Manual Chapter :
Adding Entities to a Security Policy
Applies To:
Show VersionsBIG-IP ASM
- 17.0.0
Adding Entities to a Security Policy
Adding File Types to a Security Policy
About adding file
types
In a security policy, you can manually specify the file types that are
allowed (or disallowed) in traffic to the web application being protected. This is only if you
are not using the recommended automatic policy building. When you are using automatic policy
building, Application Security Manager™ determines which
file types to add, based on legitimate traffic.
When you create a security policy, a wildcard file type of *, representing
all file types, is added to the file type list. If
Learn New File Types
is set to Compact
, Always
or
Selective
then, during the enforcement
readiness period, the system examines the file types in the traffic and makes learning
suggestions that you can review and add the file types to the policy as needed. This way, the
security policy includes the file types that are typically used. If Learn New File Types
is set to Always
, when you think all the file types are
included in the security policy, you can remove the * wildcard from the allowed file types list.
. If Learn New File Types
is set to
Compact
, Selective
or Never
, the * wildcard is designed to stay in the
policy and represent all file types that are not listed in Allowed File Types
.Adding allowed file
types
You can manually add allowed file types, which are
file types that the security policy accepts in traffic to the web application being
protected.
- On the Main tab, click.The Allowed File Types screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The Add Allowed File Type screen opens.
- ForFile Type, choose a type:OptionDescriptionExplicitSpecifies a unique file type, such as JPG or HTML. Type the file type (from 1 to 255 characters) in the adjacent box.No ExtensionSpecifies that the web application has a URL with no file type. The system automatically assigns this file type the nameno_ext. The slash character (/) is an example of ano_extfile type.WildcardSpecifies that the file type is a wildcard expression. Any file type that matches the wildcard expression is considered legal. The pure wildcard (*) is automatically added to the security policy so you do not need to add it. But you can add other wildcards such ashtm*. Type a wildcard expression in the adjacent box.
- For the length settings, adjust the values as needed. This is optional.OptionSpecifiesURL LengthThe maximum acceptable length, in bytes, for a URL in the context of an HTTP request containing this file type. The default is100bytes.Request LengthThe maximum acceptable length, in bytes, for the whole HTTP request that applies to this file type. The default is5000bytes.Query String LengthThe maximum acceptable length, in bytes, for the query string portion of a URL that contains the file type. The default is1000bytes.POST Data LengthThe maximum acceptable length, in bytes, for the POST data of an HTTP request that contains the file type. The default is1000bytes
- By default, thePerform Stagingcheck box is selected. We recommend that you keep it selected.
- If you want the system to validate responses for this file type, select theApply Response Signaturescheck box.Selecting this option enables attack signatures (that are designed to inspect server responses) to filter responses.
- ClickCreate.The Allowed File Types screen opens and lists the new file type.
- To put the security policy changes into effect immediately, clickApply Policy.
The security policy allows the file type that you added. If the file type is in
staging, the system informs you when learning suggestions are available or when it is
ready to be enforced.
Wildcard syntax
The syntax for wildcard entities is based on shell-style wildcard characters. This
table lists the wildcard characters that you can use in the names of file types, URLs,
parameters, or cookies so that the entity name can match multiple objects.
Wildcard Character |
Matches |
---|---|
* |
All characters |
? |
Any single character |
[abcde] |
Exactly one of the characters listed |
[!abcde] |
Any character not listed |
[a-e] |
Exactly one character in the range |
[!a-e] |
Any character not in the range |
Adding disallowed
file types
For some web applications, you may want to deny
requests for certain file types. In this case, you can create a set of disallowed file
types. Adding disallowed file types is useful for file types that you know should never
appear on your site (such as
.exe
files), or for files on your site that you never want users from the
outside to reach (such as .bak
files).Note that in the Learning and Blocking Settings, when
Learn New File Types
is set to Compact
or
Always
, the system
automatically adds the following disallowed file types:- Server side technologies or source code: php, aspx, ashx, jsp, lua, cgi, do, java, py, pl
- Certificate files: pem, crt, cer, key, der, p7b, p7c, pfx, p12
- Backup files: bak, bkp, bck, old, tmp, temp, sav, save
- Configuration files: ini, conf, reg, cfg, config,
- Data files: dat, eml, log, exe1, hta, htr, htw, ida, idc, idq, nws, pol, printer, shtm, shtml, stm, wmz
- Executable files: exe, msi, bin, cmd, com, bat, dll, sys
- On the Main tab, click.The Disallowed File Types screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Disallowed File Type screen opens.
- In theFile Type (Explicit only)field, type the file type that the security policy does not allow (for example,jpgorexe).File types are case-sensitive unless you clearedSecurity Policy is case sensitivewhen you created the policy.
- ClickCreate.The Disallowed File Types screen opens and lists the new file type.
- To put the security policy changes into effect immediately, clickApply Policy.
The system categorizes both disallowed file types, and requested file types not
configured in the security policy as illegal file types. When the Application Security
Manager receives a request with a disallowed file type, the system ignores, learns,
logs, or blocks the request depending on the settings you configure for the
Illegal File Type
violation on the Learning
and Blocking Settings screen. Adding potential
disallowed file types
Potential disallowed file types
are candidates for
addition to the Disallowed File Types list in a security policy. These file types might
occur in malicious requests such as information leakage, remote code execution, and
other attacks. Potential disallowed file types are applied globally to all traffic while
disallowed files types are configured per security policy. You must accept each
potential disallowed file type suggestion manually while the system automatically
enforces all Disallowed File Types suggestions automatically.- On the Main tab, click.
- ClickCreate.The New Potential Disallowed File Type properties screen opens.
- In theFile Type (Explicit only)field, type the potentially malicious file type to add.
- ClickCreate.The Potential Disallowed File Types screen opens and lists the new file type asYesin the User-defined column.
The system automatically checks all traffic for all policies against this list. If a
potential disallowed file type is not observed in traffic, the Policy Builder generates
a suggestion to tighten the policy by adding the potential disallowed file type to the
Disallowed File Types list. If a disallowed file type is later observed in traffic, the
Policy Builder generates a suggestion to remove the disallowed file type from the
policy.
You must manually accept all suggestions to remove a file type from the Disallowed
File Types list. Policy Builder does not automatically implement the suggestion.
Adding Parameters to a Security Policy
About adding parameters to a security policy
Parameters are an integral part of any web application, and they need to be protected so
clients cannot access them, modify them, or view sensitive data. When you define parameters in a
security policy, you increase the security of the web application and prevent web parameter
tampering.
Application Security Manager™ evaluates parameters, meta characters, query
string lengths, and POST data lengths as part of a positive security logic check. When the
security policy includes known parameters, you are creating a whitelist of acceptable parameters.
The system allows traffic that includes the parameters that you configure in a security
policy.
Security policies can include parameters defined as global parameters, URL parameters, and flow
parameters. You can further specify parameters as being particular value types: static content,
dynamic content, dynamic parameter name, user-input, JSON, or XML. You can also create parameters
for which the system does not check or verify the value.
Creating global parameters
Global parameters
are parameters that are not associated with specific
URLs or application flows. The advantage of using global parameters is that you can
configure a global parameter once, and the system enforces the parameter wherever it
occurs. You create a global parameter to address these conditions:- The web application has a parameter that appears in several URLs or flows.
- You want the Application Security Manager to enforce the same parameter attributes on all parameters.
- On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The Add Parameter screen opens.
- In the Create New Parameter area, for theParameter Namesetting, specify the type of parameter you want to create.
- To create a named parameter, selectExplicit, then type the name.
- To use pattern matching, selectWildcard, then type a wildcard expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
- To create an unnamed parameter, selectNo Name. The system creates a parameter with the label,UNNAMED.
- For theParameter Levelsetting, selectGlobal.The parameter can occur anywhere and is not associated with a specific URL or flow.
- Leave thePerform Stagingcheck box selected if you want the system to evaluate traffic before enforcing this parameter.Staging helps reduce the occurrence of false positives.
- Specify whether the parameter requires a value:
- If the parameter is acceptable without a value, leave theAllow Empty Valuesetting enabled.
- If the parameter must always include a value, clear theAllow Empty Valuecheck box.
- To allow users to send a request that contains multiple parameters with the same name, select theAllow Repeated Occurrencescheck box.Before enabling this check box, consider that requests containing multiple parameters of the same name could indicate an attack on the web application (HTTP Parameter Pollution).
- If you want to treat the parameter you are creating as a sensitive parameter (data not visible in logs or the user interface), enable theMask Value in Logssetting.
- For theParameter Value Typesetting, select the format of the parameter value.Depending on the value type you select, the screen refreshes to display additional configuration options.
- ClickCreateto add the new parameter to the security policy.
- To put the security policy changes into effect immediately, clickApply Policy.
When you first create a global parameter, the system places the parameter in staging
by default and does not block requests even if a violation occurs and the system is
configured to block the violation. The system makes learning suggestions that you can
accept or clear.
Creating URL parameters
URL parameters
are parameters that are defined in the context of a
URL. You can use a URL parameter when it does not matter where users were before they
accessed this URL, or whether the parameter was in a GET or POST request. You can create
a parameter that goes with a URL that already exists in the security policy. - On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The Add Parameter screen opens.
- In the Create New Parameter area, for theParameter Namesetting, specify the type of parameter you want to create.
- To create a named parameter, selectExplicit, then type the name.
- To use pattern matching, selectWildcard, then type a wildcard expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
- To create an unnamed parameter, selectNo Name. The system creates a parameter with the label,UNNAMED.
- For theParameter Levelsetting, selectURL, then for theURL Pathsetting, select a protocol from the list, and then type the URL in this format:/url_name.ext.When you begin to type the URL, the system lists all URLs that include the character you typed, and you can select the URL from the list.
- Leave thePerform Stagingcheck box selected if you want the system to evaluate traffic before enforcing this parameter.Staging helps reduce the occurrence of false positives.
- Specify whether the parameter requires a value:
- If the parameter is acceptable without a value, leave theAllow Empty Valuesetting enabled.
- If the parameter must always include a value, clear theAllow Empty Valuecheck box.
- To allow users to send a request that contains multiple parameters with the same name, select theAllow Repeated Occurrencescheck box.Before enabling this check box, consider that requests containing multiple parameters of the same name could indicate an attack on the web application (HTTP Parameter Pollution).
- If you want to treat the parameter you are creating as a sensitive parameter (data not visible in logs or the user interface), enable theMask Value in Logssetting.
- For theParameter Value Typesetting, select the format of the parameter value.Depending on the value type you select, the screen refreshes to display additional configuration options.
- ClickCreateto add the new parameter to the security policy.
- To put the security policy changes into effect immediately, clickApply Policy.
When you define a URL parameter, the system applies the security policy to the
parameter attributes in the context of the associated URL, and ignores the flow
information. When you first create a URL parameter, the system places the parameter in
staging by default and does not block requests even if a violation occurs and the system
is configured to block the violation. The system makes learning suggestions that you can
accept or clear.
Creating flow parameters
Before you can create a flow parameter, you need to first have created the flow to
which the parameter applies. If the source URL is a referrer URL, that HTTP URL must
already be defined in the security policy as well.
You define parameters in the context of a flow when it is important to enforce that
the target HTTP URL receives a parameter only from a specific referrer URL. Flow
parameters provide very tight, flow-specific security for web applications. With this
increased protection comes an increase in maintenance and configuration time. Note that
if your application uses dynamic parameters, you need to manually add those to the
security policy.
- On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The Add Parameter screen opens.
- In the Create New Parameter area, for theParameter Namesetting, specify the type of parameter you want to create.
- To create a named parameter, selectExplicit, then type the name.
- To use pattern matching, selectWildcard, then type a wildcard expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
- To create an unnamed parameter, selectNo Name. The system creates a parameter with the label,UNNAMED.
- In theParameter Levelsetting, selectFlow, and then forFrom URLdefine where the flow must come from:
- If the source URL is an entry point, clickEntry Point.
- If the source URL is a referrer URL (already defined in the policy), clickURL Path, select the protocol used for the URL, then type the referrer URL associated with the flow.
When you begin to type the URL, the system lists all referrer URLs that include the character you typed, and you can select the URL from the list. - In theParameter Levelsetting, forMethod, select the HTTP method (GETorPOST) that applies to the target referrer URL (already defined in the policy).
- In theParameter Levelsetting, forTo URL, select the protocol used for the URL, then type the target URL.
- Leave thePerform Stagingcheck box selected if you want the system to evaluate traffic before enforcing this parameter.Staging helps reduce the occurrence of false positives.
- If the parameter is required in the context of the flow, select theIs Mandatory Parametercheck box.Note that only flows can have mandatory parameters.
- Specify whether the parameter requires a value:
- If the parameter is acceptable without a value, leave theAllow Empty Valuesetting enabled.
- If the parameter must always include a value, clear theAllow Empty Valuecheck box.
- To allow users to send a request that contains multiple parameters with the same name, select theAllow Repeated Occurrencescheck box.Before enabling this check box, consider that requests containing multiple parameters of the same name could indicate an attack on the web application (HTTP Parameter Pollution).
- If you want to treat the parameter you are creating as a sensitive parameter (data not visible in logs or the user interface), enable theMask Value in Logssetting.
- For theParameter Value Typesetting, select the format of the parameter value.Depending on the value type you select, the screen refreshes to display additional configuration options.
- ClickCreateto add the new parameter to the security policy.
- To put the security policy changes into effect immediately, clickApply Policy.
When you create a parameter that is associated with a flow, the system verifies the
parameter in the context of the flow. For example, if you define a parameter in the
context of a GET request, and a client sends a POST request that contains the parameter,
the system generates an
Illegal Parameter
violation.Creating sensitive parameters
The Application Security Manager stores incoming requests in
plain text format. Some requests include sensitive data in parameters, such as an
account number, that you want to hide from system users. You can create sensitive
parameters as described in the procedure, following, or by enabling the
Sensitive Parameter
setting when creating or editing any
parameter. All parameters defined as sensitive, regardless of how you configured them,
appear in the Sensitive Parameters list. - On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Sensitive Parameter screen opens.
- In theParameter Namefield, type the name of the user-input parameter, exactly as it occurs in the HTTP request, for which you do not want the system to store the actual value.In this example,accountis the sensitive parameter:http://www.siterequest.com/bank.php?account=12345If a parameter of this name already exists in the security policy, click it in the parameter list, and enable theSensitive Parametersetting instead of creating a new sensitive parameter.
- ClickCreateto add the new parameter to the security policy.
- To put the security policy changes into effect immediately, clickApply Policy.
When you create sensitive parameters, the system replaces the sensitive data, in
the stored request and in logs, with asterisks (***).
Disallowing file uploads in parameters
Because most web applications do not legitimately allow users to upload executable code,
you can disallow parameters containing binary executable content. To do this, you add a
user-input parameter with the file upload data type to a security policy, and use the
option to prevent uploading of executable files. You can also specify a maximum length
for the parameter.
- On the Main tab, click.
- ClickCreate.The Add Parameter screen opens.
- Type the name for the new explicit parameter.
- For theParameter Levelsetting, select where in a request the parameter is located.GlobalThe parameter can occur anywhere and is not associated with a specific URL or flow.URLThe parameter occurs in the specific URL that you provide.FlowThe parameter occurs in the specific entry point URL or referrer URL that you provide.
- Leave thePerform Stagingcheck box selected if you want the system to evaluate traffic before enforcing this parameter.Staging helps reduce the occurrence of false positives.
- Specify whether the parameter requires a value:
- If the parameter is acceptable without a value, leave theAllow Empty Valuesetting enabled.
- If the parameter must always include a value, clear theAllow Empty Valuecheck box.
- To allow users to send a request that contains multiple parameters with the same name, select theAllow Repeated Occurrencescheck box.Before enabling this check box, consider that requests containing multiple parameters of the same name could indicate an attack on the web application (HTTP Parameter Pollution).
- For theParameter Value Typesetting, selectUser-input value.
- On the Data Type tab, for theData Typesetting, selectFile Upload.
- To enforce limits on the size of the parameter, in theMaximum Lengthsetting, selectValueand type the maximum number of bytes for a parameter value.
- Ensure thatDisallow File Upload of Executablesis selected.
- ClickCreate.The screen refreshes, and the new parameter appears in the parameters list.
- To put the security policy changes into effect immediately, clickApply Policy.
If a client sends an HTTP request that includes a user-input parameter containing a
binary executable file, the system issues the
Disallowed file upload content
detected
violation. This is considered parameter tampering
. If
the violation is set to block (it is, by default) and the enforcement mode is set to
blocking, the request is blocked. If a parameter in a request exceeds the maximum
length specified, the system presents an
Illegal parameter value length
violation
. By default it is set to alarm; that means if a request
triggers this violation, the system records the request in the Charts screen, the
Syslog (/var/log/asm
), and may record the request in the local
log (the Requests screen) and/or in a remote log, according to the logging profile.
Creating navigation parameters
If you want the security policy to differentiate between pages in the web
application that are generated by requests with the same URL name but with different
parameter and value pairs, and to build the appropriate flows, you must specify the
exact names of the parameters that trigger the creation of the pages in the web
application. These parameters are called
navigation parameters
. A
navigation parameter cannot be a wildcard. - On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Navigation Parameter screen opens.
- In theNavigation Parameterfield, type the name of the parameter passed to the web server for dynamic page-building purposes.
- ClickCreateto add the new parameter to the security policy.
- To put the security policy changes into effect immediately, clickApply Policy.
Creating parameters with dynamic content
Dynamic content value (DCV) parameters
are parameters where the web
application sets the value on the server side (so, for example, the content can change
depending on who the user is). When you create a DCV parameter, you also specify where
and how to get the dynamic information. For example, in an auction application, you can
configure the price parameter as a DCV parameter to keep users from tampering with the
price. You can also use DCV parameters for user identities in web applications that
use sessions. As an example, user identity is often passed between pages as a hidden
parameter, which could be exploited by malicious users, unless protected.
- On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The Add Parameter screen opens.
- In the Create New Parameter area, for theParameter Namesetting, specify the type of parameter you want to create.
- To create a named parameter, selectExplicit, then type the name.
- To use pattern matching, selectWildcard, then type a wildcard expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
- To create an unnamed parameter, selectNo Name. The system creates a parameter with the label,UNNAMED.
- For theParameter Levelsetting, select the appropriate type, typicallyGlobalorURL.
- For theParameter Value Typesetting, selectDynamic content value.
- ClickCreate.You should define the extractions for a DCV parameter before you apply the security policy that includes the parameters. Otherwise, the system warns you that the security policy contains dynamic parameters with no extractions defined.A popup screen opens asking if you want to define extractions.
- ClickOK.The Create New Extraction screen opens. TheNamefield shows the name of the parameter you created.
- From theExtracted Items Configurationlist, selectAdvanced.
- Use theExtract Fromsetting to specify which items the system searches for dynamic parameter values.Use This OptionWhenFile TypesYou want the system to extract dynamic parameters from responses to requests for certain file types that exist in the security policy. Select the file type and clickAdd.URLsYou want the system to extract dynamic parameters from responses to requests for the listed URLs. To add the URLs, select the protocol, type the URL and clickAdd. If the URL is not in the security policy, it is added.RegExpYou want the system to extract dynamic parameters from responses to requests that match a regular expression pattern.Extract From All ItemsYou want the system to extract dynamic parameters from all text-based URLs and file types.
- From theExtracted Methods Configurationlist, selectAdvanced.
- Select the appropriate check boxes to specify how to get the dynamic parameter values.Select This OptionWhenSearch in LinksYou want the system to extract dynamic parameter values from links (href tags) within the server response to a URL.Search Entire FormYou want the system to extract dynamic parameter values from all parameters in a form in the HTML response to a requested URL.Search Within FormYou want the system to extract dynamic parameter values from a specific parameter within in a form. Also specify theForm Indexand theParameter Index.Search in XMLYou want the system to extract dynamic parameter values from within XML entities. Type the XPath specification in theXPathfield.Search in Response BodyYou want to the system to search for dynamic parameter values in the body of the response. You can also specify how many incidents the system should find, a prefix, a RegExp value, or a prefix to search for.
- ClickCreateto add the extraction properties to the parameter.
- ClickUpdateto save the changes.
- To put the security policy changes into effect immediately, clickApply Policy.
When the Application Security Manager receives a request that contains an entity
(for example, a file extension or URL) with a dynamic content value parameter, the
system extracts the parameter value from the web application response and stores it
away. The next time the system receives a request containing that parameter, it uses the
stored value to validate the dynamic content value parameter. The system verifies that
the client is not changing the parameter value that the server sets from one request to
the next, or using the values from a different user.
By default, the system saves up
to 950 values that it finds for a dynamic content value parameter. If the number of
values exceeds 950, the system replaces the first-extracted values with the new
values.
Creating parameters with dynamic names
Before you can make a parameter with a dynamic name, you must have created a flow
parameter.
In some web applications, flow parameters have dynamic names. When you create a
parameter with a dynamic name, you also specify the manner in which Application Security Manager discovers the parameter names.
- On the Main tab, click.
- In the Parameters List, click the name of the flow parameter that you want to have a dynamic name.The Parameter Properties screen opens where you can edit the flow parameter.
- For theParameter Value Typesetting, selectDynamic parameter name.
- On the Dynamic Parameter Properties tab, for theExtract Parameter from URLsetting, select the protocol to use and type the URL from which you want the system to extract the dynamic parameter.
- Specify whether the system searches for the parameter name in a form or the response body:
- To search in forms, selectSearch Within Form, and specify values forForm IndexandParameter Index.
- To search in the response body, selectSearch parameters in response body (in form elements names only). In theBy Patternfield, type a regular expression to search for parameter names in input elements in the forms. SelectCheck parameter valueto verify the parameter value in addition to the name matched in theBy Patternfield.
- ClickUpdateto save the changes.
- To put the security policy changes into effect immediately, clickApply Policy.
The system extracts the parameters from the web server responses and then uses the
extracted parameters to enforce the dynamic parameter associated with the flow.
Changing character
sets for parameter values
The character sets for parameter values are the
characters and meta characters that the security policy accepts in a parameter value.
You can view and modify the character set that is allowed in a parameter
value.
- On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Use theViewoption to filter the character set.
- For each character or meta character, change the state, as required.StateDescriptionAllowThe security policy permits this character or meta character in parameter values.DisallowThe security policy does not permit this character or meta character in parameter values.
- ClickSaveto save the changes.
- To put the security policy changes into effect immediately, clickApply Policy.
If a request includes a parameter with a disallowed character, the system generates an
Illegal parameter
violation (if that
violation is set to Alarm or Block). Changing character
sets for parameter names
The character sets for parameter names are the
characters and meta characters that the security policy accepts in a parameter name. You
can view and modify the character set that is allowed in a parameter name.
- On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Use theViewoption to filter the character set.
- For each character or meta character, change the state, as required.StateDescriptionAllowThe security policy permits this character or meta character in parameter names.DisallowThe security policy does not permit this character or meta character in parameter names.
- ClickSaveto save the changes.
- To put the security policy changes into effect immediately, clickApply Policy.
If a request includes a parameter name with a disallowed character, the system
generates an
Illegal parameter
violation (if that violation is set to Alarm or Block). Adjusting the
parameter level
You can adjust how the system determines what parameters it adds
(automatic policy building) or suggests you add (manual learning) to the security
policy. In most cases, you do not need to change the default values of these
settings.
- On the Main tab, click.The Learning and Blocking Settings screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ExpandParametersand for theParameter Levelsetting, select the level of parameter to add.GlobalAdd parameters at the global level for all URLs in the security policy. Make learning suggestions based on the properties of entities that already exist in the security policy. Default value forFundamentalpolicy template.URLAdd parameters at the URL level, only for specific URLs. Make learning suggestions based on real traffic. Default value forComprehensivepolicy template.This option applies only to the attack signature and illegal meta character violations.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
The security policy now adds parameters according to the level you
specified.
Parameter Value Types
When you add a parameter to the security policy, you specify its parameter value type.
The parameter value type indicates the format of the parameter. You can configure global, URL,
and flow parameters as any value type, except the dynamic parameter name type. You can configure
only flow parameters as dynamic parameter names.
Parameter Value Type |
Description |
---|---|
Dynamic content value |
Dynamic parameters are parameters whose values can change, and are
often linked to a user session. When you create a new parameter of this type, you must
also define dynamic parameter extraction properties. The server sets the value for
dynamic content value (DCV) parameters. DCV parameters are often associated with
applications that use session IDs for client sessions. |
Dynamic parameter name |
If using flow parameters with names that change dynamically, you can use this
parameter type. If you select this type, you also need to specify the URL from which
the system can extract dynamic parameter name parameters. |
Ignore value |
If you do not want the system to perform validity checks on the parameter value,
select this value type. Regarding signatures, this value type prevents the system from
performing parameter-based signature checks on the parameter value, but it does
perform other relevant signature checks. |
JSON value |
The JSON value type is for parameters that contain JSON data that is validated
according to a JSON profile that defines the format of the data. Select an existing
JSON profile or create a new one. |
Static content value |
Static parameters are those that have a known set of values. A list of country
names or a yes/no form field are both examples of static parameters. If you select
this type, you also need to specify the static values for the parameter in the
Parameter Static Values list. For example, a credit card payment parameter in a
shopping application may be static and have the static values MasterCard, Visa, and American
Express. |
User-input value |
User-input parameters are those that require users to enter or provide some sort
of data. This is the most commonly used parameter value type. Comment, name, and phone
number fields on an online form are all examples of user-input parameters. You can
also configure user-input parameters even if the parameter is not really user input.
For example, if a parameter has a wide range of values or many static values, you may
want to configure the parameter as a user-input parameter instead of as a static
content parameter. By default, the system looks for attack patterns within all
alpha-numeric user-input parameters. For each parameter, you can enable or disable a
specific attack signature. |
XML value |
XML parameters are those whose parameter value contains XML data that is
validated according to an XML profile that defines the format of the data. Select an
existing XML profile or create a new one. |
How the system processes parameters
When you create any type of parameter, the system automatically places the parameter in staging
and does not block requests even if a violation occurs and the system is configured to block that
violation. Based on examining traffic, the system makes learning suggestions that you can accept
or clear. If you create wildcard parameters, you also have the option of enabling learning for
explicit entities.
The system enforces parameters in the following order:
- Flow parameters
- URL parameters
- Global parameters
param_1
is defined as a
static content global parameter, and also defined as a user-input URL parameter. When the Application Security Manager™ receives a request for the parameter in a URL that
matches a URL defined in the security policy, and the parameter is defined on both the global and
URL level, the system generates any violations based on the URL parameter definition.About path parameters
Path parameters are parameters that are attached to path segments in the URI. You can configure
Application Security Manager™ (ASM) to enforce path parameters as needed in
your organization. Path parameters can be ignored, or treated as parameters, or as an integral
part of URLs.
Although path parameters are not widely used, they could serve as covert back doors to
potential attacks even for server applications that do not use path parameters. For example, an
application could copy a URI with path parameters containing attack signatures to the body of the
response.
Path parameters can have multiple parameters in the same path segment separated by semicolons.
A semicolon also separates the path segment from the parameters; for example,
/path/name;param1;p2;p3
. Each parameter can optionally equal a value; for
example, param=value;p2
. If a path parameter has more than one value, the values
are separated by commas, such as param=val1,val2,val3
.Path parameters are extracted from requests, but not from responses.
Enforcing path parameter security
A URI path parameter is the part of a path segment that occurs after its name. You
can configure how a security policy handles path parameters that are attached to path
segments in URIs. You can enforce different levels of security based on your
needs.
- On the Main tab, click.The Policies List screen opens.
- Click the name of the security policy you want to work on.The Policy Summary opens.
- From the list, selectAdvanced.
- Scroll down toHandle Path Parameters, and select how you want to treat path parameters in URIs.OptionDescriptionAs ParameterThe system normalizes and enforces path parameters. For each path parameter, the system removes it from the URL as part of the normalization process, finds a corresponding parameter in the security policy (first at the matching URL level, and if not found, then at the Global level), and enforces it according to its attributes like any other parameter.As URLThe system does not normalize or enforce path parameters, and treats them as an integral part of the URL.IgnoreThe system removes path parameters from URLs as part of the normalization process, but does not enforce them.
- ClickSave.
- In the editing context area, clickApply Policyto put the changes into effect.
Path parameters in URIs are handled as specified in the security policy
properties.
The maximum number of path parameters collected in one
URI path is 10. All the rest of the parameters (from the eleventh on, counting from
left to right) are ignored as parameters, but are still stripped from the URI as
part of the normalization process.
Overview: Securing Base64-Encoded Parameters
Base64 encoding
is a convenient encoding method that uses a compact presentation,
and is relatively unreadable to the casual observer. Many applications apply base64 encoding to
binary data, for inclusion in URLs or in hidden web form fields. Unfortunately, it is also
possible to mask application attacks in base64-encoded data. To provide better security for
applications that use base64 encoding, Application Security Manager™ can
decode user-input parameter values that are base64-encoded.Adding base64
decoding to a new user-input parameter
If your application uses base64 encoding, the
system can apply base64 decoding to a user-input parameter. When the decoding is
successful, the system applies the parameter checks specified in the security policy.
When the decoding is not successful, the system issues the
Illegal base64 encoded value
violation and
responds to the offending request according the associated blocking policy. - On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The Add Parameter screen opens.
- Type the name for the new explicit parameter.
- For theParameter Levelsetting, select where in a request the parameter is located.GlobalThe parameter can occur anywhere and is not associated with a specific URL or flow.URLThe parameter occurs in the specific URL that you provide.FlowThe parameter occurs in the specific entry point URL or referrer URL that you provide.
- Leave thePerform Stagingcheck box selected if you want the system to evaluate traffic before enforcing this parameter.Staging helps reduce the occurrence of false positives.
- For theParameter Value Typesetting, selectUser-input value.
- On the Data Type tab, for theData Typesetting, select eitherAlpha-NumericorFile Upload.
- Select theBase64 Decodingcheck box if you want the system to apply base64 decoding to values for this parameter.
- Configure any other properties that apply to this new parameter.
- ClickCreate.The screen refreshes, and the new parameter appears in the parameters list.
- To put the security policy changes into effect immediately, clickApply Policy.
Adding base64 decoding to an existing user-input parameter
When enabled, the system can decode base64 encoding in a user-input parameter. If
the decoding is successful, the system applies the parameter checks specified in the
security policy. If the decoding is not successful, the system issues the
Illegal
base64 encoded value
violation and responds to the offending request
according to the associated blocking policy. - On the Main tab, click.
- In the Parameters List filter, selectParameter Value Typein the left list,User-input valuein right list, and clickGo.The screen refreshes and lists only user-input parameters.
- In the Parameter Name column, click the name of the parameter to which you want to add base64 decoding.The Parameter Properties screen opens.
- On the Data Type tab, select theBase64 Decodingcheck box so the system applies base64 decoding to values for this parameter.The base64 decoding setting is available only for user-input parameters of the alpha-numeric or file upload data type.
- ClickUpdate.The screen refreshes, and displays the parameters list.
- To put the security policy changes into effect immediately, clickApply Policy.
Adding URLs to a Security Policy
About adding URLs
In a security policy, you can manually specify the HTTP or WebSocket URLs that are allowed (or
disallowed) in traffic to the web application being protected. If you are using automatic policy
building (and the policy includes learning URLs), Application Security
Manager™ (ASM) can determine which URLs to add, based on legitimate traffic. If a WebSocket
profile is associated with the security policy virtual server, ASM can also add WebSocket URLs to
the policy.
When you create a security policy, wildcard URLs of * (representing all HTTP or WebSocket URLs)
are added to the Allowed HTTP and WebSocket URLs lists. During the enforcement readiness period,
the system examines the URLs in the traffic and makes learning suggestions that you can review
and add the URLs to the policy as needed. This way, the security policy includes the HTTP and
WebSocket URLs that are typically used. When you think all the URLs are included in the security
policy, you can remove the * wildcards from the allowed URLs lists.
About referrer URLs
Referrer URLs
are web pages that request other URLs within a web application. For
example, an HTML page can request a GIF, JPG, or PNG image file. The HTML page is the referrer,
and the GIF, JPG, and PNG files are non-referrers. In lists of URLs, non-referrer URLs appear in
blue and referrer URLs appear in gold.A referrer in Application Security Manager™ is similar to the HTTP Referer
header. Use referrers for complex objects, such as HTML pages, but not for embedded objects, such
as GIF files.
Adding allowed HTTP
URLs
You can manually add
allowed HTTP URLs
, which are URLs from which the security policy accepts
traffic en route to the web application being protected.- On the Main tab, click.The Allowed HTTP URLs screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Allowed HTTP URL screen opens.
- ForURL, choose a type, protocol and method (optional), and then type the URL name or wildcard.OptionDescriptionExplicitSpecifies a unique URL, such as/index.html. ChooseHTTPorHTTPS, and type the URL in the adjacent field.WildcardSpecifies that the URL is a wildcard expression. Any URL that matches the wildcard expression is considered legal. The pure wildcard (*) is automatically added to the security policy so you do not need to add it. But you can add other wildcards such as/main/*. SelectHTTPorHTTPS, and type a wildcard expression in the adjacent field.
- Optional. Choose a method from the drop down list to create an API endpoint: URL + Method.
- By default, thePerform Stagingcheck box is selected. F5 recommends that you keep it selected.
- If the URL is a Wildcard, selectPositional Parametersif you want to create positional parameters in the URL.The Add Segment... button appears in the URL field above.
- ClickAdd Segment...in the URL field and select which to add:TextorParameterand enter your desired segments. You can add multiple text and parameter segments.
- If you want to view more options, next toCreate New Allowed URL, selectAdvanced.
- If the attack signatures included in the security policy apply differently to this allowed URL, you can adjust them on the Attack Signatures tab.
- Ensure thatCheck attack signatures on this URLis selected.
- From theGlobal Security Policy Settingslist, move any attack signatures whose global settings you want to override into theOverridden Security Policy Settingsand adjust the state as needed (fromEnabledtoDisabledor vice versa).
The most common action you perform here is to disable an attack signature for a specific URL.Overridden attack signatures are preceded with a yellow alert triangle in the attack signature list, and you can filter the list to view them. - To process requests for this URL according to the header content, create header-based content profiles.The task,Enforcing requests for HTTP URLs based on header content, provides details on how to do this.
- To protect the application from being able to harbor illegitimate frames and iframes (inline frames) with malicious code in the application, set up protection from clickjacking:
- ForClickjacking Protection, select theEnabledcheck box.
- From theAllow Rendering in Frameslist, select an option to determine whether to allow this URL to be rendered in a frame or iframe.
- For wildcard URLs, leaveWildcard Match Includes Slashesselected.When this option is selected, an asterisk in a wildcard matches any number of path segments (separated by slashes); when cleared, an asterisk matches at most one segment.
- For wildcard URLs, in the Meta Characters tab, you can specify whether to check for meta characters in the URL, and which ones to allow or disallow.
- TheCheck characters on this URLsetting is enabled by default so that the system verifies meta characters in the URL. (If you do not want to check for meta characters, clear the check box and skip to the next step.)
- To specify which meta characters to allow or disallow, from theGlobal Security Policy Settingslist, select any meta characters that you want to specifically allow or disallow, and move them to theOverridden Security Policy Settingslist.
- For each meta character that you moved, set the state toAlloworDisallow.
The Overridden Security Policy Settings take precedence over the global settings for the web application character set. - ClickCreate.The Allowed URLs screen opens and lists the new URL.
- To put the security policy changes into effect immediately, clickApply Policy.
The security policy allows requests for the URL or URLs matching the wildcard that you
added. If the URL is in staging, the system informs you when learning suggestions are
available or when it is ready to be enforced.
Wildcard syntax
The syntax for wildcard entities is based on shell-style wildcard characters. This
table lists the wildcard characters that you can use in the names of file types, URLs,
parameters, or cookies so that the entity name can match multiple objects.
Wildcard Character |
Matches |
---|---|
* |
All characters |
? |
Any single character |
[abcde] |
Exactly one of the characters listed |
[!abcde] |
Any character not listed |
[a-e] |
Exactly one character in the range |
[!a-e] |
Any character not in the range |
Allowed HTTP URL properties
These tables describe the properties (both Basic and Advanced settings) that define
HTTP URLs that the security policy will allow.
New allowed HTTP URL properties
Property |
Description |
---|---|
URL |
Specifies an HTTP URL that the security policy allows. The available types are:
|
Protocol |
Specifies whether the protocol for the URL is HTTP or HTTPS. |
Perform Staging |
Specifies that the system places this URL in staging. Learning suggestions
produced by requesting staged URLs are logged in the Learning screens. Review
staging status on the Allowed HTTP URLs screen. If a URL is in staging, point to the
icon to display staging information. When you are no longer getting learning
suggestions, you can disable this setting. If you enforce a URL, this setting is
cleared. |
Check Flows to this URL |
Specifies that the security policy validates flows to the URL (if configured).
If this setting is disabled, the system ignores the flows to the URL. When you
select this check box, additional settings appear. |
URL is Entry Point |
(Visible when Check Flows to this URL is selected.)
Specifies that this URL is a page through which a visitor can enter the web
application. |
URL is Referrer |
(Visible when Check Flows to this URL is selected.)
Specifies that the URL is a URL from which a user can access other URLs in the web
application. |
URL can change Domain Cookie |
Specifies that the security policy does not block an HTTP request where the
domain cookie was modified on the client side. Note that this setting is applicable
only if the URL is a referrer. |
URL with Navigation Parameter |
Specifies that you want to associate a navigation parameter with this URL. You
must have a navigation parameter defined in the security policy to view this
option. |
Select Navigation Parameter |
Specifies a list of navigation parameters that you can associate with this
URL. |
Navigation Parameter Value |
Indicates the value of the navigation parameter. |
Clickjacking Protection |
Specifies that the system adds the X-Frame-Options header to
the domain cookie’s response header. This is done to protect the web application
against clickjacking. Clickjacking occurs when attacker lures a user to
click illegitimate frames and iframes because the attacker hid them on legitimate
visible website buttons. Therefore, enabling this option protects the web
application from other web sites hiding malicious code behind them. The default is
disabled. After you enable this option, you can select whether, and under what
conditions, the browser should allow this URL to be rendered in a frame or
iframe. |
Allow Rendering in Frames |
Specifies the conditions for when the browser should allow this URL to be
rendered in a frame or iframe.
|
Wildcard Match Includes Slashes |
Specifies that an asterisk in a wildcard URL matches any number of path
segments (separated by slashes); when cleared, specifies that an asterisk matches at
most one segment. For example: the wildcard /art/* matches
/art/abc/index.html if the wildcard match includes slashes
(default value), but does not match it if the check box is cleared. In that case, it
matches /art/go.html (only one segment below
/art ). |
HTML5 Cross-Domain Request Enforcement |
CORS (Cross-Origin Resource Sharing) lets one website access the resources of
another website using JavaScript (within the browser). Web applications may share
resources with other websites hosted on a different domain. When the option is
selected, the system protects a specific URL in your web application from
cross-origin resource sharing. You can configure which domains can access the
response generated by requesting this URL (the resource), and how to overwrite CORS
response headers returned by the web server. |
URL Description |
Describes the URL (optional). |
Header-Based Content Profiles
Property |
Description |
---|---|
Request Header Name |
Specifies an explicit header name that must appear in requests for this URL.
This field is not case-sensitive. |
Request Header Value |
Specifies a simple pattern string (glob pattern matching) for the header value
that must appear in legal requests for this URL; for example,
*json* , xml_method? , or
method[0-9] . If the header includes this pattern, the
system assumes the request contains the type of data you select in the
Request Body Handling setting. This field is
case-sensitive. |
Request Body Handling |
Indicates how the system parses the content of requests for the allowed URL:
|
Profile Name |
Specifies the XML, JSON, or GWT profile the security policy uses when examining
requests for this URL if the header content is parsed as XML, JSON, or GWT. You can
also create or view the XML, JSON, or GWT profile from this option. |
HTML5 Cross-Domain Request Enforcement
Property |
Description |
---|---|
Allow HTML5 Cross-Origin Requests |
Allows all CORS requests to this URL, and displays additional settings. |
Allowed Origins |
Allows you to specify a list of origins allowed to share data returned by this
URL. |
Allowed Methods |
Allows you to specify a list of methods that other web applications hosted in
different domains can use when requesting this URL. |
Allowed Headers |
Allows you to specify a list of request headers that other web applications
hosted in different domains can use when requesting this URL. Or you can delete
non-simple headers returned in response to requests. |
Exposed Headers |
Allows you to specify a list of response headers that are safe to expose to
JavaScript, and can be shared with web applications hosted in different domains. Or
you can allow only simple headers to be exposed. |
Allow Credentials |
Specifies whether requests from other web applications hosted in different
domains may include user credentials. |
Maximum Age |
Specifies how long (in seconds) to cache in the browser the results of a
preflight request (a special request that the browser sends to your web application
to determine if JavaScript from another domain may access your resource). |
Meta Characters
Property |
Description |
---|---|
Check characters on this URL |
Specifies that the system verifies meta characters on this wildcard URL. You
can change which meta characters are allowed or disallowed. |
Methods Enforcement
Property |
Description |
---|---|
Override policy allowed methods |
Specifies that the system allows you to override allowed methods for this URL.
When selected, global policy settings for methods are listed, and you can change
what is allowed or disallowed for this URL. |
Learning Settings for HTTP URLs
These settings are on the Learning and Blocking Settings screen.
Setting |
Description |
---|---|
Learn New HTTP URLs |
Specifies how to add, or suggests that you add URLs to the security policy if
you are creating a wildcard URL.
|
Maximum Learned HTTP URLs |
Limits the number of URLs that the security policy allows. The default is
10000 . |
Learn Allowed Methods on URLs |
If selected, when the system learns a new URL with a method, it selects the
override methods enforcement setting. If using automatic learning, suggestions are
made for the new URL only. For manual learning, suggestions are made to add the
method to the URL and to the policy as well. |
Classify Request Content of Learned HTTP URLs |
If the system detects legitimate XML or JSON data for URLs in the security
policy, the system adds or suggests you add XML or JSON profiles to the security
policy and configures their attributes according to the data it detects. |
Collapse many common URLs into one wildcard URL |
Collapses many common explicit URLs into one wildcard URL with a common prefix
and suffix. The system collapses URLs only in the same directory (with the same
prefix path) and the same file extension. The system creates a wildcard with no
slash. |
File types for which wildcard URLs will be configured (e.g.
*.jpg) |
Specifies the file types for which to create a wildcard URL instead of adding
explicit URLs. The system includes several by default. |
Adding disallowed
HTTP URLs
For some web applications, you may want to
deny requests for certain URLs. In this case, you can create a set of disallowed URLs. A
disallowed URL can be an explicit URL or a wildcard. Adding disallowed URLs is useful,
for example, to prevent access to an administrative interface to the web application
such as
/admin/config.php
.- On the Main tab, click.The Disallowed HTTP URLs screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Disallowed HTTP URL screen opens.
- For theURLsetting, selectExplicitorWildcard.If you select Wildcard, select if to leaveWildcard Match Includes Slashesenabled (default) or to disable it.
- SelectHTTPorHTTPSas the protocol for the URL, and type the URL that the security policy considers illegal; for example,/index.html.URLs are case-sensitive unless you cleared theSecurity Policy is case sensitiveoption when you created the policy.
- Optional. Choose a method from the drop down list to create an API endpoint: URL + Method.
- ClickCreate.The Disallowed HTTP URLs screen opens and lists the URL.
- To put the security policy changes into effect immediately, clickApply Policy.
If a requested URL is on the disallowed HTTP URLs list, the system ignores, learns,
logs, or blocks the request depending on the settings you configure for the
Illegal URL
violation on the Learning and
Blocking Settings screen. You can view learning suggestions for disallowed HTTP URLs on
the Traffic Learning screen. Creating allowed WebSocket URLs
You can manually create
allowed WebSocket URLs
, which are URLs from
which the security policy accepts messages over WebSocket connections. You do this if
you have a short list of WebSocket URLs to protect and you know their paths. If
you are using automatic learning, the security policy protects WebSocket URLs
automatically, and you do not have to add them. Learning settings for WebSocket URLs
are on the Learning and Blocking Settings screen.
- On the Main tab, click.The Allowed WebSocket URLs screen opens.
- ClickCreate.The New Allowed WebSocket URL screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Next toCreate New Allowed WebSocket URL, selectAdvanced.
- ForWebSocket URL, choose a type and protocol, and then type the URL name or wildcard.TypeDescriptionExplicitSpecifies a specific WebSocket URL, such as/chat.room.com/websocket. SelectWS(for unencrypted text) orWSS(for encrypted text), and type the URL in the adjacent field.WildcardSpecifies a wildcard expression to represent a number of URLs. Any URL that matches the wildcard expression is considered legal. The pure wildcard (*) is automatically added to the security policy so you do not need to add it. But you can add other wildcards such as/main/*. SelectWS(for unencrypted text) orWSS(for encrypted text), and type a wildcard expression in the adjacent field.
- Retain the default selectedPerform Stagingcheck box.Keep it selected so you can check for false positives before enforcing the new URL.
- For wildcard WebSocket URLs, leaveWildcard Match Includes Slashesselected.When this option is selected, an asterisk in a wildcard matches any number of path segments (separated by slashes); when cleared, an asterisk matches at most one segment.
- On the Message Handling tab, leaveCheck Message Payloadenabled.Based on the traffic and the selections in thePayload Enforcementsetting, theCheck Message Payloadsetting causes the system to validate the format of WebSocket messages.
- For theWebSocket Extensionslist, leave the default valueRemove Headersto select what happens to messages that have WebSocket extensions.Other options to ignore extensions (Dangerous! Not recommended.) or block messages with extensions are available, but F5 recommends using the default.The system removes theSec-WebSocket-Extensionsheader from the message and allows the WebSocket to be established so messages can be exchanged.
- ForAllowed Message Payload Formats, select the format or formats that you want to enforce for WebSocket messages: clickJSONorBinary.At least one format must be selected. (Initially,Plain Textis always selected.) If you are using a different format and not verifying plain text in messages, you can clearPlain Text.
- ForPayload Enforcement, choose how to validate the message content.
- To verify plain text or JSON formatting, select the previously created content profile, or create a new one.
- To enforce binary messages, forMaximum Binary Message Size, clickLengthand type the largest binary message (in bytes) to allow. The default value is10000bytes.
- ForMaximum Frame Size, adjust the frame size, if necessary.The default value is10000bytes.
- ForMaximum Frames per Fragmented Message, adjust the number, if necessary.The default value is100frames.
- For wildcard WebSocket URLs, on the Meta Characters tab, you can overwrite the global URL character set, and allow or disallow specific meta characters in the WebSocket URL if you need to.
- TheCheck characters on this URLsetting is enabled by default so that the system verifies meta characters in the URL. (If you do not want to check for meta characters, clear the check box and skip to the next step.)
- To specify which meta characters to allow or disallow, from theGlobal Security Policy Settingslist, select any meta characters that you want to specifically allow or disallow, and move them to theOverridden Security Policy Settingslist.
- For each meta character that you moved, set the state toAlloworDisallow.
The Overridden Security Policy Settings take precedence over the global settings for the web application character set. - If your web site uses CORS (Cross-Origin Resource Sharing), click the HTML5 Cross-Domain Request Enforcement tab.
- ForEnforcement Mode, selectEnforce on ASM.
- On the HTML5 Cross-Domain Request Enforcement tab, specify how to enforce CORS on this WebSocket URL. For details, seeSetting Up Cross-Domain Request Enforcement.
- ClickCreate.The Allowed WebSockets URLs screen opens and lists the new WebSocket URL.
- To put the security policy changes into effect immediately, clickApply Policy.
The security policy allows requests for the WebSocket URLs that you added. If the
WebSocket URL is in staging, the system informs you when learning suggestions are
available or when it is ready to be enforced.
Adding disallowed
WebSocket URLs
For some web applications, you might want to
deny requests for certain WebSocket URLs. In this case, you can create a set of
disallowed WebSocket
URLs. Disallowed
WebSocket URLs can
be explicit or a wildcard.
- On the Main tab, click.The Disallowed WebSocket URLs screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Disallowed WebSocket URL screen opens.
- For theWebSocket URL (Explicit only)setting, selectExplicitorWildcard. If you select Wildcard, select if to leaveWildcard Match Includes Slashesenabled (default) or to disable it.
- SelectWSorWSSas the protocol for the URL, and type the WebSocket URL that the security policy considers illegal; for example,/index.html.URLs are case-sensitive unless you cleared theSecurity Policy is case sensitiveoption when you created the policy.
- ClickCreate.The Disallowed WebSocket URLs screen opens and lists the URL.
- To put the security policy changes into effect immediately, clickApply Policy.
If a requested URL is on the disallowed WebSocket URLs list, the system ignores,
learns, logs, or blocks the request depending on the settings you configure for the
Illegal URL
violation on the Learning
and Blocking Settings screen. You can view learning suggestions for disallowed WebSocket
URLs on the Traffic Learning screen. Enforcing requests for HTTP URLs based on header content
Before you can enforce requests for URLs using header content, you need to have
added an allowed HTTP URL.
When you manually create a new allowed HTTP URL, the system reviews requests for
the URL using HTTP parsing. The system automatically creates a default header-based
content profile for HTTP, and you cannot delete it. However, requests for an URL may
contain other types of content, such as JSON, XML, or other proprietary formats.
You
can use header-based content profiles to configure how the system recognizes and
enforces requests for this URL according to the header content in the request. You
can also use header-based content profiles to block traffic based on the type of
header and header value in requests for a URL.
- On the Main tab, click.The Allowed HTTP URLs screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- In the Allowed URLs List, click the name of the URL for which you want to specify legal header content.The Allowed HTTP URL Properties screen opens where you can modify the properties of the URL.
- From theAllowed URL Propertieslist, selectAdvanced.
- On the Header-Based Content Profiles tab, specify the header and value as follows:
- In theRequest Header Namefield, type the explicit header name that must appear in requests for this URL. This field is not case-sensitive.
- In theRequest Header Valuefield, type the pattern string for the header value to find in legal requests for this URL, for example,*json*,xml_method?, ormethod[0-9]. This field is case-sensitive.If a header value includes this pattern, the system assumes that the request contains the type of data you select in theRequest Body Handlingsetting.
- From theRequest Body Handlinglist, specify how the system recognizes and enforces requests for this URL according to the requests’ header content:OptionResultApply Content SignaturesDo not parse the content; scan the entire payload with full-content attack signatures.Apply Value and Content SignaturesDo not parse the content or extract parameters; process the entire payload with value and full-content attack signatures. This option provides basic security for protocols other than HTTP, XML, JSON, and GWT; for example, use*amf*as the header value for a content-type of Action Message Format.DisallowBlock requests for an URL containing this header content. The system logs theIllegal Request Content Typeviolation.Do NothingDo not inspect or parse the content. Handle the header of the request as specified by the security policy.Form DataParse content as posted form data in either URL-encoded or multi-part formats. Enforce the form parameters according to the policy.GWTExamine data in requests, based on the configuration of a GWT (Google Web Toolkit) profile associated with this URL.JSONExamine JSON data using an associated JSON profile, and use value attack signatures to scan the element values.XMLExamine XML data using an associated XML profile.
- If the content is GWT, JSON, or XML, forProfile Name, select an existing profile or click the Create (+) button to create one. (The other options do not require special profiles.)
- ClickAdd.
- ClickUpdate.
- To put the security policy changes into effect immediately, clickApply Policy.
If the system detects a request for a URL that contains header content that is
disallowed in the URL's Header-Based Content Profile, the
Illegal request content
type
violation occurs.Specifying characters legal in URLs
When you create a security policy, you select a language encoding (or let the
system determine it automatically) that determines the characters that can be used in
URLs. You can view or modify which characters the security policy allows or disallows in
URLs.
- On the Main tab, click.The URLs Character Set screen opens, where you can view the character set, and state of each character.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Use theViewfilter to display the set of characters that you want to see.To restore the default character set definitions, you can click theRestore Defaultsbutton at any time.
- To modify which characters the system should permit or prohibit in the name of a wildcard URL, clickAlloworDisallownext to the character.
- ClickSaveto save the changes.
- To put the security policy changes into effect immediately, clickApply Policy.
The security policy checks that URLs in requests do not include any disallowed
characters. For example, by disallowing the characters <, >, ', and |, a security
policy protects against many cross-site scripting attacks and injection attacks.
Overriding methods on URLs
You can define a list of methods that are allowed or disallowed for a specific URL.
The list overrides the list of methods allowed or disallowed globally at the policy
level.
If you are using automatic learning, on the Learning and Blocking Settings
screen, under URLs, you can select
Learn Methods on URLs
; the
system automatically learns overridden methods at the URL level. In that case, you
do not need to perform this task.- On the Main tab, click.The Allowed HTTP URLs screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- From the Allowed HTTP URLs List, click the name of the URL you want to modify.The Allowed HTTP URL Properties screen opens.
- From theAllowed URL Propertieslist, selectAdvanced.
- Toward the bottom of the screen, click the Methods Enforcement tab.
- Select theOverride policy allowed methodscheck box.
- In the Method Enforcement tab, from theGlobal Security Policy Settingslist, select any specific methods that you want to enable or disable for this URL, and then move them into theOverridden Security Policy Settingslist.The screen lists the methods in the state opposite from the global setting.
- If the method you want to override is not listed, clickCreate Custom Methodto add a new method to the security policy. Type the method name, and select whether the new method should act as GET or POST.
- ClickUpdate.
- To put the security policy changes into effect immediately, clickApply Policy.
The methods you selected are treated differently for this URL than for the rest of
the security policy. If the method causes an
Illegal method
violation due
to URL level enforcement, the description reads Illegal method for URL
.
(If the violation is caused at the policy level, the description reads Illegal
method for policy
.) If the URL is in staging, and the violation is due to
override, the violation does not block even if it is in blocking mode.Configuring flows
to URLs
Before you can configure a flow, you should have created the explicit HTTP URL for
which you want to add the flow.
A
flow
defines
the access path leading from one explicit HTTP URL to another, between a referrer URL
and a target URL in a web application. For example, a basic web page may include a
graphic and hyperlinks to other pages in the application. The calls from the basic page
to the other pages make up the flow. You can configure flows to a URL.Configuring
flows is an optional task. Unless you need the enhanced security of configured
flows, F5 Networks recommends that you do not configure flow-based security policies
due to their complexity.
- On the Main tab, click.The Allowed HTTP URLs screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- From the Allowed HTTP URLs List, click the name of the URL you want to modify.The Allowed HTTP URL Properties screen opens.
- From theAllowed URL Propertieslist, selectAdvanced.
- If you want the system to verify flows to this URL, select theCheck Flows To URLcheck box.
- On the menu bar, clickFlows to URL.The Flows to URL screen opens and shows the flows to that specific URL.
- Above the Flows to URL area, clickCreate.The Create a New Flow popup screen opens.
- For theReferrer URLsetting, specify how the client enters the application.
- If you want the client to enter the application from this URL, selectEntry Point.
- To specify the path of a referrer URL that refers to other URLs in the application, selectURL Path; for example, type/index.html.
- From theProtocollist, select the appropriate protocol,HTTPorHTTPS.
- From theMethodlist, select the HTTP method that the URL expects a visitor to use to access the authenticated URL, for example,GETorPOST.
- In theFrame Targetfield, type the index (0-29, or99) of the HTML frame in which the URL belongs, if the web application uses frames.If your web application does not use frames, type the value1.
- If this flow can contain a query strings or POST data, select theAllow QS/PDcheck box.
- If you want the system to verify query strings or POST data for this flow, select theCheck QS/PDcheck box.
- ClickOK.The popup screen closes, and on the Flows to URL screen, you see the HTTP URLs from which the URL can be accessed.
- To view the entire application flow, click.
- To view the flow or modify the flow properties, click the URL in the Flows list.
- To put the security policy changes into effect immediately, clickApply Policy.
You now have the option of creating parameters that are associated with the
flow.
Creating flow parameters
Before you can create a flow parameter, you need to first have created the flow to
which the parameter applies. If the source URL is a referrer URL, that HTTP URL must
already be defined in the security policy as well.
You define parameters in the context of a flow when it is important to enforce that
the target HTTP URL receives a parameter only from a specific referrer URL. Flow
parameters provide very tight, flow-specific security for web applications. With this
increased protection comes an increase in maintenance and configuration time. Note that
if your application uses dynamic parameters, you need to manually add those to the
security policy.
- On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The Add Parameter screen opens.
- In the Create New Parameter area, for theParameter Namesetting, specify the type of parameter you want to create.
- To create a named parameter, selectExplicit, then type the name.
- To use pattern matching, selectWildcard, then type a wildcard expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
- To create an unnamed parameter, selectNo Name. The system creates a parameter with the label,UNNAMED.
- In theParameter Levelsetting, selectFlow, and then forFrom URLdefine where the flow must come from:
- If the source URL is an entry point, clickEntry Point.
- If the source URL is a referrer URL (already defined in the policy), clickURL Path, select the protocol used for the URL, then type the referrer URL associated with the flow.
When you begin to type the URL, the system lists all referrer URLs that include the character you typed, and you can select the URL from the list. - In theParameter Levelsetting, forMethod, select the HTTP method (GETorPOST) that applies to the target referrer URL (already defined in the policy).
- In theParameter Levelsetting, forTo URL, select the protocol used for the URL, then type the target URL.
- Leave thePerform Stagingcheck box selected if you want the system to evaluate traffic before enforcing this parameter.Staging helps reduce the occurrence of false positives.
- If the parameter is required in the context of the flow, select theIs Mandatory Parametercheck box.Note that only flows can have mandatory parameters.
- Specify whether the parameter requires a value:
- If the parameter is acceptable without a value, leave theAllow Empty Valuesetting enabled.
- If the parameter must always include a value, clear theAllow Empty Valuecheck box.
- To allow users to send a request that contains multiple parameters with the same name, select theAllow Repeated Occurrencescheck box.Before enabling this check box, consider that requests containing multiple parameters of the same name could indicate an attack on the web application (HTTP Parameter Pollution).
- If you want to treat the parameter you are creating as a sensitive parameter (data not visible in logs or the user interface), enable theMask Value in Logssetting.
- For theParameter Value Typesetting, select the format of the parameter value.Depending on the value type you select, the screen refreshes to display additional configuration options.
- ClickCreateto add the new parameter to the security policy.
- To put the security policy changes into effect immediately, clickApply Policy.
When you create a parameter that is associated with a flow, the system verifies the
parameter in the context of the flow. For example, if you define a parameter in the
context of a GET request, and a client sends a POST request that contains the parameter,
the system generates an
Illegal Parameter
violation.Configuring dynamic
flows to URLs
Before you can configure a dynamic flow, you must have created the explicit HTTP URL
for which you want to add the dynamic flow.
Some web applications contain HTTP URLs with
dynamic names, for example, the links to a server location for file downloads, where the
file name may be unique to each user. You can configure the system to detect these URLs
by creating a dynamic flow. For the dynamic flow, you specify a regular expression that
describes the dynamic name, and associate the flow with the URL.
- On the Main tab, click.The Allowed HTTP URLs screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- From the Allowed HTTP URLs List, click the name of the URL you want to modify.The Allowed HTTP URL Properties screen opens.
- On the menu bar, clickDynamic Flows from URL.The Flows to URL screen opens and shows the flows to that specific URL.
- Above the Dynamic Flows to URL area, clickCreate.The Create a New Dynamic Flow popup screen opens.
- In thePrefixfield, type a fixed substring that appears near the top of the HTML source page before the dynamic URL.The prefix may be the name of a section in combination with HTML tags, for example,<title>Online Banking</title>.
- For theRegExpValuesetting, type a regular expression that specifies the set of URLs that make up the dynamic flow, for example, a set of archive files.
- For theSuffixsetting, type a fixed string that occurs in the referring URL’s source code, and is physically located after the reference to the dynamic name URL.
- ClickOK.The popup screen closes, and on the Dynamic Flows from URL screen, you see the dynamic flow extraction properties.
- To put the security policy changes into effect immediately, clickApply Policy.
The regular expression describes the dynamic URL name. The Application Security Manager
extracts dynamic URL names from the URL responses associated with the dynamic flow.
Configuring dynamic
session IDs in URLs
If an application uses dynamic information in URLs
(for example, user names), the Application Security Manager cannot use its normal
functions to extract and enforce HTTP URLs or flows because the URI contains a dynamic
element. If the web application that you are securing could contain dynamic information
in a URL, you can allow dynamic session IDs in URLs. (You only need to configure this
setting if you know that your application works this way.)
- On the Main tab, click.The Policies List screen opens.
- Click the name of the security policy you want to work on.The Policy Summary screen opens.
- From the list, selectAdvanced.
- For theDynamic Session ID in URLsetting, specify how the security policy should process URLs that use dynamic sessions.Use this optionWhenCustom patternThe security policy uses a user-defined regular expression to recognize a dynamic session ID in URLs. Type a regular expression in theValuefield, and a description in theDescriptionfield.Default patternThe security policy uses the default regular expression (\/sap\([^)]+\)) for recognizing dynamic session IDs in URLs.DisabledThe security policy does not enforce dynamic session IDs in URLs. This is the default value.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
Normally, if the system receives a request in which the dynamic
session information does not match the settings in the security policy, the system
issues the
Illegal session ID in URL
violation. When you allow dynamic session IDs in URLs, ASM extracts the dynamic
session information from requests or responses, based on the pattern that you
configure. For requests, the system applies the pattern to the URI up to, but not
including, the question mark (?) character in a query string. The system can extract dynamic information only from illegal URLs.
Adding Cookies
About cookies
Many web-based applications use cookies to help users navigate the web site efficiently and
perform certain functions. For example, web servers may use cookies to authenticate users logging
in to secure applications, or an application can use cookies to store user preferences. Whether
using automatic policy building or manually creating a security policy, you may want to add
cookies that the web application uses.
You may want a security policy to ignore certain known and recognized cookie headers that are
included in HTTP requests. For example, if cookies can change on the client side legitimately,
you can create
allowed cookies
.You may also want a security policy to prevent changes to specific cookies, such as
session-related cookies that are set by the application. If so, you can create
enforced
cookies
. The cookie in the request must not be modified, or it generates the Modified
Domain Cookie violation.In addition, some PHP applications treat cookies as parameters and use the value of the cookie
as input to the application. For that reason, you can have the system check attack signatures on
the cookie (as you can for parameters). You can apply attack signatures only to allowed cookies,
because enforced cookies are set by the server, and therefore, are considered to be secure.
Both allowed and enforced cookies can be put in staging when they are created so that you can
make sure that they do not cause false positives during the staging period.
If you are using automatic policy building, the security policy adds cookies automatically. If
manually building a security policy, the manual traffic learning screens suggest cookies to add.
About pure wildcard cookies
When you create a security policy, it includes a pure wildcard (*) and it is created as an
allowed cookie in the Allowed Cookies list. You cannot delete the pure wildcard from the security
policy but you can change its type from allowed to enforced. The allowed cookie wildcard allows
all cookies, and you can specify which cookies the users cannot change in the enforced cookies
list .This is considered a negative security model, because you allow all cookies except the ones
you specify.
However, new cookies are added to the security policy (or not) based on the
Learn
New Cookies
value of the matched wildcard in the Learning and Blocking settings. The
value can be Never (wildcard only)
or Selective
.
The default value differs depending on the deployment scenario you use to create the policy. The following deployments create pure wildcard cookies using the value
Never
(wildcard only)
, thus they do not add (or suggest to add) explicit cookies to the
security policy:- All templates (including Rapid Deployment policy)
- Automatic policy building with Fundamental policy template
- Vulnerability assessment
All other policy templates create the pure wildcard cookie with
Learn New
Cookies
set to Selective
. So it adds (if building the policy
automatically) or suggests to add (if building the policy manually) explicit cookies encountered
in the traffic to the security policy. In
Selective
mode, the system learns cookies that violate the settings
of the wildcard. In particular, cookies that do not change are learned as enforced cookies. Most
cookies are added to the security policy as allowed cookies, and are checked for the configured
signature set. These are captured by the * pure wildcard. The exceptions are the enforced cookies
and cookies that need to be exempted from some of the signature checks. These are whitelisted. Wildcard syntax
The syntax for wildcard entities is based on shell-style wildcard characters. This
table lists the wildcard characters that you can use in the names of file types, URLs,
parameters, or cookies so that the entity name can match multiple objects.
Wildcard Character |
Matches |
---|---|
* |
All characters |
? |
Any single character |
[abcde] |
Exactly one of the characters listed |
[!abcde] |
Any character not listed |
[a-e] |
Exactly one character in the range |
[!a-e] |
Any character not in the range |
About cookies and
learning
When you create a security policy that includes cookies, the system adds new
cookies (or suggests that you add them) to the security policy (or not) based on the Learn New
Cookies value. The value can be Never (do not add cookies) or Selective (add cookies that match
the wildcard). The default value differs depending on the policy template you use to create the
policy.
The following deployments create pure wildcard cookies using the value
Never, thus they do not add (or suggest to add) explicit cookies to the security policy by
default:
- Rapid Deployment policy
- Automatic policy building with Fundamental policy type
- Vulnerability assessment
All other templatex create the pure wildcard cookie with Learn New Cookies
set to Selective. So the system adds (if building the policy automatically) or suggests to add
(if building the policy manually) explicit cookies encountered in the traffic to the security
policy.
You could start by having the wildcard set to selective in the allowed
cookies, get a list of all the cookies that your web application uses, then move them to the
enforced list. This would make it easier to add the cookies that your web application uses and
that you want to enforce to the security policy.
About adding
cookies
Application Security Manager™ (ASM)
allows you to add cookies with different characteristics to security policies.
You can specify the cookies that you want to allow, and the ones you want to
enforce in a security policy:
- Allowed cookies: The system allows these cookies and clients can change them.
- Enforced cookies: The system enforces the cookies in the list (not allowing clients to change them) and allows clients to change all others.
If the cookies in the web application change, you can edit or delete the
cookies.
Adding allowed
cookies
You manually add allowed cookies to a security
policy when you want a security policy to ignore those cookies. You may want to add
allowed cookies for certain known and recognized cookie headers that are often included
in HTTP requests. For example, if clients can change certain cookies legitimately and
they are not session-related (like cookies assigned by single sign-on servers), you can
specify these cookies as allowed in the security policy.
- On the Main tab, click.The Cookies List screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Cookie screen opens.
- ForCookie Nameidentify the cookie.
- From the list, select whether the system identifies the cookie by a specific name (Explicit), or by a regular expression (Wildcard).The pure wildcard (*) is automatically added to the security policy so you do not need to add it. But you can add other wildcards such as*site.com.
- In the field, type either the name of the cookie, or the pattern string for the wildcard to match cookie names.
- ForCookie Type, selectAllowed.
- Leave thePerform Stagingcheck box selected if you want the security policy to evaluate traffic before enforcing this entity.Staging helps reduce the occurrence of false positives.
- If you want the system to add the HttpOnly attribute to the response header of the domain cookie, select theInsert HttpOnly attributecheck box.This attribute prevents the cookie from being modified or intercepted on the client side, by unwanted third parties that run scripts on the web page. The client's browser allows only pure HTTP or HTTPS traffic to access the protected cookie.
- If you want the system to add the SameSite attribute to the response header of the domain cookie, selectInsert SameSite attribute.This attribute allows servers to instruct the browser not to send cookies along with cross-site requests. This assertion allows mitigation of CSRF attacks. The Strict option instructs the browser not to send the cookie with any cross-site request, even when the user follows a link. The Lax option allows some cross-site usage.If multiple SameSite attributes are present, the browser will implement the strictest value. If the SameSite attribute was set by an application, the system will add another attribute-value pair at the end only if the policy setting is more strict than all SameSite attribute values in the request. If the last attribute value is the same as in the policy, no insertion will be done. The system allows making enforcement more strict, but not more relaxed.
- If you want the system to add the Secure attribute to the response header of the domain cookie, select theInsert Secure attributecheck box.This attribute ensures that cookies are returned to the server only over SSL, which prevents the cookie from being intercepted. It does not, however, guarantee the integrity of the returned cookie.
- If this is a custom cookie that may include base64 encoding, select theBase64 Decodingcheck box.If the cookie contains a Base64 encoded string, the system decodes the string and continues with its security checks.
- To adjust the attack signature settings for this cookie, use the Attack Signatures tab. Tip: The most common action you perform here is to disable a specific attack signature for a specific cookie.
- If you want to override the attack signature settings for this cookie, select theCheck attack signatures on this cookiecheck box.When this option is selected, the system displays a list of attack signatures.
- From theGlobal Security Policy Settingslist, move any attack signatures whose global settings you want to override into theOverridden Security Policy Settingsand adjust the state as needed.
- ClickCreate.The new cookie is created and added to the list.
- To put the security policy changes into effect immediately, clickApply Policy.
The system ignores allowed cookies in requests, and allows clients to change allowed
cookies in the list.
Adding enforced
cookies
You manually add enforced cookies to a security
policy when you want a security policy to prevent clients from changing those
cookies.
- On the Main tab, click.The Cookies List screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Cookie screen opens.
- ForCookie Nameidentify the cookie.
- From the list, select whether the system identifies the cookie by a specific name (Explicit), or by a regular expression (Wildcard).The pure wildcard (*) is automatically added to the security policy so you do not need to add it. But you can add other wildcards such as*site.com.
- In the field, type either the name of the cookie, or the pattern string for the wildcard to match cookie names.
- ForCookie Type, selectEnforced.
- Leave thePerform Stagingcheck box selected if you want the security policy to evaluate traffic before enforcing this entity.Staging helps reduce the occurrence of false positives.
- If you want the system to add the HttpOnly attribute to the response header of the domain cookie, select theInsert HttpOnly attributecheck box.This attribute prevents the cookie from being modified or intercepted on the client side, by unwanted third parties that run scripts on the web page. The client's browser allows only pure HTTP or HTTPS traffic to access the protected cookie.
- If you want the system to add the Secure attribute to the response header of the domain cookie, select theInsert Secure attributecheck box.This attribute ensures that cookies are returned to the server only over SSL, which prevents the cookie from being intercepted. It does not, however, guarantee the integrity of the returned cookie.
- ClickCreate.The new cookie is created and added to the list.
- To put the security policy changes into effect immediately, clickApply Policy.
If a request contains a modified or unsigned enforced cookie header and the Modified
domain cookie(s) violation is set to alarm or block, the system logs and/or blocks the
request (when the system is in blocking mode). Note that the request is not blocked if
the enforced cookie is in staging, or if the security policy is in transparent
mode.
Changing the order
in which wildcard cookies are enforced
If you create several wildcard cookies, the
security policy adds each new one to the top of the wildcard cookies list. The cookie
wildcards are enforced from the top of the list down. You can change the order in which
a security policy enforces wildcard cookies.
- On the Main tab, click.The Cookie Wildcards Order screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- In theWildcard Cookieslist, adjust the order of the cookie wildcards by using theUpandDownbuttons putting the cookies you want to enforce first at the top of the list.
- ClickSaveto save the changes.
- To put the security policy changes into effect immediately, clickApply Policy.
The system enforces the cookie wildcards from the top down.
Editing cookies
You can edit cookies as required by changes in the web application that the
security policy is protecting.
- On the Main tab, click.The Cookies List screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Select either the Enforced Cookies or Allowed Cookies tab to locate the cookie you want to edit.
- In the Cookie Name column, click the cookie name.The Edit Cookie screen opens.
- In the Cookie Properties area, make the required changes to the cookie.
- ClickUpdateto save the changes.
- To put the security policy changes into effect immediately, clickApply Policy.
Deleting cookies
You can delete cookies that are no longer needed in your security policy. If a
cookie changes in your application, you may want to delete the old cookie and let Application Security Manager add the new cookie (or suggest adding
it).
- On the Main tab, click.The Cookies List screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Select either the Enforced Cookies or Allowed Cookies tab to locate the cookie you want to edit.
- In the Enforced Cookies or Allowed Cookies list, select the check box next to the cookie you want to delete.
- ClickDeleteto delete the entity, and clickOKwhen asked to confirm.
- To put the security policy changes into effect immediately, clickApply Policy.
Specifying when to add explicit cookies
You can specify the circumstances under which Application Security
Manager adds, or suggests you add, explicit cookies to the security policy.
- On the Main tab, click.The Learning and Blocking Settings screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ExpandCookies, in theLearn New Cookiessetting, select the option you want.OptionDescriptionNever (wildcard only)The system does not add or suggest that you add cookies that match the wildcard to the policy. When false positives occur, the system suggests relaxing the settings of the wildcard entity. This option results in a security policy that is easy to manage but may not be as strict.SelectiveThe system adds or suggests that you add cookies that match the wildcard to the policy. When false positives occur, the system adds or suggests that you add an explicit entity with relaxed settings that avoid the false positive. This option provides a good balance between security, policy size, and ease of maintenance.
- ClickSaveto save the changes.
- To put the security policy changes into effect immediately, clickApply Policy.
Configuring the
maximum cookie header length
You specify a maximum cookie header
length so that the system knows the acceptable maximum length for the cookie
header in an incoming request. This setting is useful primarily in
preventing buffer overflow attacks.
- On the Main tab, click.The Policies List screen opens.
- Click the name of the security policy you want to work on.The Policy Summary opens.
- From the list, selectAdvanced.
- For theMaximum Cookie Header Lengthsetting, select one of the options.OptionDescriptionAnySpecifies that the system accepts requests with cookie headers of any length.Lengthwith a value in bytesSpecifies that the system accepts cookie headers up to that length. The default maximum length is8192bytes.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
The system calculates and enforces the cookie header
length based on the sum of the length of the cookie header name and
value. Requests with headers that are longer than the maximum length
cause an Illegal header length violation.
Overview: Configuring advanced cookie protection
Many of the Application Security Manager™ (ASM) security features store
ASM™ cookies on clients as part of the traffic security enforcement.
Examples of security features that use cookies for validation are cookie enforcement, parameter
enforcement, CSRF protection, login enforcement, session tracking, and anomaly detection. Cookie
enforcement is also called
domain cookies
; cookies for the other features are called
other ASM cookies
. The system applies a random security key unique to each deployment and uses it in conjunction with an encryption algorithm. The combination of the randomly generated key and the selected algorithms is called the
security context
. Normally, you do not have to change the cookie protection settings. However, in cases where you suspect a security breach has occurred, or if you want a different balance between speed and security, you can reconfigure cookie protection.By default, when you initially start the system, it automatically generates a security key and
sets the cookie security level to secure. You can change the encryption schema to provide faster
cookie protection by reconfiguring cookie protection.
If you want to use the same security context on other systems, you can set up advanced cookie
configuration settings on one BIG-IP system and export them. You can then
import the settings on the other systems. You can configure all your systems to use the same
cookie protection, or apply different settings to the systems. However, if you have multiple ASM-enabled devices that share traffic (and are not synchronized using device groups), it is recommended that those systems should all use the same cookie protection settings.
If synchronizing multiple ASM systems using device groups, you can configure the settings you
want to use for all systems on one and then synchronize the systems.
Reconfiguring cookie protection
Application Security Manager (ASM) automatically configures
cookie protection. If you need to adjust cookie protection due to a security breach or
because you want to change the current protection level, you can reconfigure cookie
protection.
This is an advanced configuration task that is required
only in special circumstances.
- On the Main tab, click.The Cookie Protection screen opens.
- Review the data and time specified in theLatest Generation/Import Configuration Timesetting to see when cookie protection was last configured.
- To review the details of the cookie protection, clickView Algorithms Configuration.The screen shows the specific algorithms the system uses to protect domain and other ASM cookies.
- If you decide that you want to change the cookie configuration, clickReconfigure Cookie Protection.The Reconfigure Cookie Protection screen opens.
- ForGrace Period Until signing with new Security Context, type the amount of time in minutes that must pass before the system begins signing ASM cookies with the new key and algorithm that you are configuring.The default value is30minutes. Initially when you start the system, this is the period the system waits to apply the new security context for the new release.
- ForGrace Period To Accept Old Cookies, type the amount of time in minutes that must pass before the system stops accepting traffic with ASM cookies that use the old key and algorithm.The default value is2880minutes (48 hours).
- ForAlgorithm Selection, select the overall cookie security level to apply:SecureorFast.TheSecuresetting uses more system resources.Changing this setting changes the Scramble and Mac algorithms used for cookie protection.
- If you want to review the actual algorithms used for the cookies, you can do this:
- For theCookie Protection Configurationsetting, selectAdvanced.The screen shows additional settings.
- Review the scramble and Mac algorithms used for the domain cookies and other ASM cookies, and adjust them if needed.If you use settings other than the defaults, theAlgorithm Selectionchanges toCustom.
- ClickReconfigure.The system regenerates a new security context but waits to start using it until it surpasses the grace period until signing value.
- If you need to extend either of the grace periods, clickExtendand type the number of minutes to add and clickSave.
Importing cookie
protection configuration
If you want to use the same cookie configuration
settings on more than one Application Security Manager (ASM) system (especially systems
that share traffic), you can export the settings from one system and import them onto
another one. This task explains how to import the settings.
- On the Main tab, click.The Cookie Protection screen opens.
- ClickImport.The Import Cookie Protection Configuration screen opens.
- From theImport Methodlist, selectUpload fileand locate the previously exported configuration file.The exported file has a name such asASM_Cookie_Protection_Configuration_2013-08-15_08-22.txt.
- To review the details of the cookie protection, clickView Algorithms Configuration.The screen shows the specific algorithms the system uses to protect domain and other ASM cookies.
- ForGrace Period Until signing with new Security Context, type the amount of time in minutes that must pass before the system begins signing ASM cookies with the new key and algorithm that you are configuring.The default value is30minutes. Initially when you start the system, this is the period the system waits to apply the new security context for the new release.
- ForGrace Period To Accept Old Cookies, type the amount of time in minutes that must pass before the system stops accepting traffic with ASM cookies that use the old key and algorithm.The default value is2880minutes (48 hours).
- ClickImport.The system imports the security context but waits to start using it until the grace period until signing is up.
- If you need to extend either of the grace periods, clickExtendand type the number of minutes to add and clickSave.
Exporting cookie protection configuration
If you want to use the same cookie configuration settings on more than one Application Security Manager system, you can export the settings from one system and import them onto another one. This task explains how to export the settings to a file.
- On the Main tab, click.The Cookie Protection screen opens.
- ClickExport.The system exports the cookie protection configuration to a file with a name such asASM_Cookie_Protection_Configuration_2013-08-15_08-22.txt.
Adding Allowed Methods to a Security Policy
Adding allowed
methods
All security policies accept standard HTTP methods
by default. If your web application uses HTTP methods other than the default allowed
methods (GET, HEAD, and POST), you can add them to the security policy.
- On the Main tab, click.The Methods screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.
- For theMethodsetting, select the type of method to allow:
- To use an existing HTTP method to act as a GET or POST action, selectPredefinedthen select the system-supplied method to add to the allowed methods list.
- To add an option that is not predefined, selectCustom, and then in theCustom Methodfield, type the name of a method.
- If using flows in the security policy, from theAllowed Method Propertieslist, selectAdvanced, then from theAct as Methodlist, select an option:
- If you do not expect requests to contain HTTP data following the HTTP header section, selectGET.
- If you expect requests to contain HTTP data following the HTTP header section, selectPOST.
- ClickCreate.
- To put the security policy changes into effect immediately, clickApply Policy.
The method is added to the allowed methods list. The system treats any incoming HTTP
request that uses an HTTP method other than an allowed method as an invalid request. The
system ignores, learns, logs, or blocks the request depending on the settings configured
for the
Illegal Method
violation under
Headers on the Learning and Blocking Settings screen.