Manual Chapter : Configuring data manipulation detection on a URL or view

Applies To:

Show Versions Show Versions
Manual Chapter

Configuring data manipulation detection on a URL or view

Configure data manipulation detection on a URL or view according to content type of the HTTP request:
  • If the URL or view sends or receives HTTP requests that are URL-encoded, configure parameters for the data manipulation detection to determine if parameter values were changed by malware after they left the user's web browser for the server.
  • If the URL or view sends or receives HTTP request that are not URL-encoded, enable data manipulation detection on the Ajax payload of the URL or view to determine if there is a difference between the actual value of the Ajax payload sent by the client's browser and the expected value of the Ajax payload.
  1. On the Main tab, click
    Security
    Fraud Protection Service
    Anti-Fraud Profiles
    .
    The Anti-Fraud Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The Anti-Fraud Profile Properties screen opens.
  3. In the Anti-Fraud Configuration area, click
    URL List
    .
    The URL List opens.
  4. Click the URL or view on which you want to configure the data manipulation check.
    The URL Properties (or View Properties) screen opens.
  5. In the URL Configuration (or View Configuration) area, select
    Automatic Transactions
    .
    The Automatic Transactions configuration options appear.
  6. Ensure that the
    Enabled
    check box for
    Automatic Transactions
    is selected.
  7. For
    Check AJAX Payload for Data Manipulation
    , selected the
    Enabled
    check box if you want the system to determine if data manipulation occurred on the complete payload of all AJAX requests.
    • If you enable
      Check AJAX Payload for Data Manipulation
      , the setting
      Send Payload in Alerts
      appears. Select the
      Enabled
      check box for this setting if you want the actual AJAX payload to be attached to data manipulation alerts.
  8. For
    Enhanced Data Manipulation Check
    , select the
    Enabled
    check box if you want the system to detect data manipulation in real-time (while the user is actually entering data in an input field in the web page).
  9. If the URL or view sends or receives only HTTP requests that are not URL-encoded and you did not enable
    Enhanced Data Manipulation Check
    , click
    Save
    to complete the configuration and do not perform the following steps.
    Otherwise, perform the following steps.
  10. In the URL Configuration (or View Configuration) area, select
    Parameters
    .
    The Parameters list is displayed.
  11. Click the
    Add
    button.
    The Parameter Settings screen opens.
  12. In the
    Parameter Name
    field, choose one of the following types for the parameter name:
    • Explicit
      : Assign a specific parameter name.
    • Wildcard
      : Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression
      *
      specifies that any parameter name is allowed.
    1. If you chose
      Explicit
      , type the parameter name.
    2. If you chose
      Wildcard
      , type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character
      Matches
      *
      All characters
      ?
      Any single character
      [abcde]
      Exactly one of the characters listed
      [!abcde]
      Any character not listed
      [a-e]
      Exactly one character in the range
      [!a-e]
      Any character not in the range
      If a wildcard character is actually used as part of a parameter name and you don't want it to be treated as a wildcard character, use
      \
      and then the character to indicate that it should not be used as a wildcard character.
      A regular expression should not be used as part of the wildcard expression for a parameter name.
  13. If you enabled
    Check AJAX Payload for Data Manipulation
    , in the
    Name in Request
    text box, type a mapping key for the parameter that is sent from the client to the server.
    For example, if you have a single page application form with an input field
    name
    ,
    ID
    , or
    Selector
    called
    A
    and you want to send it in the
    B
    key in the payload, type
    B
    in this text box.
    If the input field
    name
    ,
    ID
    , or
    Selector
    in the HTML of your web page has the same
    name
    ,
    ID
    , or
    Selector
    as the key in the payload, you do not need to type a mapping key in this text box.
  14. In the Automatic Transactions section, select the
    Check Data Manipulation
    check box.
    This attribute cannot be enabled on a parameter that already has the
    Substitute Value
    attribute.
  15. Select the
    Send in Alerts
    check box if you want to include the value of the parameter in the information sent in alerts.
  16. Click
    Create
    .
    The parameter settings are saved.
  17. Repeat steps 11-16 for every parameter you want the system to check for data manipulation.
  18. If you enabled
    Enhanced Data Manipulation Check
    and you have certain JavaScript functions that you want to permit modifying parameter values when the user enters data in the web page, do the following:
    1. In the URL/View Properties screen, click
      Advanced
      .
      The Advanced Automatic Transactions settings appear.
    2. At
      Enhanced Data Manipulation Functions Whitelist
      , add the JavaScript functions that can modify parameter values.
  19. Click
    Save
    in the URL Properties (or View Properties) screen.
    The configuration settings for the URL or view are saved and the Anti-Fraud Profile Properties screen opens.
The BIG-IP system is now set to detect data manipulation on the URL or view, and sends an alert to the FPS Dashboard if such activity is detected.