Reference: Parameters
Parameters are an integral part of any web application, and they need to be protected so clients cannot access them, modify them, or view sensitive data. When you define parameters in a security policy, you increase the security of the web application and prevent web parameter tampering.
WAF evaluates parameters, meta characters, query string lengths, and POST data lengths as part of a positive security logic check. When the security policy includes known parameters, you are creating an allowlist of acceptable parameters. The system allows traffic that includes the parameters that you configure in a security policy.
Security policies can include parameters defined as global parameters or URL parameters. You can further specify parameters as being particular value types: static content, dynamic content, dynamic parameter name, user-input, JSON, or XML. You can also create parameters for which the system does not check or verify the value.
Parameter violations
Illegal parameter
The system checks that every parameter in the request is defined in the WAF policy.
Type: Input Violation
Attack Type: Abuse of Functionality
Severity: Error
Risk: Potential for illegal request payload for purposes of SQL injection and XSS. This can also put the application at risk for forceful browsing and privilege escalation.
Examples: The request includes a special or secret parameter that could trigger hidden activity in the application, for example, sending the parameter mode=admin or debug=on.
Illegal parameter location
The parameter’s location in the request was found in a location different from the location specified in the WAF policy.
Type: Input Violation
Attack Type: Abuse of Functionality
Severity: Informational
Risk: Potential for forceful browsing and application error disclosure.
Illegal parameter value length
The system checks if the parameter’s length (in bytes) matches the value limits defined in the policy.
Type: Input Violation
Attack Type: Abuse of Functionality
Severity: Error
Risk: An illegal parameter length can indicate buffer overflow and DoS attacks.
Examples: A request with input parameter values that are larger than expected can lead to application vulnerability.
Disallowed file upload content detected
The request contains file upload content that is in binary executable file format.
Type: Input Violation
Attack Type: Parameter tampering
Severity: Error
Risk: An attempt to upload an executable file may be an indication of a Trojan, virus, backdoor/shell attack, or other methods to compromise a server.
Examples: An upload of malicious code to the server allows the attacker to gain remote access to the server or spread malware to application users.
Illegal empty parameter value
The request contains a parameter with a value that is empty when it must contain a value.
Type: Input Violation
Attack Type: Abuse of Functionality
Severity: Error
Risk: An illegal value for a user-input parameter can allow manipulation of the application's logic and functionality.
Illegal repeated parameter name
The system detected multiple parameters of the same name in a single HTTP request.
Type: Input Violation
Attack Type: Detection evasion
Severity: Informational
Risk: Can lead to execution of arbitrary code, SQLi, XSS, RFI (remote file inclusion), and other attacks.
Null in multi-part parameter value
The multi-part request had a parameter value that contains a null character.
Type: Input Violation
Attack Type: Buffer overflow
Severity: Error
Illegal dynamic parameter value
The parameter value is not equal to the value set by the server.
Type: Input Violation
Attack Type: Parameter tampering
Severity: Error
Risk: Can lead to hidden field manipulation, parameter tampering, and illegal alteration of the parameter value.
Wildcard syntax
If you are creating parameters for your policy, the syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of parameters, file types, URLs, or cookies so that the entity name can match multiple objects.

| Wildcard Character | Matches |
|---|---|
| * | All characters |
| ? | Any single character |
| [abcde] | Exactly one of the characters listed |
| [!abcde] | Any character not listed |
| [a-e] | Exactly one character in the range |
| [!a-e] | Any character not in the range |
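The following is an added example, not code from this reference page or from the WAF product it documents: a minimal positive-security parameter check that applies the violations listed above (illegal parameter, location, value length, empty value, null character, dynamic value, repeated name) over an allowlist whose parameter names use the shell-style wildcard syntax from the table. The policy entries, parameter names and request strings are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import parse_qsl

# Hypothetical allowlist: name pattern (shell-style wildcards, matched with
# fnmatch, which supports *, ?, [abc], [!abc] and ranges), the location the
# parameter is allowed in, its maximum value length in bytes, whether an empty
# value is acceptable, and the server-set value for a dynamic parameter
# (None means the parameter is not dynamic).
POLICY = [
    {"name": "user_*",     "location": "query", "max_len": 32, "allow_empty": False, "expected": None},
    {"name": "page",       "location": "query", "max_len": 4,  "allow_empty": False, "expected": None},
    {"name": "csrf_token", "location": "body",  "max_len": 64, "allow_empty": False, "expected": "t0k3n"},
]

def find_rule(name):
    """Return the first policy entry whose wildcard pattern matches the name."""
    for rule in POLICY:
        if fnmatchcase(name, rule["name"]):
            return rule
    return None

def check_params(query, body):
    """Return the violations raised by a request's raw query string and its
    application/x-www-form-urlencoded body (the null-byte check is applied to
    these decoded values rather than to a multi-part body for simplicity)."""
    violations = []
    seen = {}
    for location, raw in (("query", query), ("body", body)):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            rule = find_rule(name)
            if rule is None:                       # not on the allowlist
                violations.append(f"Illegal parameter: {name}")
                continue
            if rule["location"] != location:
                violations.append(f"Illegal parameter location: {name}")
            if len(value.encode()) > rule["max_len"]:
                violations.append(f"Illegal parameter value length: {name}")
            if value == "" and not rule["allow_empty"]:
                violations.append(f"Illegal empty parameter value: {name}")
            if "\x00" in value:                    # %00 decodes to a NUL byte
                violations.append(f"Null in parameter value: {name}")
            if rule["expected"] is not None and value != rule["expected"]:
                violations.append(f"Illegal dynamic parameter value: {name}")
            seen[name] = seen.get(name, 0) + 1
    violations += [f"Illegal repeated parameter name: {n}"
                   for n, count in seen.items() if count > 1]
    return violations
```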