Reference: Parameters

Parameters are an integral part of any web application, and they need to be protected so clients cannot access them, modify them, or view sensitive data. When you define parameters in a security policy, you increase the security of the web application and prevent web parameter tampering.

WAF evaluates parameters, meta characters, query string lengths, and POST data lengths as part of a positive security logic check. When the security policy includes known parameters, you are creating an allowlist of acceptable parameters. The system allows traffic that includes the parameters that you configure in a security policy.

Security policies can include parameters defined as global parameters or URL parameters. You can further specify parameters as being particular value types: static content, dynamic content, dynamic parameter name, user-input, JSON, or XML. You can also create parameters for which the system does not check or verify the value.

Parameter violations

Illegal parameter

The system checks that every parameter in the request is defined in the WAF policy; a parameter that is not defined raises this violation.

Type: Input Violation

Attack Type: Abuse of Functionality

Severity: Error

Risk: Potential for illegal request payload for purposes of SQL injection and XSS. This can also put the application at risk for forceful browsing and privilege escalation.

Examples: The request includes a special or secret parameter that could trigger hidden activity in the application, for example mode=admin or debug=on.

Illegal parameter location

The parameter was found in a request location (for example, query string or POST body) different from the location specified for it in the WAF policy.

Type: Input Violation

Attack Type: Abuse of Functionality

Severity: Informational

Risk: Potential for forceful browsing and application error disclosure.

Illegal parameter value length

The system checks whether the parameter value's length (in bytes) is within the value limits defined in the policy.

Type: Input Violation

Attack Type: Abuse of Functionality

Severity: Error

Risk: An illegal parameter length can indicate buffer overflow and DoS attacks.

Examples: A request with input parameter values that are larger than expected can expose an application vulnerability.

Disallowed file upload content detected

The request contains file upload content that is in binary executable file format.

Type: Input Violation

Attack Type: Parameter tampering

Severity: Error

Risk: An attempt to upload an executable file may be an indication of a Trojan, virus, backdoor/shell attack, or other methods to compromise a server.

Examples: An upload of malicious code to the server allows the attacker to gain remote access to the server or spread malware to application users.

Illegal empty parameter value

The request contains a parameter with a value that is empty when it must contain a value.

Type: Input Violation

Attack Type: Abuse of Functionality

Severity: Error

Risk: An illegal value for a user-input parameter can permit manipulation of the application’s logic and functionality.

Illegal repeated parameter name

The system detected multiple parameters with the same name in a single HTTP request.

Type: Input Violation

Attack Type: Detection evasion

Severity: Informational

Risk: Can lead to arbitrary code execution, SQLi, XSS, RFI (remote file inclusion), and other attacks.

Null in multi-part parameter value

The multi-part request had a parameter value that contains a null character.

Type: Input Violation

Attack Type: Buffer overflow

Severity: Error

Illegal dynamic parameter value

The parameter value is not equal to the value set by the server.

Type: Input Violation

Attack Type: Parameter tampering

Severity: Error

Risk: Can lead to hidden field manipulation, parameter tampering, and illegal alteration of the parameter value.
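The following is an added example, not F5 or NGINX App Protect code, showing how the parameter checks listed above fit together as one positive-security pass over a request. The policy structure (ParamRule), the function name check_parameters, the executable magic-byte list and the sample requests are all assumptions made for the illustration; the violation names mirror the headings in this reference.

```python
"""Miniature positive-security parameter check (added example, not WAF code)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl

# Leading bytes of common binary executable formats (PE, ELF, Mach-O).
# Assumed here as a stand-in for the WAF's own file-format detection.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf")


@dataclass
class ParamRule:
    location: str                      # "query", "form" or "any"
    max_len: Optional[int] = None      # maximum value length in bytes
    allow_empty: bool = True
    allow_repeats: bool = False
    server_value: Optional[str] = None  # dynamic parameter: value issued by the server


# Hypothetical policy: only these parameter names are allowed.
POLICY = {
    "id": ParamRule(location="query", max_len=10, allow_empty=False),
    "q": ParamRule(location="query", max_len=64),
    "csrf": ParamRule(location="form", server_value="t0k3n"),
    "avatar": ParamRule(location="form", max_len=1_000_000),
}


def check_parameters(query: str, form_fields: dict, policy=POLICY) -> list:
    """Return the list of violations for a request's query string and multipart form fields.

    form_fields maps a field name to the list of raw byte values received for it.
    """
    violations = []
    seen = set()
    items = [(name, value.encode(), "query")
             for name, value in parse_qsl(query, keep_blank_values=True)]
    for name, values in form_fields.items():
        for value in values:
            items.append((name, value, "form"))

    for name, value, loc in items:
        rule = policy.get(name)
        if rule is None:
            violations.append(f"Illegal parameter: {name}")
            continue
        if rule.location != "any" and rule.location != loc:
            violations.append(f"Illegal parameter location: {name} in {loc}")
        if not rule.allow_repeats and name in seen:
            violations.append(f"Illegal repeated parameter name: {name}")
        seen.add(name)
        if rule.max_len is not None and len(value) > rule.max_len:
            violations.append(f"Illegal parameter value length: {name}")
        if not rule.allow_empty and value == b"":
            violations.append(f"Illegal empty parameter value: {name}")
        if loc == "form" and b"\x00" in value:
            violations.append(f"Null in multi-part parameter value: {name}")
        if loc == "form" and value.startswith(EXECUTABLE_MAGIC):
            violations.append(f"Disallowed file upload content detected: {name}")
        if rule.server_value is not None and value != rule.server_value.encode():
            violations.append(f"Illegal dynamic parameter value: {name}")
    return violations


if __name__ == "__main__":
    # Constructed sample request: an undefined parameter plus a tampered dynamic one.
    for v in check_parameters("id=42&debug=on", {"csrf": [b"forged"]}):
        print(v)
```

Each violation is reported independently, so a single parameter can raise several (for example, a form value that is both too long and contains a null byte), which is what you want when tuning a policy from the violation log.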

Wildcard syntax

If you are creating parameters for your policy, the syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of parameters, file types, URLs, or cookies so that the entity name can match multiple objects.

Wildcard character   Matches
*                    All characters
?                    Any single character
[abcde]              Exactly one of the characters listed
[!abcde]             Any character not listed
[a-e]                Exactly one character in the range
[!a-e]               Any character not in the range
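As an added example (not F5 code), the translator below turns an entity name written with the six wildcard forms in the table into an anchored regular expression and tests a request parameter name against it. The function names wildcard_to_regex and matches are assumptions made here; Python's standard fnmatch module implements the same shell-style syntax, but a hand-written translation makes each table row's meaning visible.

```python
"""Shell-style wildcard matching for policy entity names (added example)."""
import re


def wildcard_to_regex(pattern: str) -> str:
    """Translate a wildcard entity name into a regex that must match the whole name."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":                      # all characters, including none
            out.append(".*")
        elif c == "?":                    # exactly one character
            out.append(".")
        elif c == "[":
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j] if j != -1 else ""
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            if j == -1 or body == "":     # no usable class: treat "[" literally
                out.append(r"\[")
            else:
                # Escape regex metacharacters inside the class but keep "-" so
                # [a-e] stays a range; "!" becomes the regex negation "^".
                body = body.replace("\\", r"\\").replace("]", r"\]").replace("^", r"\^")
                out.append(("[^" if negate else "[") + body + "]")
                i = j
        else:                             # any other character matches literally
            out.append(re.escape(c))
        i += 1
    # (?s) lets "*" span newlines too; \Z anchors the match at the end of the name.
    return "(?s:" + "".join(out) + r")\Z"


def matches(pattern: str, name: str) -> bool:
    """Return True if the parameter name matches the wildcard entity name."""
    return re.match(wildcard_to_regex(pattern), name) is not None


if __name__ == "__main__":
    # Constructed sample: which of these parameter names does "user_[!0-9]*" cover?
    for candidate in ("user_id", "user_1", "username"):
        print(candidate, matches("user_[!0-9]*", candidate))
```

Because the whole name must match, a wildcard entity such as user_* covers user_id but not username; use * on both sides when the entity should match a substring.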