Manual Chapter : Securing Web Applications Created with Google Web Toolkit

Applies To:


BIG-IP ASM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

Overview: Securing Java web applications created with Google Web Toolkit elements

Google Web Toolkit (GWT) is a Java framework that is used to create AJAX applications. GWT clients send their remote procedure calls (GWT-RPC) to the server in a text format of their own, which is neither JSON nor XML, so a dedicated content profile is needed to inspect it. When you add GWT enforcement to a security policy, the Security Enforcer can detect malformed GWT data, request payloads and parameter values that exceed length limits, attack signatures, and illegal meta characters in parameter values. This implementation describes how to add GWT support to an existing security policy for a Java web application created with GWT elements.

Task summary

Creating a Google Web Toolkit profile

Before you begin this task, you need a security policy for the web application that was created with Google Web Toolkit (GWT).
A GWT profile defines what the security policy enforces, and what it considers legal, when it detects traffic that contains GWT data.
Note: The system supports GWT in UTF-8 and UTF-16 encoding.
  1. On the Main tab, click Security > Application Security > Content Profiles > GWT Profiles .
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create.
    The Create New GWT Profile screen opens.
  4. Type a name and optional description for the profile.
  5. For the Maximum Total Length of GWT Data setting, specify the maximum length, in bytes, of a request payload or parameter value that contains GWT data.
    The default is 10000 bytes.
    Option   Description
    Any      Specifies that there are no length restrictions. (The total-length check is then effectively disabled, so oversized GWT payloads are not reported.)
    Length   Specifies, in bytes, the maximum acceptable data length.
  6. For the Maximum Value Length setting, specify the longest acceptable value, in bytes, for any single GWT element in a request that the security policy allows.
    The default is 100 bytes.
    Option   Description
    Any      Specifies that there are no length restrictions.
    Length   Specifies, in bytes, the maximum acceptable value length.
  7. Clear the Tolerate GWT Parsing Warnings check box if you want the system to report requests whose GWT content produces parsing warnings. While the check box is selected, content that parses with warnings is tolerated and no violation is raised for it.
  8. To change the security policy settings for specific attack signatures for this GWT profile, from the Global Security Policy Settings list, select the attack signatures and then move them into the Overridden Security Policy Settings list.
    Note: If no attack signatures are listed in the Global Security Policy Settings list, create the profile, update the attack signatures, then edit the profile.
  9. In the Overridden Security Policy Settings list, enable or disable each attack signature as needed:
    Option    Description
    Enabled   Enforces the attack signature for this GWT profile, even if the signature is disabled in the security policy's global settings. The system reports the Attack Signature Detected violation when the GWT data in a request matches the attack signature.
    Disabled  Deactivates the attack signature for this GWT profile, even if the signature is enabled in the security policy's global settings.
  10. To allow or disallow specific meta characters in GWT data (and thus override the global meta character settings), click the Value Meta Characters tab.
    1. Select the Check characters check box, if it is not already selected.
    2. Move any meta characters that you want to allow or disallow from the Global Security Policy Settings list into the Overridden Security Policy Settings list.
    3. In the Overridden Security Policy Settings list, change the meta character state to Allow or Disallow.
  11. Click Create.
    The system creates the profile and displays it in the GWT Profiles list.
The security policy does not enforce the GWT profile settings until you associate the GWT profile with any URLs that might include GWT data.
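The following Python model is an added example, not F5 code, of the checks the profile settings above apply to a GWT-RPC request body: Maximum Total Length of GWT Data, Maximum Value Length, Tolerate GWT Parsing Warnings, and value meta-character overrides. It assumes the GWT-RPC body is pipe-delimited as version|flags|string-table-size|table entries|integer tokens|, that lengths are counted in UTF-8 bytes, and that the disallowed meta-character set is an illustrative override; the sample payloads, URL and strong-name hash are constructed, not captured traffic, and the parser is deliberately simpler than the Security Enforcer's.

```python
"""Added example (not F5 code): a model of the checks a GWT profile applies.

Assumptions: GWT-RPC bodies are pipe-delimited (version|flags|string-table
size|table entries|integer tokens|), lengths are measured in UTF-8 bytes,
and the disallowed meta-character set is an illustrative override.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

SEP = "|"


@dataclass
class GwtProfile:
    name: str
    max_total_length: Optional[int] = 10000  # bytes; None means "Any"
    max_value_length: Optional[int] = 100    # bytes; None means "Any"
    tolerate_parsing_warnings: bool = True
    # Meta characters moved to Overridden settings and set to Disallow
    # (illustrative choice, not the product defaults).
    disallowed_meta_chars: FrozenSet[str] = frozenset("<>\"'")


def parse_gwt_rpc(body: str) -> Tuple[List[str], List[str]]:
    """Return (string-table values, parsing warnings).

    Raises ValueError for data that cannot be parsed at all (malformed GWT
    data); recoverable oddities are returned as warnings so the caller can
    decide whether to tolerate them.
    """
    warnings: List[str] = []
    if body.endswith(SEP):
        tokens = body[:-1].split(SEP)
    else:
        warnings.append("payload does not end with a separator")
        tokens = body.split(SEP)
    if len(tokens) < 3:
        raise ValueError("malformed GWT data: missing header fields")
    try:
        _version, _flags, table_size = (int(t) for t in tokens[:3])
    except ValueError:
        raise ValueError("malformed GWT data: non-numeric header field")
    if table_size < 0:
        raise ValueError("malformed GWT data: negative string-table size")
    strings = tokens[3:3 + table_size]
    if len(strings) < table_size:
        raise ValueError("malformed GWT data: string table shorter than declared")
    # Everything after the string table should be integers (table indices
    # and primitive values); anything else is suspicious but still parseable.
    for tok in tokens[3 + table_size:]:
        if not tok.lstrip("-").isdigit():
            warnings.append(f"non-integer token after string table: {tok!r}")
    return strings, warnings


def enforce(profile: GwtProfile, body: str) -> List[str]:
    """Return the violations the profile would raise for this GWT body."""
    violations: List[str] = []
    total = len(body.encode("utf-8"))
    if profile.max_total_length is not None and total > profile.max_total_length:
        violations.append(
            f"GWT data length {total} exceeds maximum {profile.max_total_length}")
    try:
        strings, warnings = parse_gwt_rpc(body)
    except ValueError as exc:
        violations.append(str(exc))
        return violations
    if warnings and not profile.tolerate_parsing_warnings:
        violations.extend("GWT parsing warning: " + w for w in warnings)
    for value in strings:
        size = len(value.encode("utf-8"))
        if profile.max_value_length is not None and size > profile.max_value_length:
            violations.append(
                f"value length {size} exceeds maximum {profile.max_value_length}: {value!r}")
        bad = sorted(set(value) & profile.disallowed_meta_chars)
        if bad:
            violations.append(f"illegal meta characters {bad} in value {value!r}")
    return violations


# Constructed GWT-RPC request bodies (placeholder module URL and hash).
GOOD = ("7|0|6|http://app.example.test/app/|2A1B3C4D5E6F7A8B|"
        "com.example.Service|lookup|java.lang.String/2004016611|alice|"
        "1|2|3|4|1|5|6|")
XSS = GOOD.replace("alice", "<script>alert(1)</script>")
TRUNCATED = "7|0|6|http://app.example.test/app/|2A1B3C4D5E6F7A8B|"

if __name__ == "__main__":
    profile = GwtProfile("gwt_default")
    for label, body in (("good", GOOD), ("xss", XSS), ("truncated", TRUNCATED)):
        print(label, enforce(profile, body))
```

Running the block shows the three outcomes the profile distinguishes: a clean payload raises nothing, a payload carrying `<script>` in a string-table value trips the meta-character override, and a body whose string table is shorter than it declares is rejected as malformed before any value check runs. Dropping the trailing separator from GOOD is reported only when Tolerate GWT Parsing Warnings is cleared, which is the behaviour step 7 describes.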

Associating a Google Web Toolkit profile with a URL

Before you can associate a Google Web Toolkit (GWT) profile with a URL, you need to create a security policy with policy elements, including application URLs and the GWT profile.
When you associate a GWT profile with a URL in a security policy, the Security Enforcer can apply specific GWT checks to the associated requests.
  1. On the Main tab, click Security > Application Security > URLs .
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Allowed URLs List area, click the name of a URL that might contain GWT data.
    The Allowed URL Properties screen opens.
  4. From the Allowed URL Properties list, select Advanced.
  5. For the Header-Based Content Profiles setting, specify the characteristics of the traffic to which the GWT profile applies.
    1. In the Request Header Name field, type the name of the request header whose value determines whether the request is treated as the Parsed As type; for example, Content-Type.
      This field is not case-sensitive.
    2. In the Request Header Value field, type the header value to match. The value can include the wildcard characters *, ?, and [chars]; for example, *gwt*.
      This field is case-sensitive. GWT-RPC clients send the Content-Type text/x-gwt-rpc, which *gwt* matches, but a value whose letters are capitalized differently does not match and would bypass GWT enforcement; a pattern such as *[gG][wW][tT]* covers those variants.
    3. For the Parsed As setting, select GWT.
    4. For the Profile Name setting, select the GWT profile that you created from the list.
    5. Click Add.
      The system adds the header and profile information to the list.
  6. Optional: If you have multiple headers and profiles defined, you can adjust the order of processing.
  7. Click Update.
  8. To put the security policy changes into effect immediately, click Apply Policy.
When the system receives traffic that contains the specified URLs, the Security Enforcer applies the checks you established in the GWT profile, and takes action according to the corresponding blocking policy.
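The following Python model is an added example, not F5 code, of how the Header-Based Content Profiles entries configured above select a GWT profile for a request. It implements the two matching rules the procedure documents (header name compared case-insensitively, header value compared as a case-sensitive wildcard with *, ?, and [chars]) and tries entries in list order with the first match winning. It assumes fnmatchcase gives the same wildcard semantics as the product; the profile names, rule lists and sample request headers are constructed.

```python
"""Added example (not F5 code): selecting a GWT profile from the ordered
Header-Based Content Profiles list of an Allowed URL.

Assumptions: Python's fnmatchcase reproduces the documented wildcard
syntax (*, ?, [chars]); profile names and sample headers are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HeaderContentProfile:
    header_name: str    # Request Header Name, e.g. "Content-Type"; case-insensitive
    header_value: str   # Request Header Value wildcard, e.g. "*gwt*"; case-sensitive
    parsed_as: str      # Parsed As setting, here always "GWT"
    profile_name: str   # Profile Name setting


def select_profile(rules: List[HeaderContentProfile],
                   headers: Dict[str, str]) -> Optional[HeaderContentProfile]:
    """Return the first rule whose header pattern matches the request.

    Header names are lower-cased on both sides because the field is not
    case-sensitive; the value is matched with fnmatchcase so that letter
    case in the pattern must match the request exactly.  None means no
    rule matched, so no GWT checks would be applied to this request.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for rule in rules:
        value = lowered.get(rule.header_name.lower())
        if value is not None and fnmatchcase(value, rule.header_value):
            return rule
    return None


# Rule list as a first attempt: the literal example from the procedure.
RULES = [
    HeaderContentProfile("Content-Type", "*gwt*", "GWT", "gwt_strict"),
]

# Rule list that also matches capitalized media types, using [chars].
RULES_CASE_TOLERANT = [
    HeaderContentProfile("Content-Type", "*[gG][wW][tT]*", "GWT", "gwt_strict"),
]

# Constructed request headers. Stock GWT-RPC clients send the first form.
GWT_REQUEST = {"content-type": "text/x-gwt-rpc; charset=utf-8"}
UPPERCASE_GWT = {"Content-Type": "text/x-GWT-rpc; charset=utf-8"}
NO_CONTENT_TYPE = {"Accept": "*/*"}

if __name__ == "__main__":
    for label, hdrs in (("gwt", GWT_REQUEST), ("upper", UPPERCASE_GWT),
                        ("none", NO_CONTENT_TYPE)):
        hit = select_profile(RULES, hdrs)
        print(label, "*gwt* ->", hit.profile_name if hit else None)
        hit = select_profile(RULES_CASE_TOLERANT, hdrs)
        print(label, "*[gG][wW][tT]* ->", hit.profile_name if hit else None)
```

The second request is the case to watch: because the value field is case-sensitive, `*gwt*` does not match `text/x-GWT-rpc`, the lookup returns None, and the request would reach the application without GWT enforcement. The `[chars]` form in RULES_CASE_TOLERANT closes that gap without loosening the name match, and the same mechanism explains why step 6 lets you reorder entries: the first matching entry decides which profile is applied.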

Implementation result

You have now added Google Web Toolkit (GWT) support to a security policy. When the Security Enforcer detects GWT traffic that matches the URLs and header rules defined in the security policy, the GWT profile settings are enforced as you configured them.