empty Value setting specifies whether the Security Enforcer expects the parameter to have a defined value. When this setting is enabled on a parameter, the Security Enforcer does not generate an Illegal empty parameter value alert if a client request does not provide a value. Conversely, if the Allow Empty Value setting is disabled (which is the default setting), the system generates the Illegal empty parameter value alert if a client request does not provide a value. The Allow Empty Value setting is applicable to global parameters, URL parameters, and flow parameters.
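The user-input data type checks, meta character and regular expression handling, attack signature overrides, and the Allow Empty Value setting described in the preceding sections, as one added Python example. This is not F5 code: the class and function names are assumptions, the two signature patterns are constructed for illustration and are not the product's signature set, and the violation strings other than Illegal empty parameter value, Illegal meta character in parameter value and Parameter value does not comply with regular expression are assumed names.

```python
"""Validate a user-input parameter value the way this chapter describes:
data type, maximum length in bytes, min/max value, allowed meta characters,
regular expression, attack signatures and Allow Empty Value. Added example,
not F5 code; names, signature patterns and most violation strings are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, illustrative signature patterns (not the product's signature set).
ATTACK_SIGNATURES = {
    "sql_union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
}
ALNUM_BASE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")


@dataclass
class UserInputParam:
    name: str
    data_type: str                                 # alpha-numeric | binary | decimal | email | integer | phone
    max_length: Optional[int] = None               # bytes
    min_value: Optional[float] = None
    max_value: Optional[float] = None
    regex: Optional[str] = None                    # alpha-numeric only; must match the whole value
    allowed_meta: frozenset = frozenset()          # characters permitted beyond ALNUM_BASE
    allow_empty: bool = False                      # Allow Empty Value setting
    disabled_signatures: frozenset = frozenset()   # signatures overridden to Disabled


def check_value(p: UserInputParam, value: str) -> list:
    v = []
    if value == "":
        return [] if p.allow_empty else ["Illegal empty parameter value"]
    if p.max_length is not None and len(value.encode("utf-8")) > p.max_length:
        v.append("Illegal parameter value length")
    if p.data_type == "binary":
        return v                                   # length check only, no signatures
    if p.data_type in ("integer", "decimal"):
        pat = r"-?\d+" if p.data_type == "integer" else r"-?\d+(\.\d+)?"
        if not re.fullmatch(pat, value):
            v.append("Illegal parameter data type")
        else:
            n = float(value)
            if (p.min_value is not None and n < p.min_value) or \
               (p.max_value is not None and n > p.max_value):
                v.append("Illegal parameter numeric value")
    elif p.data_type == "email":                   # letters, digits, @ . _ per the chapter
        if not re.fullmatch(r"[A-Za-z0-9_.]+@[A-Za-z0-9_.]+", value):
            v.append("Illegal parameter data type")
    elif p.data_type == "phone":                   # digits, hyphen, parentheses
        if not re.fullmatch(r"[0-9()\-]+", value):
            v.append("Illegal parameter data type")
    elif p.data_type == "alpha-numeric":
        # meta character check and regex check are independent: both run
        if any(c not in ALNUM_BASE and c not in p.allowed_meta for c in value):
            v.append("Illegal meta character in parameter value")
        if p.regex is not None and not re.fullmatch(p.regex, value):
            v.append("Parameter value does not comply with regular expression")
    else:
        raise ValueError(f"unknown data type {p.data_type!r}")
    for sig, pattern in ATTACK_SIGNATURES.items():
        if sig not in p.disabled_signatures and pattern.search(value):
            v.append(f"Attack signature detected ({sig})")
    return v


if __name__ == "__main__":
    qty = UserInputParam("qty", "integer", max_length=4, min_value=1, max_value=100)
    comment = UserInputParam("comment", "alpha-numeric", allowed_meta=frozenset(" .,"), allow_empty=True)
    for p, val in ((qty, "42"), (qty, "0"), (qty, ""), (comment, ""), (comment, "<script>alert(1)</script>")):
        print(p.name, repr(val), "->", check_value(p, val) or "ok")
```

The zip-code case in the test below reproduces the note on regular expressions: with the hyphen left disallowed, a value that satisfies the pattern still fails the meta character check.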
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
The Parameter Properties screen opens.
4.
For the Allow Empty Value setting, check or clear the check box as required.
5.
When you have finished, click Update.
The system saves any changes you may have made, and returns you to the Parameters List screen.
6.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
The Is Mandatory Parameter setting specifies whether a parameter must be present in a flow; it applies only to flow parameters. You can configure the setting either from the Flow Properties screen of the associated flow (see Configuring flows), or from the properties screen of the flow parameter, as in the following procedure.
1.
On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
The Parameters List screen opens.
3.
In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
The Parameter Properties screen opens.
4.
For the Is Mandatory Parameter setting, check or clear the check box as required.
5.
When you have finished, click Update.
The system saves any changes you may have made, and returns you to the Parameters List screen.
6.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
XML parameters contain XML data in the parameter value. To perform checks on the XML data, you associate an XML profile with the XML parameter. For details on configuring XML profiles, refer to Chapter 13, Protecting XML-Based Applications.
2.
For the Parameter Type setting, select XML value.
The screen refreshes and displays the XML Profile tab.
3.
For the XML Profile setting, select a profile from the list. Alternatively, click the Create button (+) next to XML Profile to configure a new profile.
4.
Click the Create button.
The screen refreshes and you see the parameter in the list.
5.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
When you configure a dynamic parameter, you also configure the extraction properties for the parameter values. The extraction properties define from where to extract the dynamic parameter values or name, and which method or methods to use for the extraction. When the Application Security Manager receives a request for an entity (for example, a file type or URL) that is configured as an extraction source for a dynamic parameter, the system uses the extraction properties to collect the parameter value or name from the web application's response to that request. Once the system has extracted the dynamic parameter values, the Security Enforcer knows what to enforce the next time a request contains the dynamic parameter.
Dynamic content value (DCV) parameters are those for which the web application sets the value on the server side. When you configure a DCV parameter in the Application Security Manager, the system verifies that the client is not changing the parameter value, as set by the server, from one request to the next. For example, in an auction application, the price parameter would be a DCV parameter, because you do not want users to tamper with the price value that the server sends to the client.
DCV parameters are often associated with web applications that use sessions. Each user of these applications has unique identifiers, and those identifiers may also change. As a result, the parameters within the web application that help identify the user have dynamic content values. For example, user identity is often passed between pages as a hidden form parameter; because a client can edit a hidden field as easily as a visible one, such parameters are likely targets for tampering.
When you configure a DCV parameter, you also configure the extraction properties for the parameter values. The extraction properties specify the manner in which the Application Security Manager discovers and populates the values for the DCV parameter.
By default, the system retains every value that it finds for a DCV parameter until the number of values reaches 950. Beyond that, the Application Security Manager replaces the first-extracted values with newly extracted ones, so the oldest learned values stop being accepted. When there are fewer than 950 values, extracting a new value does not displace any value the system already knows.
2.
For the Parameter Type setting, select Dynamic content value.
3.
Click the Create button.
A popup screen opens.
4.
Click OK.
The Extraction Properties screen opens.
5.
Above the Extracted Items Configuration area, select Basic or Advanced (Advanced provides additional configuration options), and then specify from where you want the system to extract the dynamic parameter values. (See the description of the extracted items settings in Table 11.1, for more information on this setting.)
6.
Above the Extraction Methods Configuration area, select Basic or Advanced (Advanced provides additional configuration options), and then specify the method or methods that you want the system to use to extract the dynamic parameter values. (See Understanding the extraction methods configuration, for more information on this setting.)
7.
Click the Create button to add the new parameter to the configuration.
8.
Click the Update button to update the policy.
9.
In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
Note: You should define the extractions for a DCV parameter before you apply the security policy that includes the parameters. If you do not, when you apply the security policy, the policy validator generates a warning that the security policy contains dynamic parameters that do not have extractions defined.
When you create an extraction for a dynamic parameter, one aspect of the extraction is configuring where, in the server responses, the system searches for the dynamic parameter. You can configure the system to extract the dynamic parameter values from file types, URLs, and by using pattern matching. Alternately, you can configure the system to extract dynamic parameter values from all items. Table 11.1 describes the extracted items settings.
Use this setting when you want the system to extract dynamic parameters from files of a certain type. Note that the available file types are those that are already a part of the security policy.
Use this setting when you want the system to extract dynamic parameters that match a regular expression pattern. Note that this setting is available only when you select Advanced (above the Extracted Items Configuration area).
Use this setting when you want the system to extract dynamic parameters from all text-based URLs and file types. Note that this setting is available only when you select Advanced (above the Extracted Items Configuration area).
Another important aspect of the extraction configuration is defining how the system extracts the dynamic parameter, that is, the extraction method. Table 11.2 describes the extraction methods.
Use this setting when you want the system to extract dynamic parameter values from links (href tags) within the server response to a URL.
Use this setting when you want the system to extract dynamic parameter values from all parameters in all forms in the HTML response to a requested URL.
Use this setting when you want the system to extract dynamic parameter values from a specific parameter within a form. Note that this setting is available only when you select Advanced (above the Extraction Methods Configuration area).
Use this setting when you want the system to extract dynamic parameter values from within XML entities. Note that this setting is available only when you select Advanced (above the Extraction Methods Configuration area).
Use this setting when you want to specify where in the response the system is to search for dynamic parameter values to extract. Note that this setting is available only when you select Advanced (above the Extraction Methods Configuration area).
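To make the DCV enforcement described above concrete, the following added example (hypothetical code, not the Application Security Manager implementation) extracts a server-issued price from links and from form fields in a constructed response, keeps at most 950 distinct values with the first-extracted ones replaced once the cap is reached, and then checks whether a later request still carries a value the server actually issued. The response markup, the DcvStore class and its method names are assumptions.

```python
import re
from collections import deque
from urllib.parse import urlparse, parse_qs

# Constructed server response (not from the manual): the server issues "price" both as a
# hidden form field and inside a link, which are the "forms" and "links" extraction sources.
SAMPLE_RESPONSE = """<html><body>
<form action="/bid" method="post">
  <input type="hidden" name="item" value="A17">
  <input type="hidden" name="price" value="42.00">
</form>
<a href="/bid?item=A17&price=42.00">Bid now</a>
</body></html>"""

HREF_RE = re.compile(r'href="([^"]+)"')
INPUT_RE = re.compile(r'<input[^>]*\bname="([^"]+)"[^>]*\bvalue="([^"]*)"')

class DcvStore:
    """Remembers the values the server has issued for one DCV parameter and checks
    later requests against them. Hypothetical class, not the product's implementation."""

    def __init__(self, name, max_values=950):
        self.name = name
        # A bounded deque drops its oldest entry when full, mirroring the documented
        # behaviour of replacing the first-extracted values once 950 are known.
        self.values = deque(maxlen=max_values)

    def remember(self, value):
        if value not in self.values:  # keep every distinct value the system finds
            self.values.append(value)

    def extract_from_links(self, html):
        """Search in links: read the parameter from the query string of each href."""
        for href in HREF_RE.findall(html):
            for value in parse_qs(urlparse(href).query).get(self.name, []):
                self.remember(value)

    def extract_from_forms(self, html):
        """Search all forms: read the parameter from every input element by name."""
        for name, value in INPUT_RE.findall(html):
            if name == self.name:
                self.remember(value)

    def check_request(self, query):
        """True when every value the client sent for the parameter is one the server
        issued earlier; a tampered value (for example a lowered price) fails."""
        sent = parse_qs(query, keep_blank_values=True).get(self.name, [])
        return all(value in self.values for value in sent)
```

A request that lowers the price to a value the server never sent fails check_request, which is the tampering the DCV parameter type is meant to catch.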
On the Extractions screen, you can review all of the parameter extractions that are configured in the security policy. You can also review the parameter extractions for a specific URL on the properties screen for that URL. See Configuring URLs, for more information on URL properties.
1.
2. On the menu bar, click Extractions.
   The Extractions screen opens, where you can view the extractions that are in the security policy.
In some web applications, DCV parameters also have dynamic names. You can use the parameter type, Dynamic parameter name, when you want the Security Enforcer to enforce the dynamic names as well as dynamic values. Note that the Dynamic parameter name parameter type is applicable only when you are configuring a flow parameter.
When you configure a dynamic parameter name, you also configure the extraction properties. The extraction properties specify the manner in which the Application Security Manager discovers the parameter names.
2. In the Create New Parameter area, for the Parameter Value Type setting, select Dynamic parameter name.
   The screen refreshes, automatically generates a unique name in the Parameter Name setting, and displays the Dynamic Parameter Properties tab.
3. On the Dynamic Parameter Properties tab, for the Extract Parameter from URL setting, specify the URL from which you want the system to extract the dynamic parameter.
If the parameter is located in a form, select Search Within Form, and specify the form index and parameter index.
If the parameter is located in the HTTP/S response, select Search parameters in response body (in form elements names only).
In the By Pattern box, type a regular expression that represents the parameter name pattern.
Clear the Check parameter value box if you do not want the system to enforce whether the parameter has a value.
5. Click the Create button to add the new parameter to the configuration.
6. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
For each security policy, there is a default character set for parameter names and parameter values. The default character sets correspond to the language encoding that you specified for the web application. The Security Enforcer enforces the character set based on the state of the character or meta character: Allowed or Disallowed. You can change the enforcement state for the general character set, or within the context of a specific alpha-numeric user-input parameter. For alpha-numeric user-input parameters, you can also specify which characters or meta characters are enforced, as well as override the default state. For more information on configuring alpha-numeric user-input parameters, see Configuring an alpha-numeric user-input parameter.
Important: Because the character set for parameters does not contain the Null character, the system considers a parameter value that contains a Null character to be disallowed.
The parameter value character set controls the default characters and meta characters that are acceptable in a parameter value.
1.
2. From the Character Sets menu, choose Parameter Value.
   The Parameter Value Character Set screen opens.
4. Use the Filter option to display the characters or meta characters that you want to view.
Allowed: Specifies that the character or meta character can occur in parameter values.
Disallowed: Specifies that the character or meta character cannot occur in parameter values.
6. Click the Save button to save any changes you may have made on this screen.
7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
   A confirmation popup screen opens.
8. Click OK.
   The system applies the updated security policy.
The parameter name character set controls the default characters and meta characters that are acceptable in a parameter name.
1. On the Main tab of the Application Security navigation pane, expand Application Security and then click Parameters.
   The Parameters List screen opens.
2. From the Character Sets menu, choose Parameter Name.
   The Parameter Name Character Set screen opens.
4. Use the Filter option to display the characters or meta characters that you want to view.
Allowed: Specifies that the character or meta character can occur in parameter values.
Disallowed: Specifies that the character or meta character cannot occur in parameter values.
6. Click the Save button to save any changes you may have made on this screen.
7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
   A confirmation popup screen opens.
8. Click OK.
   The system applies the updated security policy.
The Application Security Manager stores incoming requests in plain text format. Some requests may include sensitive data, such as a password or a credit card number, that you may not want the system to store once the request has been processed. You can avoid storing any sensitive data as plain text by adding the names of the input fields to the Sensitive Parameters property. The system then replaces the sensitive data, in the stored request, with a series of Xs.
Configuring a sensitive parameter affects only how the Application Security Manager stores and displays information in requests and responses. It does not affect the requests or responses sent to the web application or the client.
Note: The Application Security Manager automatically creates a sensitive parameter called password for every new security policy.
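As an added illustration of what a sensitive parameter changes (hypothetical code, not the product's implementation), the following masks the stored copy of a request: the value of each listed parameter, in the query string and in a form-encoded body, is replaced with Xs while every other pair and all headers stay as they were. The sample request, the host name, and the choice to use as many Xs as the original value had characters are assumptions; the list starts with password, which the manual says every new policy gets, and account, the manual's example.

```python
# Constructed stored request (not from the manual); "account" is the manual's example of a
# sensitive parameter and "password" is the one every new policy gets by default.
SAMPLE_REQUEST = (
    "POST /login?account=jdoe&lang=en HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "password=s3cret%21&remember=1"
)

DEFAULT_SENSITIVE = frozenset({"password", "account"})

def mask_query(encoded, sensitive=DEFAULT_SENSITIVE):
    """Replace the value of each sensitive name=value pair with Xs, leaving every
    other pair byte-for-byte as it was. Names must match exactly (case included),
    as the manual requires the name to be typed exactly as it occurs in the request."""
    masked = []
    for pair in encoded.split("&"):
        name, eq, value = pair.partition("=")
        masked.append(name + eq + ("X" * len(value) if name in sensitive else value))
    return "&".join(masked)

def mask_stored_request(raw, sensitive=DEFAULT_SENSITIVE):
    """Mask the query string of the request line and a form-encoded body of a stored
    plain-text request. Headers are untouched, and only this stored copy changes;
    the request forwarded to the web application is never modified."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    path, qmark, query = target.partition("?")
    lines[0] = " ".join((method, path + qmark + mask_query(query, sensitive), version))
    return "\r\n".join(lines) + sep + mask_query(body, sensitive)
```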
1.
2. On the menu bar, click Sensitive Parameters.
   The Sensitive Parameters screen opens.
4. Above the Sensitive Parameters section, click the Create button.
   The New Sensitive Parameter screen opens.
5. In the Parameter box, type the name of the user-input parameter, exactly as it occurs in the HTTP request, for which you do not want the system to store the actual value. In the following example, account is the sensitive parameter:
6. Click Create.
   The screen closes, and you can see the newly created sensitive parameter in the Sensitive Parameters list.
7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
In addition to creating sensitive parameters, you can also edit or delete existing sensitive parameters, as required by changes in the web application. Simply check the box next to an existing sensitive parameter, and click either the Edit or Delete button below the Sensitive Parameters section.
If you want the security policy to differentiate between pages in the web application that are generated by requests with the same URL name but with different parameter and value pairs, and to build the appropriate flows, you need to specify the exact names of the parameters that triggered the creation of these pages in the web application. These parameters are known as navigation parameters.
1.
2. On the menu bar, click Navigation Parameters.
   The Navigation Parameters screen opens.
4. Above the Navigation Parameters area, click the Create button.
   The Create New Navigation Parameter popup screen opens.
6. Alternatively, if the navigation parameter applies to only one page in the web application, select URL Path, and type a URL.
7. In the Navigation Parameter box, type the name of the parameter passed to the web server for page-building purposes.
8. Click OK.
   The screen closes, and on the Navigation Parameters screen, you can see the new navigation parameter.
9. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
In addition to creating navigation parameters, you can also edit or delete existing navigation parameters, as required by changes in the web application. Simply check the box next to an existing navigation parameter, and click either the Edit or Delete button below the Navigation Parameters section.