Reference: URL Enforcement

In a security policy, you can manually specify the HTTP URLs that are allowed in traffic to the web application being protected.

For more information about managing policy URLs, see Manage URLs.

For more information about allowed URLs, see Overview: URLs.

Allowed URL settings

See Reference: Violation Protection for information about template default settings.

Illegal URL

The WAF policy verifies that the requested URL is configured as a valid URL, or not configured as an invalid URL according to the security policy.

Violation Details

Type: Access Violation

Attack Type: Forceful Browsing

Severity: Error

Risk: Illegal URLs can indicate forceful browsing, create a predictable resource location vulnerability, and expose URLs that are sensitive or should not be exposed.

Examples: Allowing only valid URLs prevents access to web pages that are not part of the public site, such as an administrative interface that holds sensitive information.

Illegal meta character in URL

The WAF policy verifies that the URL in the incoming request contains only meta characters that the security policy defines as allowed. This enforces a defined set of acceptable characters, which you can customize in the WAF policy.

Violation Details

Type: Access Violation

Attack Type: Abuse of Functionality

Severity: Error

Risk: Meta characters can be used to execute attacks such as XSS, SQL injection, and common injection attacks.

Examples: The policy blocks the character '<', which is used in XSS attacks.

Wildcard syntax

If you are adding URLs to your policy, the syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of URLs, file types, parameters, or cookies so that the entity name can match multiple objects.

Wildcard Character   Matches
*                    All characters
?                    Any single character
[abcde]              Exactly one of the characters listed
[!abcde]             Any character not listed
[a-e]                Exactly one character in the range
[!a-e]               Any character not in the range
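As an added illustration that is not part of this reference page or the product's own code, the following Python applies the wildcard table above to the two checks described earlier (Illegal URL and Illegal meta character in URL) for a request path. It uses Python's fnmatch module, whose shell-style wildcards use the same *, ?, [...] and [!...] forms; the allowed URL patterns and the allowed meta character set are constructed sample policy values.

```python
import fnmatch

# Constructed sample policy (not the product's configuration format).
# Allowed URL patterns use the shell-style wildcards from the table above.
ALLOWED_URLS = [
    "/",
    "/index.html",
    "/products/*",                 # '*' matches all characters, including '/'
    "/reports/report_[0-9].pdf",   # exactly one digit in the range 0-9
    "/img/[!.]*",                  # first character after /img/ must not be '.'
]

# Non-alphanumeric characters the sample policy allows in a URL; anything
# else that is not a letter or digit is treated as an illegal meta character.
ALLOWED_META_CHARS = set("/._-")


def url_allowed(path, patterns=ALLOWED_URLS):
    """True if the request path matches any allowed URL pattern (case-sensitive)."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in patterns)


def illegal_meta_chars(path, allowed=ALLOWED_META_CHARS):
    """Return the set of characters in path that are neither alphanumeric nor allowed."""
    return {c for c in path if not c.isalnum() and c not in allowed}


def check_request(path):
    """Return the names of the violations raised for a request path, in policy order."""
    violations = []
    if not url_allowed(path):
        violations.append("Illegal URL")
    if illegal_meta_chars(path):
        violations.append("Illegal meta character in URL")
    return violations


if __name__ == "__main__":
    # Constructed sample request paths.
    for sample in ["/products/widgets/42", "/admin/config",
                   "/reports/report_7.pdf", "/img/.htaccess",
                   "/search?q=<script>"]:
        print(f"{sample!r}: {check_request(sample) or 'allowed'}")
```

Note that fnmatch's `*` crosses `/`, matching the table's "All characters"; a policy that needs a path segment to stay within one directory must use `[!/]` ranges instead.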