Last updated on: 2023-03-19 09:20:47.

Evasion Techniques Sub-Violations Description

| Sub-Violation Name | Description |
|---|---|
| Trailing slash | The system checks that the URL does not end with a slash. The trailing slash is removed as part of URL normalization only if this sub-violation is enabled or learned. |
| Trailing dot | The system checks that there is no trailing dot in the URL. The trailing dot is removed as part of URL normalization only if this sub-violation is enabled or learned. |
| Semicolon path parameters | The system checks that there is no unencoded ‘;’ (semicolon) in the URL. |
| Bad unescape | The system detects illegal HEX encoding. Reports unescaping errors (such as `%RR`). |
| Apache whitespace | The system detects the following characters in the URI: 9 (0x09), 11 (0x0B), 12 (0x0C), and 13 (0x0D). |
| Bare byte decoding | The system detects higher ASCII bytes (greater than 127). |
| IIS Unicode codepoints | Handles the mapping of IIS-specific non-ASCII codepoints. Indicates that, when a character is greater than ‘0x00FF’, the system decodes `%u` according to an ANSI Latin 1 (Windows 1252) code page mapping. For example, the system turns `a%u2044b` to `a/b`. The system performs this action on URI and parameter input. |
| IIS backslashes | Normalizes backslashes (`\`) to slashes (`/`) for further processing. |
| %u decoding | Performs Microsoft `%u` Unicode decoding (`%UXXXX` where X is a hexadecimal digit). For example, the system turns `a%u002fb` to `a/b`. The system performs this action on URI and parameter input to evaluate if the request contains an attack. |
| Multiple decoding | The system decodes URI and parameter values multiple times according to the number specified before the request is considered an evasion. |
| Directory traversals | Ensures that directory traversal commands like `../` are not part of the URL. While requests generated by a browser should not contain directory traversal instructions, sometimes requests generated by JavaScript have them. |
| Multiple slashes | The system checks that there is no more than one slash between URL segments. |
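
The checks in the table can be approximated in a short normalizer, shown here as an added example that is not the product's implementation. The names `decode_once`, `detect_evasions` and `max_passes` are hypothetical; the sketch assumes "Multiple decoding" fires once the number of decoding passes reaches `max_passes`, exempts the root path `/` from "Trailing slash", and maps only the one best-fit codepoint the table mentions.

```python
import re

# %uXXXX (Microsoft) or %XX escapes; any other text after '%' is a bad escape.
PCT = re.compile(r"%(?:[uU]([0-9a-fA-F]{4})|([0-9a-fA-F]{2}))")
BAD_PCT = re.compile(r"%(?![uU][0-9a-fA-F]{4}|[0-9a-fA-F]{2})")
# Assumption: only the mapping the table gives (%u2044 -> '/'); real tables are larger.
BEST_FIT = {0x2044: "/"}

def decode_once(s):
    """Apply exactly one pass of %XX / %uXXXX decoding."""
    def repl(m):
        cp = int(m.group(1) or m.group(2), 16)
        return BEST_FIT.get(cp, chr(cp))
    return PCT.sub(repl, s)

def detect_evasions(path, max_passes=2):
    """Return (set of sub-violation names, normalized path) for a raw URL path."""
    u_escapes = [int(m.group(1), 16) for m in PCT.finditer(path) if m.group(1)]
    # Decode to a fixed point; each changing pass shortens the string, so this ends.
    passes, cur = 0, path
    while (nxt := decode_once(cur)) != cur:
        cur, passes = nxt, passes + 1
    norm = cur.replace("\\", "/")  # IIS backslash normalization
    checks = [
        # evaluated on the raw path as received
        (BAD_PCT.search(path), "Bad unescape"),
        (u_escapes, "%u decoding"),
        (any(cp > 0xFF for cp in u_escapes), "IIS Unicode codepoints"),
        (any(ord(c) > 127 for c in path), "Bare byte decoding"),
        (";" in path, "Semicolon path parameters"),
        (passes >= max_passes, "Multiple decoding"),  # assumed threshold semantics
        # evaluated on the fully decoded value
        (any(c in cur for c in "\t\x0b\x0c\r"), "Apache whitespace"),
        ("\\" in cur, "IIS backslashes"),
        ("//" in norm, "Multiple slashes"),
        (".." in norm.split("/"), "Directory traversals"),
        (len(norm) > 1 and norm.endswith("/"), "Trailing slash"),
        (norm.endswith("."), "Trailing dot"),
    ]
    return {name for hit, name in checks if hit}, norm

# Constructed sample paths (not taken from any real log).
SAMPLES = ["/index.html", "/a%u2044b", "/app/%252e%252e%255cconf", "/img//logo.png%RR"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", detect_evasions(p))
```

The third sample shows why the order matters: the traversal and the backslash only become visible after two decoding passes, so a check run on the raw path alone would miss both.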