During Phase 1, policies are tuned again, and Blocking Mode is enabled for the following baseline policy elements by default:
• RFC Violations
    • General HTTP RFC Compliance Checks
        • Cookie not RFC-compliant
        • Evasion technique detected
            • Directory traversals
            • %u decoding
            • IIS backslashes
            • IIS Unicode codepoints
            • Bare byte decoding
            • Apache whitespace
            • Bad unescape
        • HTTP protocol compliance failed
            • Several Content-Length headers
            • Chunked request with Content-Length header
            • Bad multipart parameters parsing
            • No Host header in HTTP/1.1 request
            • CRLF characters before request start
            • Host header contains IP address
            • Content length should be a positive number
            • Bad HTTP version
            • Check maximum number of headers
            • Bad host header value
            • Check maximum number of parameters
            • Mandatory HTTP header is missing
• Input Violations
    • Illegal method
    • Request length exceeds defined buffer size
    • Failed to convert character
    • Illegal static parameter value
• Additional Blocking Elements
    • Illegal URL
    • Illegal HTTP status in response
    • Modified ASM cookie
• Negative Security Signatures
    • Abuse of Functionality
    • Authentication/Authorisation Attacks
    • Buffer Overflow
    • Command Execution
    • Cross Site Scripting
    • Denial of Service
    • Detection Evasion
    • Directory Indexing
    • HTTP Response Splitting
    • Information Leakage
    • LDAP Injection
    • Non-browser Client
    • Other Application Attacks
    • Path Traversal
    • Predictable Resource Location
    • Remote File Include
    • SQL Injection
    • Server Side Code Injection
    • Trojan/Backdoor/Spyware
    • Vulnerability Scan
    • XPath Injection
Having analysed logs from test traffic, policies are optimised, false positives are tuned out, and the above blocking elements are enabled within each policy.
During this process, if any blocking elements are identified which present undue risk to application service, a risk assessment is made with respect to known vulnerabilities, and some elements may be excluded from blocking during this phase. Any design decisions involving risk to security or application service are discussed with the customer.
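To make concrete what several of the "HTTP protocol compliance failed" checks listed above actually test for, here is an added, constructed Python checker that flags a raw request head against those checks. It is not F5's code; the maximum header count and the set of accepted HTTP versions are assumptions, and the Content-Length rule is read as "numeric and not negative".

```python
import re
from typing import List

# Assumed limit for "Check maximum number of headers" (ASM's default differs per policy).
MAX_HEADERS = 20
# Assumed set of acceptable versions for "Bad HTTP version".
VERSION_RE = re.compile(r"^HTTP/(0\.9|1\.0|1\.1|2)$")
# Literal IPv4 host, optionally with a port, for "Host header contains IP address".
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")


def http_compliance_violations(raw: bytes) -> List[str]:
    """Return the names of the compliance checks this request head fails."""
    violations: List[str] = []
    text = raw.decode("latin-1")
    if text.startswith(("\r\n", "\n")):
        violations.append("CRLF characters before request start")
        text = text.lstrip("\r\n")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    version = parts[2] if len(parts) == 3 else ""
    if not VERSION_RE.match(version):
        violations.append("Bad HTTP version")
    # Collect headers as (lower-cased name, value); malformed lines are ignored here.
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    if len(headers) > MAX_HEADERS:
        violations.append("Check maximum number of headers")
    hosts = [v for n, v in headers if n == "host"]
    if version == "HTTP/1.1" and not hosts:
        violations.append("No Host header in HTTP/1.1 request")
    if any(IPV4_RE.match(h) for h in hosts):
        violations.append("Host header contains IP address")
    lengths = [v for n, v in headers if n == "content-length"]
    if len(lengths) > 1:
        violations.append("Several Content-Length headers")
    # "-5", "abc" and "" all fail; "0" is accepted.
    if any(not v.isdigit() for v in lengths):
        violations.append("Content length should be a positive number")
    encodings = [v.lower() for n, v in headers if n == "transfer-encoding"]
    if lengths and any("chunked" in v for v in encodings):
        violations.append("Chunked request with Content-Length header")
    return violations
```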