F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Application Security Manager: Implementations
  3. Adding JSON Support to an Existing Security Policy
Manual Chapter : Adding JSON Support to an Existing Security Policy

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0
Manual Chapter

Adding JSON Support to an Existing Security Policy

Overview: Adding JSON support to existing security policies

JSON (JavaScript® Object Notation) is a data-interchange format often used to pass data back and forth between an application and a server. This implementation describes how to add JSON support to an existing security policy for an application that uses JSON for data transfer. You create a JSON profile to define what the security policy enforces and considers legal when it detects traffic that contains JSON data.
You add JSON support to a security policy by completing these tasks.

Creating a JSON profile

Before you can complete this task, you need to have already created a security policy for your application.
This task describes how to create a JSON profile that defines the properties that the security policy enforces for an application sending JSON payloads or WebSocket payloads in JSON format.
The system supports JSON in UTF-8 and UTF-16 encoding. WebSocket allows only UTF-8.
  1. On the Main tab, click
    Security
    Application Security
    Content Profiles
    JSON Profiles
    .
  2. Click
    Create
     to create a new JSON profile, or edit the
    Default
    JSON profile (by clicking it).
    The Create New JSON Profile screen opens.
  3. Type a name for the profile.
  4. Adjust the maximum values that define the JSON data for the AJAX application, or use the default values.
  5. If you want the system to tolerate and not report warnings about JSON content, select the
    Tolerate JSON Parsing Warnings
     check box.
    If the system cannot parse JSON content, it generates the violation
    Malformed JSON data
    , regardless of whether this setting is enabled or disabled.
  6. To parse parameters in a JSON payload as parameters (recommended), ensure that
    Parse Parameters
     is enabled.
    The system extracts parameters from JSON content whenever the JSON profile is used; for example, with URLs, WebSocket URLs, or parameters that use a JSON profile.
    The security policy parses parameters extracted from the JSON payload the same as other parameters. Also, the Attack Signatures, Value Metacharacters, and Sensitive Data Configuration tabs are removed from the screen, so you can skip to the last step.
  7. If the signatures included in the security policy are not sufficient for this JSON profile, you can change them.
    1. On the Attack Signatures tab, in the
      Global Security Policy Settings
       list, select any specific attack signatures that you want to enable or disable for this profile, and then move them into the
      Overridden Security Policy Settings
       list.
      If no attack signatures are listed in the
      Global Security Policy Settings
       list, create the profile, update the attack signatures, then edit the profile.
    2. After you have moved any applicable attack signatures to the
      Overridden Security Policy Settings
       list, enable or disable each of them as needed:
      • Enabled
         - Enforces the attack signature for this JSON profile, although the signature might be disabled in general. The system reports the violation
        Attack Signature Detected
         when the JSON in a request matches the attack signature.
      • Disabled
         - Disables the attack signature for this JSON profile, although the signature might be enabled in general.
  8. To allow or disallow specific meta characters in JSON data (and thus override the global meta character settings), click the Value Meta Characters tab.
    • Select the
      Check characters
       check box, if it is not already selected.
    • Move any meta characters that you want allow or disallow from the
      Global Security Policy Settings
       list into the
      Overridden Security Policy Settings
       list.
    • In the
      Overridden Security Policy Settings
       list, change the meta character state to
      Allow
       or
      Disallow
      .
  9. To mask sensitive JSON data (replacing it with asterisks), click the Sensitive Data Configuration tab.
    • In the
      Element Name
       field, type the JSON element whose values you want the system to consider sensitive.
    • Click
      Add
      .
    If the JSON data causes violations and the system stops parsing the data part way through a transaction, the system masks only the sensitive data that was fully parsed.
    Add any other elements that could contain sensitive data that you want to mask.
  10. Click
    Create
     (or
    Update
     if editing the Default profile).
    The system creates the profile and displays it in the JSON Profiles list.
This creates a JSON profile that affects the security policy when you associate the profile with a URL, WebSocket URL, or parameter.
Next, you need to associate the JSON profile with any URLs, WebSocket URLs, or parameters that might include JSON data.

Associating a JSON profile with a URL

Before you can associate a JSON profile with a URL, you need to have created a security policy with policy elements including application URLs, and the JSON profile.
You can associate a JSON profile with one or more explicit or wildcard URLs.
  1. On the Main tab, click
    Security
    Application Security
    URLs
    .
  2. In the
    Current edited security policy
     list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. From the Allowed URLs List, click the name of a URL that might contain JSON data.
    The Allowed URL Properties screen opens.
  4. Next to
    Allowed URL Properties
    , select
    Advanced
    .
    The screen refreshes to display additional configuration options.
  5. Click the
    Header-Based Content Profiles
     tab, and in the
    Request Header Name
     field, type the explicit string or header name that defines when the request is treated as the
    Parsed As
     type; for example,
    content-type
    .
    This field is not case sensitive.
    If the URL always contains JSON data, for
    Request Body Handling
     select
    JSON
    .
  6. In the
    Request Header Value
     field, type the wildcard (including *, ?, or [chars]) for the header value that must be matched in the
    Request Header Name
     field; for example,
    *json*
    .
    This field is case sensitive.
  7. From the
    Request Body Handling
     list, select
    JSON
    .
    The system automatically creates a
    Default
     JSON profile, and assigns it as the profile when you select
    JSON
     in this field.
  8. From the
    Profile Name
     list, either leave the default, select a JSON profile appropriate for this URL, or click
    Create
     to quickly create a new JSON profile.
  9. Click
    Add
    .
    Add as many header types as you need to secure this URL, clicking
    Add
     after specifying each one.
  10. To override the global meta character settings for this URL, adjust the meta character policy settings:
    • In the Meta Characters tab, select the
      Check characters on this URL
       check box, if it is not already selected.
    • Move any meta characters that you want allow or disallow from the
      Global Security Policy Settings
       list into the
      Overridden Security Policy Settings
       list.
    • In the
      Overridden Security Policy Settings
       list, change the meta character state to
      Allow
       or
      Disallow
      .
  11. Click
    Update
    .
  12. To put the security policy changes into effect immediately, click
    Apply Policy
    .
The JSON profile is associated with the URL.
Continue to associate JSON profiles with any URLs in the application that might contain JSON data.

Associating a JSON profile with a parameter

You need to have created a security policy with policy elements including parameters and a JSON profile before starting this procedure.
You can associate a JSON profile with a parameter.
  1. On the Main tab, click
    Security
    Application Security
    Parameters
    .
  2. In the
    Current edited security policy
     list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. In the Parameters List area, click the name of a parameter to which to assign a JSON profile.
    The Parameter Properties screen opens.
  4. For the
    Parameter Value Type
     setting, select
    JSON value
    .
    The system automatically creates a
    Default
     JSON profile, and assigns it as the profile when you select
    JSON value
     in this field.
  5. From the
    JSON Profile
     list, either leave the default, select a JSON profile appropriate for this parameter, or click
    Create
     to quickly create a new JSON profile for this parameter.
  6. Click
    Update
    .
    The system associates the JSON profile with the parameter.
  7. To put the security policy changes into effect immediately, click
    Apply Policy
    .
Continue to associate JSON profiles with any parameters in the application that might contain JSON data.

Implementation result

You have manually added JSON support to the active security policy. The policy can now secure applications that use JSON for data transfer between the client and the server. If web application traffic includes JSON data, the system checks that it meets the requirements that you specified in the JSON profile.

Using a Custom JSON Schema

Using a custom JSON schema

You can use your own JSON schema validation file(s) for your REST endpoints rather than policy parameter configurations. The REST endpoint is defined as <method, path>, e.g. PATCH /product/order. The custom JSON schema is validated when uploaded and any violations are noted. You can use more than one JSON schema file but each file must be uploaded separately, with the main schema file uploaded first, and the JSON Profile Properties updated after each upload.
  1. On the Main tab, click
    Security
    Application Security
    Content Profiles
    JSON Profiles
    .
  2. Select an existing profile or click
    Create
    .
  3. In the
    JSON Schema Files
     section, click
    Choose File
     and select your custom JSON schema file.
    When using more than 1 JSON schema file, upload the main schema file, i.e. with
    $ref
     links, first. An error is generated but uploading the subsequent files resolves the broken links error.
  4. Click
    Upload
    .
  5. Continue to choose and upload JSON schema files are needed.
  6. Click
    Create
     if this is a new profile or
    Update
     if editing an existing profile.
After a JSON schema is uploaded and selected, the Parse Parameters setting is disabled because the policy stops using any configured policy parameters and begins using the custom JSON parameters from the JSON schema file(s).
If you created a new JSON profile, you need to associate it with any parameters, HTTP URLs or WebSocket URLs that might include JSON data.

Assigning a JSON profile to an HTTP URL

A JSON schema can be assigned to an HTTP URL to provide JSON schema validation for a REST endpoint.
  1. On the Main tab, click
    Security
    Application Security
    URLs
    Allowed URLs
    Allowed HTTP URLs
    .
  2. In the
    Current edited policy
     list near the top of the screen, verify that the policy shown is the one you want to work on
  3. Select an existing Allowed HTTP URL or click
    New Allowed HTTP URL
    .
  4. Beside
    Create New Allowed URL
     select
    Advanced
    .
  5. Open the
    Header-Based Content Profile
     tab.
  6. Enter a
    Request Header Name
     and
    Request Header Value
    .
  7. For
    Request Body Handling
     select JSON.
  8. For
    Profile Name
     select the JSON profile and click
    Add
    .
    Continue to select and add JSON profiles as needed to the Allowed HTTP URL.
  9. Use the
    Up
     and
    Down
     buttons to change the order of the Request Header Names which is the order in which the system checks header content of requests for this URL.
  10. If you are configuring a new Allowed HTTP URL, continue to configure the URL properties as needed.
  11. Click
    Create
    .
The HTTP URL now includes JSON schema validation for REST endpoints.

Assigning a JSON profile to a WebSocket URL

A JSON schema can be assigned to a WebSocket URL to provide JSON schema validation for a REST endpoint.
  1. On the Main tab, click
    Security
    Application Security
    URLs
    Allowed URLs
    Allowed WebSocket URLs
    .
    The Allowed WebSocket URLs screen opens.
  2. In the
    Current edited policy
     list near the top of the screen, verify that the policy shown is the one you want to work on.
  3. Select an existing WebSocket URL or click
    Create
    .
  4. On the Message Handling tab, ensure that
    Check Message Payload
     is enabled.
  5. For
    Allowed Message Payload Formats
     select
    JSON
    .
  6. For
    Payload Enforcement
     select the JSON Profile to use.
  7. If you are configuring a new WebSocket URL, continue to configure the URL properties as needed.
  8. Click
    Create
    .
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information