Manual Chapter: Working with Parameters
Parameters are an integral entity in any web application. When you define wildcard or explicit parameters in a security policy, you are increasing the security of the web application. Application Security ManagerTM evaluates defined parameters, meta characters, query string lengths, and POST data lengths as part of a positive security logic check. The Security Enforcer verifies the parameters that you configure in a security policy.
You can define parameters as global parameters, URL parameters, and flow parameters. For information on configuring global parameters, see Working with global parameters. For information on configuring URL parameters, see Working with URL parameters. For information on configuring flow parameters, see Working with flow parameters.
You can create parameters containing different value types: static content, dynamic content, dynamic name, user-input, or XML value. You can also create parameters for which the system does not check or verify the value. You can configure a global, URL, or flow parameter as any value type with the exception of dynamic parameter names; the dynamic parameter name type is available only for flow parameters. Refer to Understanding parameter value types, for more information.
When you create any type of parameter, the system automatically places the parameter in staging and does not block requests even if a violation occurs and the system is configured to block that violation. The system makes learning suggestions that you can accept or clear (see Chapter 13, Refining the Security Policy Using Learning). If you create wildcard parameters, you also have the option of enabling tightening.
This chapter discusses configuring explicit parameters. In Application Security Manager, you can also use wildcards for parameters. Refer to Configuring wildcard parameters, for more information.
If a parameter is defined more than once in the request context, the Security Enforcer applies only the more specific definition. For example, the parameter param_1 is defined as a static content global parameter, and also defined as a user-input URL parameter. When the Application Security Manager receives a request for the parameter in a URL and the parameter is defined on both the global and URL level, the Security Enforcer generates any violations based on the URL parameter definition.
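The precedence rule above (a flow definition is more specific than a URL definition, which is more specific than a global definition) generalizes to a small resolver. The following is an added example written for this page; it is not F5 code and not part of the manual. The policy entries, URLs and the ParamDef fields are constructed assumptions; it reproduces the chapter's param_1 case and adds a flow-level case.

```python
"""Resolve which parameter definition the Security Enforcer would apply.

Added example, not F5 code: models the chapter's rule that the most
specific definition (flow > URL > global) wins when a parameter name is
defined at more than one level.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ParamDef:
    name: str
    level: str                      # "global", "url" or "flow"
    value_type: str                 # value type as the chapter names them
    url: Optional[str] = None       # target URL (URL and flow definitions)
    method: Optional[str] = None    # HTTP method (flow definitions)
    referrer: Optional[str] = None  # referrer URL (flow definitions)


# Lower number = more specific definition.
PRECEDENCE = {"flow": 0, "url": 1, "global": 2}

# Constructed policy. param_1 is defined twice, exactly as in the chapter's
# example; session is defined globally and for one flow.
POLICY: List[ParamDef] = [
    ParamDef("param_1", "global", "static content"),
    ParamDef("param_1", "url", "user-input", url="/login.php"),
    ParamDef("session", "global", "ignore value"),
    ParamDef("session", "flow", "dynamic content",
             url="/account.php", method="GET", referrer="/login.php"),
]


def applies(defn: ParamDef, name: str, url: str, method: str,
            referrer: Optional[str]) -> bool:
    """True if this definition is a candidate for the request context."""
    if defn.name != name:
        return False
    if defn.level == "global":
        return True                      # no URL or flow association
    if defn.level == "url":
        return defn.url == url           # flow information is ignored
    return (defn.url == url and defn.method == method
            and defn.referrer == referrer)


def resolve(policy: List[ParamDef], name: str, url: str, method: str,
            referrer: Optional[str] = None) -> Optional[ParamDef]:
    """Return the most specific matching definition, or None if undefined."""
    matching = [d for d in policy if applies(d, name, url, method, referrer)]
    if not matching:
        return None
    return min(matching, key=lambda d: PRECEDENCE[d.level])


if __name__ == "__main__":
    # The chapter's case: the URL definition wins over the global one.
    print(resolve(POLICY, "param_1", "/login.php", "POST"))
    # Elsewhere only the global definition applies.
    print(resolve(POLICY, "param_1", "/search.php", "GET"))
```

A request for param_1 on /login.php is evaluated against the user-input URL definition, so any violation is reported in terms of that definition, while the same name on any other URL falls back to the static content global definition.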
Global parameters are those that do not have an association with a specific URL or application flow. The advantage of using global parameters is that you can configure a global parameter once, and the Security Enforcer enforces the parameter wherever it occurs.
When you first create a global parameter, the system automatically places the parameter in staging and does not block requests even if a violation occurs and the system is configured to block violation. The system makes learning suggestions that you can accept or clear (see Chapter 13, Refining the Security Policy Using Learning). If you create wildcard global parameters, you also have the option of enabling tightening.
Create a global parameter when you want the Application Security Manager to enforce the same parameter attributes everywhere the parameter occurs.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. Above the Parameters List area, click the Create button.
   The Add Parameter screen opens.
4. In the Create New Parameter area, for the Parameter Name setting, select an option:
   If you select Explicit, then in the box, type a unique parameter name.
   If you select Wildcard, then in the box, type a pattern string that represents the parameter names. See Configuring wildcard parameters, for more information.
   If you select No Name, the system creates a parameter with the label, UNNAMED.
5. For the Parameter Level setting, select Global Parameter.
7. If you are creating a wildcard parameter and you want the system to display explicit parameters that match the wildcard entity pattern that you specify, clear the Perform Staging box, and then check the Perform Tightening box.
   Note: F5 Networks recommends against using both tightening and staging at the same time on the same wildcard entity.
9. To allow users to send a request that contains multiple parameters with the same name, check the Allow Repeated Occurrences box. The default setting is disabled.
10. If you want to treat the parameter you are creating as a sensitive parameter (not visible in logs or the user interface), check Sensitive Parameter.
11. For the Parameter Value Type setting, select the format for the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter value types, for information on parameter types and additional settings that are associated with them.
12. Click the Create button to add the new global parameter to the security policy.
   The screen refreshes, and displays the new global parameter.
13. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
At times, you may want to update the characteristics of a global parameter. This is easily done by editing the parameter properties.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. In the Parameters List area, click the name of the parameter whose properties you want to edit.
   The Parameter Properties screen opens.
5. When you have finished, click the Update button.
   The system saves any changes you may have made, and returns you to the Parameters List screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. In the Parameters List area, check the box next to the global parameter that you want to remove, and then click the Delete button.
   The system displays a popup confirmation screen.
4. Click OK.
   The system deletes the parameter.
You define parameters in the context of a URL when a parameter is relevant to that particular URL, and you do not want the system to also verify the URL's associated flows. That is, you can use a URL parameter when it does not matter where users were before they accessed this URL, or whether the parameter was in a GET or POST request.
Defining a parameter as a URL parameter allows you to control one or all of the parameters associated with that URL, and allows users to create exceptions, if needed, to wildcard or other global definitions. When you define a URL parameter, the Security Enforcer applies the security policy to the parameter attributes in the context of the associated URL, and ignores the flow information.
Note that when you first create a URL parameter, the system places the parameter in staging by default and does not block requests even if a violation occurs and the system is configured to block the violation. The system makes learning suggestions that you can accept or clear (see Chapter 13, Refining the Security Policy Using Learning). If you create wildcard URL parameters, you also have the option of enabling tightening.
When you create a parameter that is associated with a URL, the Security Enforcer verifies the parameter in the context of the URL.
Note: The prerequisite for this task is that the security policy already includes the URL for which you want to add a parameter. If the security policy does not yet include the URL, refer to Configuring URLs, for information on adding a URL to the configuration.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. Above the Parameters List area, click the Create button.
   The Add Parameter screen opens.
4. In the Create New Parameter area, for the Parameter Name setting, select an option:
   If you select Explicit, then in the box, type a unique parameter name.
   If you select Wildcard, then in the box, type a pattern string that represents the parameter names. See Configuring wildcard parameters, for more information.
   If you select No Name, the system creates a parameter with the label, UNNAMED.
5. For the Parameter Level setting, select URL Parameter.
   The screen refreshes and displays the URL Path option.
   For the URL Path option, select a protocol from the list, and then type the URL in this format:
7. If you are creating a wildcard parameter and you want the system to display explicit parameters that match the wildcard entity pattern that you specify, clear the Perform Staging box, and then check the Perform Tightening box.
   Note: F5 Networks recommends against using both tightening and staging at the same time on the same wildcard entity.
9. To allow users to send a request that contains multiple parameters with the same name, check the Allow Repeated Occurrences box. The default setting is disabled.
10. If you want to treat the parameter you are creating as a sensitive parameter (not visible in logs or the user interface), check Sensitive Parameter.
11. For the Parameter Value Type setting, select the format for the parameter value.
   Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter value types, for information on parameter types and additional settings that are associated with them.
12. Click the Create button to add the new URL parameter to the security policy.
   The screen refreshes, and displays the new URL parameter.
13. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
   The Parameter Properties screen opens.
5. When you have finished, click the Update button.
   The system saves any changes you may have made, and returns you to the Parameters List screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
Web applications can change over time, and there may be occasions when you want to delete a parameter from the security policy.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. In the Parameters List area, check the box next to the parameter that you want to remove, and then click the Delete button.
   The system displays a popup confirmation screen.
4. Click OK.
   The system deletes the parameter.
5. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
You define parameters in the context of a flow when it is important to enforce that a target URL receives a parameter from a specific referrer URL. Defining a parameter in the context of a flow is the most specific context, and thus provides the tightest definition for the web application.
When you first create a flow parameter, the system automatically places the parameter in staging and does not block requests even if a violation occurs and the system is configured to block the violation. The system makes learning suggestions that you can accept or clear (see Chapter 13, Refining the Security Policy Using Learning). If you create wildcard flow parameters, you also have the option of enabling tightening.
When you create a parameter that is associated with a flow, the Security Enforcer verifies the parameter in the context of the flow (see Configuring flows, for more information). For example, if you define a parameter in the context of a GET request, and a client sends a POST request that contains the parameter, the Security Enforcer generates an Illegal Parameter violation.
You can define flow parameters for very tight, flow-specific security. With this increased protection comes an increase in maintenance and configuration time. Note that if your web application uses dynamic parameters, you must add those to the security policy manually.
The following task starts after the flow for which you want to create a parameter is configured. If the security policy does not include the flow, refer to Configuring flows, for information on adding a flow to the configuration.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. Above the Parameters List area, click the Create button.
   The Add Parameter screen opens.
4. In the Create New Parameter area, for the Parameter Name setting, select an option:
   If you select Explicit, then in the box, type a unique parameter name.
   If you select Wildcard, then in the box, type a pattern string that represents the parameter names. See Configuring wildcard parameters, for more information.
   If you select No Name, the system creates a parameter with the label, UNNAMED.
5. For the Parameter Level setting, select Flow Parameter.
   The screen refreshes and displays flow detail settings.
6. For the From URL setting:
   If the source URL is a referrer URL (the referrer URL must already be defined in the policy), click URL Path, select the protocol used to request the URL, then type the referrer URL associated with the flow.
7. For the Method setting, select the HTTP method that applies to the target URL (the referrer URL must already be defined in the policy).
8. For the To URL setting, if you specified a referrer URL for the From URL setting, specify the target URL.
10. If you are creating a wildcard parameter and you want the system to display explicit parameters that match the wildcard entity pattern that you specify, clear the Perform Staging box, and then check the Perform Tightening box.
   Note: F5 Networks recommends against using both tightening and staging at the same time on the same wildcard entity.
11. If the parameter is required in the context of the flow, check the Is Mandatory Parameter setting. Note that only flows can have mandatory parameters. (See Allowing multiple occurrences of a parameter in a request, for more information.)
13. To allow users to send a request that contains multiple parameters with the same name, check the Allow Repeated Occurrences box. The default setting is disabled.
14. If you want to treat the parameter you are creating as a sensitive parameter (not visible in logs or the user interface), check Sensitive Parameter.
15. For the Parameter Value Type setting, select the format for the parameter value. Depending on the value type you select, the screen refreshes to display additional configuration options. See Understanding parameter value types, for information on parameter types and additional settings that are associated with them.
16. Click the Create button to add the new flow parameter to the security policy.
   The screen refreshes, and displays the new flow parameter.
17. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
At times, you may want to update the characteristics of a flow parameter. This is easily done by editing the parameter properties.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
   The Parameter Properties screen opens.
5. When you have finished, click the Update button.
   The system saves any changes you may have made, and returns you to the Parameters List screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. In the Parameters List area, in the Select column (far left), check the box next to the parameter that you want to remove, and then click the Delete button.
   The system displays a popup confirmation screen.
4. Click OK.
   The system deletes the parameter.
5. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
Parameter characteristics define the individual attributes of the parameter. The parameter characteristics change depending on the type of parameter that you specify.
When you add a parameter to the security policy, you specify the parameter value type. The Security Enforcer then knows in what form to expect the parameter value, and applies the security policy accordingly.
You can configure global parameters, URL parameters, and flow parameters as any parameter type, except the dynamic parameter name type. You can configure only flow parameters as dynamic parameter names.
Ignore value
If you do not want the system to perform checks on the parameter value, use this parameter value type.
Static content value
Static parameters are those that have a known set of values. A list of country names or a yes/no form field are both examples of static parameters. If you select this type, you add or remove static values for the parameter. For information on configuring static parameters, see Configuring static parameters.
Dynamic content value
Dynamic parameters are those whose set of values can change, and are often linked to a user session. When you create a new parameter of this type, you are prompted to define dynamic parameter extraction properties. The server sets the value for dynamic content value (DCV) parameters. DCV parameters are often associated with applications that use session IDs for client sessions. For information on configuring DCV parameters, see Configuring dynamic content value parameters.
Dynamic parameter name
Some flow parameters have names that change dynamically. If so, you can use this parameter type. If you select this type, you also need to specify the URL from which the system should extract dynamic parameter name parameters. For information on configuring dynamic parameter names, see Configuring parameter characteristics for dynamic parameter names.
User-input value
User-input parameters are those that require users to enter or provide some sort of data. This is the most commonly used parameter value type. Comment, name, and phone number fields on an online form are all examples of user-input parameters. You can also configure user-input parameters even if the parameter is not really user input. For example, if a parameter has a wide range of values or many static values, you may want to configure the parameter as a user-input parameter instead of a static content parameter. For information on configuring user-input parameters, see Configuring parameter characteristics for user-input parameters.
XML value
XML parameters are those whose parameter value contains XML data. For information on configuring XML parameters, see Associating an XML profile with a parameter.
Static parameters are parameters that can contain values from a specific set. For example, a credit card type parameter, for payment in a shopping application, may have the value set of MasterCard®, Visa®, and American Express®. When you configure static parameters, you are basically creating a value set for the parameter.
2. For the Parameter Value Type setting, select Static content value.
   The screen refreshes and displays the Parameter Static Values area.
3. In the Parameter Static Values area, in the New Static Value box, type a value for the parameter.
4. Click the Add button to add the value to the Parameter Static Values list.
6. Click the Create button to save the parameter in the configuration.
7. In the editing context area, click the Apply Policy button to immediately put the security policy changes into effect.
User-input parameters are those for which the user can provide a value. For user-input parameters, you can configure the Application Security Manager to verify minimum and maximum values, minimum and maximum lengths, and valid meta characters. It is particularly useful to configure a parameter as a user-input parameter if you want the system to verify parameter values using broad validations, such as minimum and maximum value or maximum length.
By default, the system checks for attack patterns within all user-input alpha-numeric parameters. For each parameter, you can enable or disable a specific attack signature.
User-input parameters can accept many different data types. The data types are: alpha-numeric, binary, decimal, email, integer, and phone. Depending on the data type that you configure, the system can verify additional options, as noted in the following sections.
The alpha-numeric data type specifies that the parameter value can have letters, integers, and the underscore character in it. For this data type, you can specify a maximum length, and you can define the acceptable parameter values as a regular expression. You can also specify one or more meta characters (in addition to the base character set of a-z, A-Z, 0-9), and one or more regular expressions, that are acceptable within the context of the parameter.
Note: If you enable a regular expression for an alpha-numeric parameter, any value that does not match the pattern generates a Parameter value does not comply with regular expression violation.
2. For the Parameter Value Type setting, use the default value, User-input value.
3. For the Data Type setting, use the default value, Alpha-Numeric.
   To enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
   To enforce the parameter value using pattern matching, check the Regular Expression box, and type a regular expression.
   Note: When you enable this setting, the only values acceptable for the parameter are those that exactly match the regular expression pattern that you provide. All other values are considered illegal for this parameter.
4. If you want to make certain meta characters valid, or not valid, as part of the parameter value (and override the global meta character settings), click Value Meta Characters.
   Make sure that the Check characters on this parameter check box is checked.
   The screen displays the global and overridden meta character settings for this parameter.
   From the Global Security Policy Settings list, select any meta characters that you want to assign to the parameter value, and click the Move button (<<) to add them to the Overridden Security Policy Settings list.
   The screen displays the meta characters and the default state for each.
   In the Overridden Security Policy Settings list, change the meta character state as required.
   Select Allowed when the meta character can be in the parameter value.
   Select Disallowed when the meta character cannot be in the parameter value, and may trigger the Illegal meta character in parameter value violation.
5. If you want to make certain known attack patterns valid, or not valid, as part of the parameter value, click Attack Signatures.
   Make sure that the Check attack signatures on this parameter check box is checked.
   The screen displays the attack signature settings that are available or assigned to this parameter.
   From the Global Security Policy Settings list, select any attack signatures that you want to assign to the parameter value, and click the Move button (<<) to add them to the Overridden Security Policy Settings list.
   The screen displays the attack signatures and the default state for each.
   In the Overridden Security Policy Settings list, change the attack signature state as required. Note that the state that you select may override the state that is assigned at the attack signature set level.
   Select Disabled when the parameter value can match the attack signature.
   Select Enabled when the parameter value cannot match the attack signature.
6. Click the Create button to add the parameter to the configuration.
7. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
The binary data type specifies that the parameter value is data for which the system does not verify meta characters or attack signatures. Typically, you use this data type for binary file uploads. Note that for this data type, you specify only a maximum length.
2. For the Parameter Value Type setting, use the default value, User-input value.
3. For the Data Type setting, select Binary (Length checks only).
4. If you want the Security Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
5. Click the Create button to add the parameter to the configuration.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
The decimal data type specifies that the parameter value is numeric, and can include integers and decimals only. For this data type, you can specify a minimum value, a maximum value, and a maximum length.
2. For the Parameter Value Type setting, use the default value, User-input value.
3. For the Data Type setting, select Decimal.
4. If you want to enforce a minimum value for the parameter, check the Check Minimum Value box, and type a number.
5. If you want to enforce a maximum value for the parameter value, check the Check Maximum Value box, and type a number.
6. If you want to enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
7. Click the Create button to add the parameter to the configuration.
8. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
The email data type specifies that the parameter value is in the email address format. Values for this data type can include letters, numbers, the at meta character (@), the period (.) character, and the underscore (_) character. For this data type you can specify only a maximum length.
Note: F5 Networks recommends that you use the email data type only if the web application has client-side data validation for the parameter.
2. For the Parameter Value Type setting, use the default value, User-input value.
3. For the Data Type setting, select Email.
4. If you want the Security Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
5. Click the Create button to add the parameter to the configuration.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
The integer data type specifies that the parameter value is numeric, and can include only whole numbers. For this data type, you can specify a minimum value, a maximum value, and a maximum length.
2. For the Parameter Value Type setting, use the default value, User-input value.
3. For the Data Type setting, select Integer.
4. If you want the Security Enforcer to enforce a minimum value for the parameter value, check the Check Minimum Value box, and type a number.
5. If you want the Security Enforcer to enforce a maximum value for the parameter value, check the Check Maximum Value box, and type a number.
6. If you want the Security Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
7. Click the Create button to add the parameter to the configuration.
8. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
The phone data type specifies that the parameter value is in the phone number format. Values for this data type can include numbers, the hyphen meta character (-), and the parentheses meta characters [( )]. For this data type you can specify only a maximum length.
Note: F5 Networks recommends that you use the phone data type only if the web application has client-side data validation for the parameter.
2. For the Parameter Value Type setting, use the default value, User-input value.
3. For the Data Type setting, select Phone.
4. If you want to enforce a maximum length (number of bytes) for the parameter value, check the Check Maximum Length box, and type a number.
5. Click the Create button to add the parameter to the configuration.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
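The static content value set and the user-input data types described above (alpha-numeric with maximum length, regular expression and meta character overrides; binary with length checks only; decimal and integer with minimum and maximum values; email and phone with their fixed character sets) amount to a per-value validator. The following is an added example written for this page, not F5 code and not the product's enforcement logic. The character sets and the two violation names it quotes come from the chapter; the ParamSpec fields, the remaining violation labels, and the treatment of any meta character not explicitly allowed as disallowed are this example's own assumptions.

```python
"""Validate one parameter value against its configured value type.

Added example, not F5 code: models the chapter's static content and
user-input checks and returns the list of violations a value would raise.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Character sets as the chapter describes them for each data type.
BASE_ALNUM = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")
EMAIL_SET = BASE_ALNUM | set("@.")          # letters, numbers, @, ., _
PHONE_SET = set("0123456789-()")            # numbers, hyphen, parentheses
INTEGER_RE = re.compile(r"-?[0-9]+")        # whole numbers only
DECIMAL_RE = re.compile(r"-?[0-9]+(\.[0-9]+)?")

# These two names appear in the chapter; the other labels below are this
# example's own wording, not necessarily the product's violation names.
META_VIOLATION = "Illegal meta character in parameter value"
REGEX_VIOLATION = "Parameter value does not comply with regular expression"


@dataclass
class ParamSpec:
    value_type: str                              # "ignore", "static" or "user-input"
    data_type: str = "alpha-numeric"             # user-input only
    static_values: FrozenSet[str] = frozenset()  # static content value set
    max_length: Optional[int] = None             # bytes, as the chapter states
    min_value: Optional[float] = None            # integer and decimal only
    max_value: Optional[float] = None
    regex: Optional[str] = None                  # alpha-numeric only
    # Assumption: meta characters not listed here are disallowed for this parameter.
    allowed_meta: FrozenSet[str] = frozenset()


def validate_value(spec: ParamSpec, value: str) -> List[str]:
    """Return every violation the value raises against spec (empty list if none)."""
    violations: List[str] = []
    if spec.value_type == "ignore":
        return violations                        # no checks on the value
    if spec.value_type == "static":
        if value not in spec.static_values:
            violations.append("value not in static set")
        return violations
    # user-input value: the maximum length check applies to every data type
    if spec.max_length is not None and len(value.encode("utf-8")) > spec.max_length:
        violations.append("maximum length exceeded")
    dt = spec.data_type
    if dt == "binary":                           # length checks only
        return violations
    if dt in ("integer", "decimal"):
        pattern = INTEGER_RE if dt == "integer" else DECIMAL_RE
        if not pattern.fullmatch(value):
            violations.append("data type mismatch")
            return violations
        number = float(value)
        if (spec.min_value is not None and number < spec.min_value) or \
           (spec.max_value is not None and number > spec.max_value):
            violations.append("value outside minimum/maximum")
        return violations
    if dt == "email":
        if any(c not in EMAIL_SET for c in value):
            violations.append(META_VIOLATION)
        return violations
    if dt == "phone":
        if any(c not in PHONE_SET for c in value):
            violations.append(META_VIOLATION)
        return violations
    # alpha-numeric: base set plus explicitly allowed meta characters, then the regex
    if any(c not in BASE_ALNUM and c not in spec.allowed_meta for c in value):
        violations.append(META_VIOLATION)
    if spec.regex is not None and not re.fullmatch(spec.regex, value):
        violations.append(REGEX_VIOLATION)
    return violations


if __name__ == "__main__":
    # Constructed specs mirroring the chapter's examples.
    card_type = ParamSpec("static", static_values=frozenset({"Visa", "MasterCard"}))
    order_id = ParamSpec("user-input", regex=r"[A-Z]{2}[0-9]{4}", max_length=6)
    quantity = ParamSpec("user-input", data_type="integer", min_value=1, max_value=100)
    for spec, value in [(card_type, "Discover"), (order_id, "ab1234"), (quantity, "150")]:
        print(repr(value), "->", validate_value(spec, value))
```

Each check maps to one setting in the procedures above: the length check is the Check Maximum Length box, the numeric range is Check Minimum Value and Check Maximum Value, the regular expression is the Regular Expression box, and the meta character test is the Value Meta Characters override. Because the regex check runs after the meta character check, a value can raise both violations at once, which is what you want to see when tuning a policy.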
The Allow Empty Value setting specifies whether the system expects the parameter to have a defined value. When this setting is enabled on a parameter (which is the default setting), the system does not generate an Illegal empty parameter value alert if a client request does not provide a value. Conversely, if the Allow Empty Value setting is disabled, the system generates the Illegal empty parameter value alert if a client request does not provide a value. The Allow Empty Value setting is applicable to global parameters, URL parameters, and flow parameters.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
   The Parameter Properties screen opens.
4. For the Allow Empty Value setting, check or clear the check box as required.
5. When you have finished, click the Update button.
   The system saves any changes you may have made, and returns you to the Parameters List screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
By sending several occurrences of the same parameter in a single request, an attacker can cause unexpected behavior on an application server. This type of attack, called HTTP parameter pollution, can be used for web application firewall evasion (and can allow smuggling attacks through intrusion prevention signature matching engines).
Since most web applications do not expect parameters to appear several times in requests, such behavior is not allowed by default. Therefore, when a request contains multiple occurrences of the same parameter, the system generates an Illegal repeated parameter name violation (if that violation is set to Alarm or Block). If the violation occurs, the system provides a learning suggestion that you can review to decide whether to allow repeated occurrences of the parameter. You can also enable the Allow Repeated Occurrences setting by editing parameter properties.
1. In the navigation pane, expand Application Security and click Parameters.
   The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the parameter that you want to edit.
   The Parameter Properties screen opens.
4. Check the Allow Repeated Occurrences box.
5. Click the Update button.
   The system saves the changes, and returns you to the Parameters List screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
   The system applies the updated security policy.
The Is Mandatory Parameter setting specifies whether a parameter must be present in a flow.
1. In the navigation pane, expand Application Security and click Parameters.
The Parameters List screen opens.
3. In the Parameters List area, in the Parameter Name column, click the name of the flow parameter whose properties you want to edit.
The Parameter Properties screen opens.
4. Check the Is Mandatory Parameter check box.
5. When you have finished, click the Update button.
The system saves any changes you may have made, and returns you to the Parameters List screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
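The three parameter properties covered above (Allow Empty Value, Allow Repeated Occurrences and Is Mandatory Parameter) are all checks on the set of name/value pairs in one request. The following added example, which is not code from the manual or from the Application Security Manager, shows the positive-security logic those settings express, using a constructed policy table and violation labels modeled on the settings; the parameter names in POLICY are assumptions.

```python
from urllib.parse import parse_qsl

# Constructed policy: the per-parameter properties described in the text.
# A request with several "account" values would be HTTP parameter pollution,
# so repetition is only allowed where the application really expects it.
POLICY = {
    "account": {"allow_empty": False, "allow_repeated": False, "mandatory": True},
    "sort":    {"allow_empty": True,  "allow_repeated": False, "mandatory": False},
    "item_id": {"allow_empty": False, "allow_repeated": True,  "mandatory": False},
}


def check_parameters(query: str, policy=POLICY) -> list:
    """Return the violations raised for one query string or form body."""
    # keep_blank_values so that "sort=" is seen as an empty value, not dropped
    pairs = parse_qsl(query, keep_blank_values=True)
    seen = {}
    for name, value in pairs:
        seen.setdefault(name, []).append(value)

    violations = []
    for name, values in seen.items():
        props = policy.get(name)
        if props is None:
            # Explicit parameters only: anything undefined is rejected.
            violations.append("Illegal parameter: " + name)
            continue
        if len(values) > 1 and not props["allow_repeated"]:
            violations.append("Illegal repeated parameter name: " + name)
        if not props["allow_empty"] and any(v == "" for v in values):
            violations.append("Illegal empty parameter value: " + name)

    # Is Mandatory Parameter: the parameter must be present in the request.
    for name, props in policy.items():
        if props["mandatory"] and name not in seen:
            violations.append("Mandatory parameter is missing: " + name)
    return violations


if __name__ == "__main__":
    for q in ("account=123&sort=", "account=1&account=2", "sort=asc",
              "account=&item_id=1&item_id=2"):
        print(q, "->", check_parameters(q))
```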
XML parameters contain XML data in the parameter value. To perform checks on the XML data, you associate an XML profile with the XML parameter. For details on configuring XML profiles, refer to Chapter 12, Protecting XML Applications.
2. For the Parameter Value Type setting, select XML value.
The screen refreshes and displays additional settings.
3. For the XML Profile setting, perform the appropriate task:
If you have not created an XML profile, click the Create button (+) next to XML Profile to create one. For details about creating XML profiles, refer to Chapter 12, Protecting XML Applications.
4. Click the Create button.
The screen refreshes and you see the parameter in the list.
5. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
When you configure a dynamic parameter, you also configure the extraction properties for the parameter values. The extraction properties define where the system extracts the dynamic parameter values or name from, and which method or methods it uses for the extraction. When the Application Security Manager receives a request that contains an entity (for example, a file extension or URL) containing a dynamic parameter, the system uses the extraction properties to collect the parameter value or name from the web application's response to the request. Once the system has extracted the dynamic parameter values, the Security Enforcer knows what to enforce the next time a request contains the dynamic parameter.
Dynamic content value (DCV) parameters are those for which the web application sets the value on the server side. When you configure a DCV parameter in the Application Security Manager, the system verifies that the client is not changing the parameter value, as set by the server, from one request to the next. For example, in an auction application, you might configure the price parameter as a DCV parameter to keep users from tampering with the price.
DCV parameters are often associated with web applications that use sessions. Each user of these applications has unique identifiers, and those identifiers may also change. As a result, the parameters in the web application that identify the user have dynamic content values. As an example, user identity is often passed between pages as a hidden parameter, which could be exploited by malicious users.
When you configure a DCV parameter, you also configure the extraction properties for the parameter values. The extraction properties specify the manner in which the Application Security Manager discovers and populates the values for the DCV parameter.
By default, the system retains all of the values that it finds for a DCV parameter unless the number of values exceeds 950. When that is the case, the Application Security Manager replaces the first-extracted values with new values. When there are fewer than 950 values, the system does not replace the values it knows about when it extracts a new value.
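The mechanism described above (extract the server-set value from the response, accept only previously extracted values in later requests, and keep at most 950 values with the first-extracted ones replaced first) can be illustrated in a few lines. This added example is not code from the manual or the product; it uses a constructed HTML response, and the "Search All Forms" behaviour is approximated by scanning every <input> tag with double-quoted attributes.

```python
import re
from collections import OrderedDict

# Retention limit stated in the text; the oldest extracted value is replaced first.
MAX_VALUES = 950

_INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)


def _attr(tag: str, name: str):
    """Return a double-quoted attribute value from one <input> tag, or None."""
    m = re.search(r'\b%s\s*=\s*"([^"]*)"' % name, tag, re.I)
    return m.group(1) if m else None


class DcvParameter:
    """Server-set values seen so far for one dynamic content value (DCV) parameter."""

    def __init__(self, name: str, max_values: int = MAX_VALUES):
        self.name = name
        self.max_values = max_values
        self.values = OrderedDict()   # insertion order records extraction order

    def extract_from_html(self, html: str) -> int:
        """Record the value of every form <input> named like this parameter."""
        added = 0
        for tag in _INPUT_TAG.findall(html):
            if _attr(tag, "name") != self.name:
                continue
            value = _attr(tag, "value")
            if value is None or value in self.values:
                continue
            if len(self.values) >= self.max_values:
                self.values.popitem(last=False)   # replace the first-extracted value
            self.values[value] = True
            added += 1
        return added

    def enforce(self, submitted: str) -> bool:
        """A submitted value is legal only if the server previously set it."""
        return submitted in self.values


# Constructed sample: an auction page carrying a hidden, server-set price field.
SAMPLE_RESPONSE = """
<form action="/bid" method="post">
  <input type="hidden" name="item" value="1042">
  <input type="hidden" name="price" value="19.99">
  <input type="submit" value="Bid">
</form>
"""

if __name__ == "__main__":
    price = DcvParameter("price")
    price.extract_from_html(SAMPLE_RESPONSE)
    print(price.enforce("19.99"), price.enforce("0.01"))   # True False
```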
2. For the Parameter Value Type setting, select Dynamic content value.
3. Click the Create button.
A popup screen opens asking if you want to define extractions.
4. Click OK.
The Create New Extraction screen opens.
5. For the Name setting, select a name for the dynamic parameter or type a name.
6. From the Extracted Items Configuration list, accept Basic (default) or select Advanced, and then specify from where you want the system to extract the dynamic parameter values.
For more information on this setting, see Understanding the extracted items configuration.
7. From the Extraction Methods Configuration list, select Basic or Advanced, and then specify the method or methods that you want the system to use to extract the dynamic parameter values.
For more information on this setting, see Understanding the extraction methods configuration.
8. Click the Create button to add the extraction properties to the parameter.
9. Click the Update button to update the parameter settings.
10. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
Note: You should define the extractions for a DCV parameter before you apply the security policy that includes the parameters. If you do not, when you apply the security policy, the policy validator generates a warning that the security policy contains dynamic parameters that do not have extractions defined.
When you create an extraction for a dynamic parameter, one aspect of the extraction is configuring where, in the responses to requested objects, the system searches for the dynamic parameter. You can configure the system to extract the dynamic parameter values from file types, from URLs, or by using pattern matching. Alternately, you can configure the system to extract dynamic parameter values from all items. Table 10.1 describes the extracted items settings.
Use this setting when you want the system to extract dynamic parameters from files of a certain type. Note that the available file types are those that are already a part of the security policy.
Use this setting when you want the system to extract dynamic parameters that match a regular expression pattern. Note that this setting is available only when you select Advanced (above the Extracted Items Configuration area).
Use this setting when you want the system to extract dynamic parameters from all text-based URLs and file types. Note that this setting is available only when you select Advanced (from the Extracted Items Configuration list).
Another important aspect of the extraction configuration is defining how the system extracts the dynamic parameter, that is, the extraction method. Table 10.2 describes the extraction methods.
Use this setting when you want the system to extract dynamic parameter values from all parameters in all forms in the HTML response to a requested URL.
Use this setting when you want the system to extract dynamic parameter values from a specific parameter within a form. Note that this setting is available only when you select Advanced (from the Extracted Items Configuration list).
Use this setting when you want the system to extract dynamic parameter values from within XML entities. Note that this setting is available only when you select Advanced (from the Extraction Methods Configuration list).
Use this setting when you want to specify where in the response the system is to search dynamic parameter values for extraction. Note that this setting is available only when you select Advanced (from the Extraction Methods Configuration list).
You can review all of the parameter extractions that are configured in the security policy. You can also review the parameter extractions for a specific URL on the properties screen for that URL. See Configuring URLs, for more information on URL properties.
1. In the navigation pane, expand Application Security and click Parameters.
The Parameters List screen opens.
2. On the menu bar, click Extractions.
The Extractions screen opens, where you can view the extractions that are in the security policy.
In some web applications, DCV parameters also have dynamic names. You can use the parameter type, Dynamic parameter name, when you want the Security Enforcer to apply the dynamic names as well as dynamic values. Note that the Dynamic parameter name parameter type is applicable only when you are configuring a flow parameter.
When you configure a dynamic parameter name, you also configure the extraction properties. The extraction properties specify the manner in which the Application Security Manager discovers the parameter names.
2. In the Create New Parameter area, for the Parameter Value Type setting, select Dynamic parameter name.
The screen refreshes, automatically generates a unique name in the Parameter Name setting, and displays the Dynamic Parameter Properties area.
3. In the Dynamic Parameter Properties area, for the Extract Parameter from URL setting, select the protocol to use and type the URL from which you want the system to extract the dynamic parameter.
If the parameter is located in a form, select Search Within Form, and specify the form index and parameter index.
If the parameter is located in the HTTP/S response, select Search parameters in response body (in form elements names only).
In the By Pattern box, type a regular expression that represents the parameter name pattern.
If you do not want the system to enforce whether the parameter has a value, clear the Check parameter value box.
5. Click the Create button to add the new parameter to the configuration.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
Each security policy includes a default character set for parameter names and another for parameter values. The default character sets correspond to the language encoding that you specified for the web application. The Security Enforcer implements the character set based on the state of the character or meta character: Allowed or Disallowed.
You can change the enforcement state for the general character set, or within the context of a specific alpha-numeric user-input parameter. For alpha-numeric user-input parameters, you can also specify which characters or meta characters are enforced, as well as override the default state. For more information on configuring alpha-numeric user-input parameters, see Configuring an alpha-numeric user-input parameter.
The parameter value character set controls the default characters and meta characters that are acceptable in a parameter value.
1. In the navigation pane, expand Application Security, point to Parameters, point to Character Sets, and then click Parameter Value.
The Parameter Value Character Set screen opens showing the default character set.
3. Use the Filter option to display the characters or meta characters that you want to view.
Allowed: Specifies that the security policy permits this character or meta character in parameter values.
Disallowed: Specifies that the security policy does not permit this character or meta character in parameter values.
5. Click the Save button to save any changes you may have made on this screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
The parameter name character set controls the default characters and meta characters that are acceptable in a parameter name.
1. In the navigation pane, expand Application Security, point to Parameters, point to Character Sets, and then click Parameter Name.
The Parameter Name Character Set screen opens showing the default character set for wildcard parameter names.
3. Use the Filter option to display the characters or meta characters that you want to view.
Allowed: Specifies that the security policy permits this character or meta character in parameter values.
Disallowed: Specifies that the security policy does not permit this character or meta character in parameter values.
5. Click the Save button to save any changes you may have made on this screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
The Application Security Manager stores incoming requests in plain text format. Some requests include sensitive data in parameters, such as an account number. If you create sensitive parameters, the system replaces the sensitive data, in the stored request and in logs, with asterisks (***).
You can create sensitive parameters as described in the procedure, following, or by checking the Sensitive Parameter box when creating or editing any parameter. All parameters defined as sensitive, regardless of how you configured them, appear in the Sensitive Parameters list.
Configuring a parameter as sensitive affects only how the Application Security Manager stores and displays information in requests. It does not affect requests sent to the web application or the client.
Note: The Application Security Manager automatically creates a sensitive parameter called password for every new security policy.
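To make the storage-only effect concrete: the masking replaces the value of each sensitive parameter in the stored copy of the request, while the request forwarded to the web application is left untouched. The following added example is not code from the manual or the product; it masks double-quoted-free, URL-encoded name/value pairs in the query string and in a form-encoded body, takes "password" as the default sensitive parameter the text mentions, and treats "account" and the sample request as constructed.

```python
# "password" is the sensitive parameter created by default; "account" is constructed.
SENSITIVE = {"password", "account"}
MASK = "***"


def mask_pairs(encoded: str, sensitive=SENSITIVE) -> str:
    """Replace the value of each sensitive name in an a=1&b=2 style string."""
    out = []
    for pair in encoded.split("&"):
        name, sep, _value = pair.partition("=")
        # Only a name with an "=" carries a value worth masking; keep everything else as-is.
        out.append(name + sep + MASK if sep and name in sensitive else pair)
    return "&".join(out)


def mask_request(raw: str, sensitive=SENSITIVE) -> str:
    """Return the copy of a raw HTTP/1.1 request that is safe to store or log."""
    head, blank, body = raw.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)

    path, qmark, query = target.partition("?")
    if qmark:
        target = path + "?" + mask_pairs(query, sensitive)

    # Only a form-encoded body is a list of parameters; other bodies are left alone.
    form_body = any("application/x-www-form-urlencoded" in h.lower() for h in headers)
    if body and form_body:
        body = mask_pairs(body, sensitive)

    return "\r\n".join([" ".join((method, target, version)), *headers]) + blank + body


# Constructed sample request with a sensitive value in both the query and the body.
SAMPLE_REQUEST = (
    "POST /login?account=12345&lang=en HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&password=hunter2"
)

if __name__ == "__main__":
    stored_copy = mask_request(SAMPLE_REQUEST)   # what goes to storage and logs
    forwarded = SAMPLE_REQUEST                    # what the web application receives
    print(stored_copy)
    print(forwarded == SAMPLE_REQUEST)            # True
```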
1. In the navigation pane, expand Application Security, point to Parameters, then click Sensitive Parameters.
The Sensitive Parameters screen opens.
3. Above the Sensitive Parameters section, click the Create button.
The New Sensitive Parameter screen opens.
4. In the Parameter box, type the name of the user-input parameter, exactly as it occurs in the HTTP request, for which you do not want the system to store the actual value. In the following example, account is the sensitive parameter:
Tip: If a parameter of this name already exists in the security policy, click it in the parameter list, and check its Sensitive Parameter box instead of creating a new sensitive parameter.
5. Click the Create button.
The screen closes, and you can see the newly created sensitive parameter in the Sensitive Parameters list.
6. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
In addition to creating sensitive parameters, you can also edit or delete existing sensitive parameters. To edit an existing sensitive parameter, click the name, then update the parameter settings. To delete a parameter, check the select box and click the Delete button.
If you want the security policy to differentiate between pages in the web application that are generated by requests with the same URL name but with different parameter and value pairs, and to build the appropriate flows, you must specify the exact names of the parameters that trigger the creation of the pages in the web application. These parameters are known as navigation parameters.
1. In the navigation pane, expand Application Security, point to Parameters, then click Navigation Parameters.
The Navigation Parameters screen opens.
3. Above the Navigation Parameters area, click the Create button.
The New Navigation Parameter screen opens.
If the navigation parameter applies to only one page in the web application, select URL Path, and type the URL.
5. In the Navigation Parameter box, type the name of the parameter passed to the web server for dynamic page-building purposes.
6. Click the Create button.
The screen closes, and on the Navigation Parameters screen, you can see the new navigation parameter.
7. To put the security policy changes into effect immediately, click the Apply Policy button, then click OK to confirm.
The system applies the updated security policy.
In addition to creating navigation parameters, you can also edit or delete existing navigation parameters, as required by changes in the web application. To delete an existing navigation parameter, check the box next to the parameter, and click the Delete button. To edit an existing navigation parameter, click the name, then update the parameter properties.