How to: Configure SSRF protection

To configure SSRF protection, define the SSRF hosts and the action to take for each, set the blocking settings for the relevant violations, and add a parameter whose valueType is set to auto-detect.

{
    "name": "test_policy",
    "template": {
        "name": "POLICY_TEMPLATE_COMPREHENSIVE"
    },
    "applicationLanguage": "utf-8",
    "caseInsensitive": false,
    "enforcementMode": "blocking",
    "learningMode": "manual",
    "signature-sets": [
        {
            "name": "Generic Detection Signatures (High/Medium Accuracy)",
            "alarm": false,
            "block": false,
            "learn": false
        }
    ],
    "ssrf-hosts": [
        {
            "action": "disallow",
            "host": "www.testserver.com"
        }
    ],
    "blocking-settings": {
        "violations": [
            {
                "name": "VIOL_PARAMETER_DATA_TYPE",
                "alarm": true,
                "block": true,
                "learn": true
            },
            {
                "name": "VIOL_HOSTNAME_MISMATCH",
                "alarm": true,
                "block": true,
                "learn": true
            },
            {
                "name": "VIOL_ATTACK_SIGNATURE",
                "alarm": true,
                "block": true,
                "learn": true
            },
            {
                "alarm": true,
                "block": true,
                "description": "Server-side access to disallowed host",
                "name": "VIOL_SERVER_SIDE_HOST"
            },
            {
                "name": "VIOL_PARAMETER_VALUE_LENGTH",
                "alarm": false,
                "block": false,
                "learn": false
            }
        ]
    },
    "parameters": [
        {
            "allowEmptyValue": true,
            "allowRepeatedParameterName": true,
            "attackSignaturesCheck": true,
            "checkMaxValueLength": false,
            "isBase64": false,
            "isCookie": false,
            "isHeader": false,
            "level": "global",
            "mandatory": false,
            "metacharsOnParameterValueCheck": false,
            "name": "qs_param",
            "parameterLocation": "any",
            "performStaging": false,
            "sensitiveParameter": false,
            "type": "explicit",
            "valueType": "auto-detect"
        },
        {
            "dataType": "uri",
            "hostNameRepresentation": "domain-name",
            "attackSignaturesCheck": true,
            "name": "body_param",
            "parameterLocation": "any",
            "performStaging": false,
            "type": "explicit"
        },
        {
            "dataType": "uri",
            "hostNameRepresentation": "domain-name",
            "attackSignaturesCheck": true,
            "name": "head_param",
            "parameterLocation": "header",
            "performStaging": false,
            "type": "explicit"
        },
        {
            "dataType": "uri",
            "hostNameRepresentation": "domain-name",
            "attackSignaturesCheck": true,
            "name": "cookie_param",
            "parameterLocation": "cookie",
            "performStaging": false,
            "type": "explicit"
        },
        {
            "dataType": "uri",
            "hostNameRepresentation": "domain-name",
            "attackSignaturesCheck": true,
            "name": "form-data_param",
            "parameterLocation": "form-data",
            "performStaging": false,
            "type": "explicit"
        },
        {
            "dataType": "uri",
            "hostNameRepresentation": "ip-address",
            "attackSignaturesCheck": true,
            "name": "qs_ip_param",
            "parameterLocation": "any",
            "performStaging": false,
            "type": "explicit"
        },
        {
            "dataType": "uri",
            "hostNameRepresentation": "ip-address",
            "attackSignaturesCheck": true,
            "name": "body_ip_param",
            "parameterLocation": "any",
            "performStaging": false,
            "type": "explicit"
        },
        {
            "dataType": "uri",
            "hostNameRepresentation": "ip-address",
            "attackSignaturesCheck": true,
            "name": "head_ip_param",
            "parameterLocation": "header",
            "performStaging": false,
            "type": "explicit"
        },
        {
            "dataType": "uri",
            "hostNameRepresentation": "ip-address",
            "attackSignaturesCheck": true,
            "name": "cookie_ip_param",
            "parameterLocation": "cookie",
            "performStaging": false,
            "type": "explicit"
        },
        {
            "dataType": "uri",
            "hostNameRepresentation": "ip-address",
            "attackSignaturesCheck": true,
            "name": "form-data_ip_param",
            "parameterLocation": "form-data",
            "performStaging": false,
            "type": "explicit"
        }
    ]
}