Applies To:
- 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Application security for applications that use AJAX
Application Security Manager can protect AJAX applications including those that use JSON or XML for data transfer between the client and the server. If the AJAX application uses XML for data transfer, the security policy requires that an XML profile be associated with a URL or parameter. If the AJAX application uses JSON for data transfer, the security policy requires that a JSON profile be associated with a URL or parameter. If the AJAX application uses HTTP for data transfer, no profile is needed.
You can also set up AJAX blocking response behavior for applications so that if a violation occurs during AJAX-generated traffic, the system displays a message or redirects the application user to another location.
Overview: Creating a security policy for applications that use AJAX
Creating a security policy automatically
- On the Main tab, click . The Active Policies screen opens.
- Click the Create button. The Deployment wizard opens to the Select Local Traffic Deployment Scenario screen.
- For the Local Traffic Deployment Scenario setting, specify a virtual server to use for the security policy.
  - To secure an existing virtual server that has no security policy associated with it, select Existing Virtual Server and click Next.
  - To create a new virtual server and pool with basic configuration settings, select New Virtual Server and click Next.
  - To create an active but unused security policy, select Do not associate with Virtual Server and click Next. No traffic will go through this security policy until you associate it with a virtual server. The Policy Builder cannot begin automatically creating a policy until traffic is going to ASM through the virtual server.
- Configure the new or existing virtual server, and click
  - If creating a new virtual server, specify the protocol, name, IP address and port, pool IP address, and port.
  - If using an existing virtual server, it must have an HTTP profile and cannot be associated with a local traffic policy.
  - If you selected Do not associate with Virtual Server, you will have to manually associate the security policy with a virtual server at a later time.
- On the policy properties screen, specify a name for the security policy.
- For Deployment Scenario, select Create a policy automatically and click Next. The Configure Security Policy Properties screen opens.
- From the Application Language list, select the language encoding of the application, or select Auto detect and let the system detect the language.
  Important: You cannot change this setting after you have created the security policy.
- If the application is not case-sensitive, clear the Security Policy is case sensitive check box. Otherwise, leave it selected.
  Important: You cannot change this setting after you have created the security policy.
- If you do not want the security policy to distinguish between HTTP and HTTPS URLs, clear the Differentiate between HTTP and HTTPS URLs check box. Otherwise, leave it selected.
- Click Next. The Configure Attack Signatures screen opens.
- To configure attack signatures, move the systems used by your web application from the Available Systems list into the Assigned Systems list. The system adds the attack signatures needed to protect the selected systems.
- For the Signature Staging setting, verify that the default option Enabled is selected.
  Note: Because the Real Traffic Policy Builder begins building the security policy in Blocking mode, you can keep signature staging enabled to make sure that false positives do not occur. New and updated attack signatures remain in staging for 7 days, and are not enforced (according to the learn, alarm, and block flags) during that time.
- Click Next. The Configure Automatic Policy Building screen opens.
- For Policy Type, select an option to determine the security features to include in the policy.
  - Fundamental: Creates a security policy enforcing HTTP protocol compliance, evasion techniques, explicit file types (including length checks), explicit parameters in selective mode at the global level, attack signatures, the violation Request Length Exceeds Defined Buffer Size, host names, header lengths, cookie lengths, the violation Failed to Convert Character, and learn explicit redirection domains.
  - Enhanced: Creates a security policy with all the elements of the Fundamental policy type; also checks for explicit URLs in selective mode plus meta characters, explicit parameter length checks in selective mode at the global level, methods, explicit cookies, and content profiles.
  - Comprehensive: Creates a security policy with all the elements of the Enhanced policy type; also checks for explicit URLs and meta characters, explicit parameters and lengths at the URL level, parameter meta characters, and dynamic parameters.
- For Rules, move the slider to set the Policy Builder
  - Fast: Use if your application supports a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. However, choosing this option may present a greater chance of adding false entities to the security policy.
  - Medium: Use if your application supports a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting.
  - Slow: Use if your application supports a large number of requests from many sessions; for example, useful for web sites with lots of traffic. This option creates the most accurate security policy, but takes Policy Builder longer to collect the statistics.
- For Trusted IP Addresses, select which IP addresses to
  - All: Specifies that the policy trusts all IP addresses. For example, if the traffic is in a corporate lab or preproduction environment where all of the traffic is trusted, the policy is created faster when you select this option.
  - Address List: Specifies networks to consider safe. Fill in the IP Address and Netmask fields, then click Add. This option is typically used in a production environment where traffic could come from untrusted sources. The IP Address can be either an IPv4 or an IPv6 address.
- If you want the security policy to automatically detect JSON and XML protocols, select the JSON/XML payload detection check box. If requests contain legitimate XML or JSON data, the Policy Builder creates content profiles in the security policy according to the data it detects.
- If you want to display a response page when an AJAX request does not adhere to the security policy, select the AJAX blocking response behavior check box.
- Click Next. The Security Policy Configuration Summary opens where you can review the settings to be sure they are correct.
- Click Finish to create the security policy. The Automatic Policy Building Status screen opens where you can view the current state of the security policy.
Reviewing security policy status
- On the Main tab, click . The Status (Automatic) screen opens where you can see the automatic policy building status, file types, URLs, parameters, and cookies that were added to the security policy.
- In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
- Review any messages in the identification and messages area to learn what is currently happening on the system. For example, messages say when the Policy Builder is enabled, when the security policy was last updated, and the number of elements that were learned.
- Review the status of the Real Traffic Policy Builder.
  - Enabled: The system is configured to automatically build a security policy, and the Policy Builder is processing traffic.
  - Disabled: The system is not processing traffic. Check the automatic policy building configuration. If you did not associate a virtual server, you need to do that to process traffic.
  - Detecting Language: The system is still configuring the language after analyzing responses to identify the language of the web application. The Policy Builder is enabled, but it cannot add elements to the security policy until the language is set.
- Examine the General Progress of the security policy. A progress bar indicates the stability level of the security policy. The progress bar reaches 100% when the policy is stable, no new policy elements need to be added, and time and traffic thresholds have been reached.
- In the Policy Elements Learned table, review the number of elements that the Policy Builder has analyzed and added to the security policy, and the attributes that need to be updated.
  Tip: Click the number in the Elements column to see the specific elements that were added.
- Optionally, in the Details tree view, click the expand button for any item to learn more about that security policy element, what the system has seen so far, and what it will take to stabilize the element.
The Real Traffic Policy Builder creates a security policy that can protect applications that use AJAX with JSON or XML for data transfer between the client and the server. The system examines the traffic and creates an appropriate profile. If the application uses XML, the security policy includes one or more XML profiles associated with URLs or parameters. If the application uses JSON, the security policy includes one or more JSON profiles associated with URLs or parameters.
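As an added illustration of the decision this page describes (which content profile type each URL needs, based on what its AJAX requests actually carry), the following is example code written for this page; it is not F5's code and not the Policy Builder's algorithm. The sample requests are constructed, and the classifier parses the body rather than trusting the Content-Type header alone, because AJAX clients often send JSON labelled as text/plain.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample AJAX requests: (method, URL, Content-Type header, body).
SAMPLE_REQUESTS = [
    ("POST", "/api/cart", "application/json", '{"item": 42, "qty": 2}'),
    ("POST", "/api/cart", "text/plain", '{"item": 7, "qty": 1}'),  # JSON, wrong header
    ("POST", "/soap/order", "text/xml", "<order><id>9</id></order>"),
    ("POST", "/login", "application/x-www-form-urlencoded", "user=bob&pw=x"),
    ("GET", "/search", "", ""),
    ("POST", "/api/cart", "application/json", '{"item": 42, "qty": '),  # truncated JSON
]


def classify_payload(content_type, body):
    """Return 'json', 'xml', 'http', or 'malformed' for one request body.

    The header is only a hint: the body is parsed to confirm, so that a
    mislabelled JSON request is still recognised as needing a JSON profile,
    and a body that fails to parse is not used to learn anything.
    """
    if not body:
        return "http"
    text = body.strip()
    ctype = content_type.lower()
    if text.startswith(("{", "[")) or "json" in ctype:
        try:
            json.loads(text)
            return "json"
        except ValueError:
            return "malformed"
    if text.startswith("<") or "xml" in ctype:
        try:
            ET.fromstring(text)
            return "xml"
        except ET.ParseError:
            return "malformed"
    return "http"  # form or query data: no content profile required


def required_profiles(requests):
    """Map each URL to the sorted list of content profile types it needs.

    URLs that only carry plain HTTP data map to an empty list; malformed
    bodies are ignored so that bad input cannot shape the learned policy.
    """
    needed = {}
    for _method, url, ctype, body in requests:
        kinds = needed.setdefault(url, set())
        kind = classify_payload(ctype, body)
        if kind in ("json", "xml"):
            kinds.add(kind)
    return {url: sorted(kinds) for url, kinds in needed.items()}
```

Running `required_profiles(SAMPLE_REQUESTS)` reports a JSON profile for /api/cart and an XML profile for /soap/order, while /login and /search need none.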