Manual Chapter : Securing Web Applications Created with Google Web Toolkit

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.0.0
Manual Chapter

Securing Web Applications Created with Google Web Toolkit

Overview: Securing Java web applications created with Google Web Toolkit elements

Google Web Toolkit (GWT)
is a Java framework that is used to create AJAX applications. When you add GWT enforcement to a security policy, the Security Enforcer can detect malformed GWT data, request payloads and parameter values that exceed length limits, attack signatures, and illegal meta characters in parameter values. This implementation describes how to add GWT support to an existing security policy for a Java web application created with GWT elements.

Task summary

Creating a Google Web Toolkit profile

Before you can begin this task, you need to create a security policy for the web application that you are creating using Google Web Toolkit (GWT).
A GWT profile defines what the security policy enforces and considers legal when it detects traffic that contains GWT data.
The system supports GWT in UTF-8 and UTF-16 encoding.
  1. On the Main tab, click
    Security
    Application Security
    Content Profiles
    GWT Profiles
    .
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Click
    Create
    .
    The Create New GWT Profile screen opens.
  4. Type a name and optional description for the profile.
  5. For the
    Maximum Total Length of GWT Data
    setting, specify the maximum byte length for the request payload or parameter value that contains GWT data.
    The default is
    10000
    bytes.
    Any
    Specifies that there are no length restrictions.
    Length
    Specifies, in bytes, the maximum data length that is acceptable.
  6. For the
    Maximum Value Length
    setting, specify the longest acceptable value for a GWT element that occurs in a document that the security policy allows.
    The default is
    100
    bytes.
    Any
    Specifies that there are no length restrictions.
    Length
    Specifies, in bytes, the maximum acceptable length.
  7. Clear the
    Tolerate GWT Parsing Warnings
    check box if you want the system to report warnings about parsing errors in GWT content.
  8. To change the security policy settings for specific attack signatures for this GWT profile, from the
    Global Security Policy Settings
    list, select the attack signatures and then move them into the
    Overridden Security Policy Settings
    list.
    If no attack signatures are listed in the
    Global Security Policy Settings
    list, create the profile, update the attack signatures, then edit the profile.
  9. In the
    Overridden Security Policy Settings
    list, enable or disable each attack signature as needed:
    Enabled
    Enforces the attack signature for this GWT profile, although the signature might be disabled in general. The system reports the Attack Signature Detected violation when the GWT data in a request matches the attack signature.
    Disabled
    Deactivates the attack signature for this GWT profile, although the signature might be enabled in general.
  10. To allow or disallow specific meta characters in GWT data (and thus override the global meta character settings), click the Value Meta Characters tab.
    1. Select the
      Check characters
      check box, if it is not already selected.
    2. Move any meta characters that you want allow or disallow from the
      Global Security Policy Settings
      list into the
      Overridden Security Policy Settings
      list.
    3. In the
      Overridden Security Policy Settings
      list, change the meta character state to
      Allow
      or
      Disallow
      .
  11. Click
    Create
    .
    The system creates the profile and displays it in the GWT Profiles list.
The security policy does not enforce the GWT profile settings until you associate the GWT profile with any URLs that might include GWT data.

Associating a Google Web Toolkit profile with a URL

Before you can associate a Google Web Toolkit (GWT) profile with a URL, you need to create a security policy with policy elements, including application URLs and the GWT profile.
When you associate a GWT profile with a URL in a security policy, the Security Enforcer can apply specific GWT checks to the associated requests.
  1. On the Main tab, click
    Security
    Application Security
    URLs
    .
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. In the Allowed URLs List area, click the name of a URL that might contain GWT data.
    The Allowed URL Properties screen opens.
  4. From the
    Allowed URL Properties
    list, select
    Advanced
    .
  5. For the
    Header-Based Content Profiles
    setting, specify the characteristics of the traffic to which the GWT profile applies.
    1. In the
      Request Header Name
      field, type the explicit string or header name that defines when the request is treated as the
      Parsed As
      type; for example,
      Content-Type
      .
      This field is not case-sensitive.
    2. In the
      Request Header Value
      field, type a wildcard character (including *, ?, or [chars]) for the header value; for example,
      *gwt*
      .
      This field is case-sensitive.
    3. For the
      Parsed As
      setting, select
      GWT
      .
    4. For the
      Profile Name
      setting, select the GWT profile that you created from the list.
    5. Click
      Add
      .
      The system adds the header and profile information to the list.
  6. If you have multiple headers and profiles defined, you can adjust the order of processing.
  7. Click
    Update
    .
  8. To put the security policy changes into effect immediately, click
    Apply Policy
    .
When the system receives traffic that contains the specified URLs, the Security Enforcer applies the checks you established in the GWT profile, and takes action according to the corresponding blocking policy.

Implementation result

You have now added Google Web Toolkit (GWT) support to a security policy. When the Security Enforcer detects GWT traffic that matches the URLs defined in the security policy, the selected parameters are enforced as you have indicated.