Applies to: 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Creating Security Policies for AJAX Applications
Application security for applications that use AJAX
Application Security Manager™ can protect AJAX applications including those that use JSON or XML for data transfer between the client and the server. If the AJAX application uses XML for data transfer, the security policy requires that an XML profile be associated with a URL or parameter. If the AJAX application uses JSON for data transfer, the security policy requires that a JSON profile be associated with a URL or parameter. If the AJAX application uses HTTP for data transfer, no profile is needed.
Some web applications use AJAX authentications that submit the login form as an AJAX POST request, with the login details and response in JSON format. If so, you can create a login page with an authentication type of JSON/AJAX Request to protect against brute force attacks. You can use this login URL when configuring session awareness or login enforcement.
You can also set up AJAX blocking response behavior for applications so that if a violation occurs during AJAX-generated traffic, the system displays a message or redirects the application user to another location.
Overview: Creating a security policy for applications that use AJAX
Creating a security policy automatically
On the Main tab, click . The Active Policies screen opens.
Click the Create button.
The Deployment wizard opens to the Select Local Traffic Deployment Scenario screen.
For the Local Traffic Deployment Scenario setting, specify a virtual server to use for the security policy. The virtual server represents the web application you want to protect. The Configure Local Traffic Settings screen opens if you are adding a virtual server. Otherwise, the Select Deployment Scenario screen opens.
- To secure an existing virtual server that has no security policy associated with it, select Existing Virtual Server and click Next.
- To create a new virtual server and pool with basic configuration settings, select New Virtual Server and click Next.
- To create an active but unused security policy, select Do not associate with Virtual Server and click Next. No traffic will go through this security policy until you associate it with a virtual server. The Policy Builder cannot begin automatically creating a policy until traffic is going to ASM through the virtual server.
If you are adding a virtual server, configure the new or existing virtual server, and click Next. The Select Deployment Scenario screen opens.
- If creating a new virtual server, specify the protocol, virtual server name, virtual server destination address and port, pool member IP address and port, and the logging profile.
- If using an existing virtual server, it must have an HTTP profile and cannot be associated with a local traffic policy. Specify the protocol and virtual server.
- If you selected Do not associate with Virtual Server, you will have to manually associate the security policy with a virtual server at a later time. On the policy properties screen, you need to specify a name for the security policy.
For Deployment Scenario, select Create a security policy automatically and click Next. The Configure Security Policy Properties screen opens.
- In the Security Policy Name field, type a name for the policy.
- From the Application Language list, select the language encoding of the application, or use Auto detect and let the system detect the language. Important: You cannot change this setting after you have created the security policy.
- If the application is not case-sensitive, clear the Security Policy is case sensitive check box. Otherwise, leave it selected. Important: You cannot change this setting after you have created the security policy.
- If you do not want the security policy to distinguish between HTTP/WebSocket and HTTPS/WebSocket Secure URLs, clear the Differentiate between HTTP/WS and HTTPS/WSS URLs check box. Otherwise, leave it selected.
The Configure Attack Signatures screen opens.
To configure attack signatures, move the systems used by your web application from the Available Systems list into the Assigned Systems list. The system adds the attack signatures needed to protect the selected systems.
For the Signature Staging setting, verify that the default option Enabled is selected.
Note: Because ASM begins building the security policy in Blocking mode, you can keep signature staging enabled so you can check whether legitimate traffic is being stopped, to reduce the chance of false positives. New and updated attack signatures remain in staging for 7 days, and are recorded but not enforced (according to the learn, alarm, and block flags in the attack signatures configuration) during that time.
The Configure Automatic Policy Building screen opens.
For Policy Type, select an option to determine the security features to include in the policy. Bulleted lists on the screen describe the exact security features that are included in each type.

| Option | Description |
| --- | --- |
| Fundamental | Creates a robust security policy that is appropriate for most applications. |
| Enhanced | Creates a more specific security policy with additional customization such as learning URLs, cookies, and content profiles; includes tracking of user login sessions and brute force protection. |
| Comprehensive | Creates the most secure policy providing the greatest amount of customization, including all the Enhanced features and more traffic classification at the parameter and URL levels, dynamic parameters, and CSRF URLs. |
For the Policy Builder Learning Speed setting, select how fast to generate suggestions for the policy.

| Option | Description |
| --- | --- |
| Fast | Use if your application supports a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. Policy Builder requires fewer unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. However, choosing this option may present a greater chance of adding false entities to the security policy. |
| Medium | Use if your application supports a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting. |
| Slow | Use if your application supports a large number of requests from many sessions; for example, useful for web sites with lots of traffic. Policy Builder requires a large amount of unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. This option creates the most accurate security policy, but it takes Policy Builder longer to collect the statistics. |

Based on the option you select, the system sets greater or lesser values for the number of different user sessions, different IP addresses, and length of time before it adds suggestions to the security policy and, if you are using automatic learning, enforces the elements.
For Trusted IP Addresses, select which IP addresses to consider safe.

| Option | Description |
| --- | --- |
| All | Specifies that the policy trusts all IP addresses. This option is recommended for traffic in a corporate lab or preproduction environment where all of the traffic is trusted. The policy is created faster when you select this option. |
| Address List | Specifies networks to consider safe. Fill in the IP Address and Netmask fields, then click Add. This option is typically used in a production environment where traffic could come from untrusted sources. The IP Address can be either an IPv4 or an IPv6 address. |

If you leave the trusted IP address list empty, the system treats all traffic as untrusted. In general, it takes more untrusted traffic, from different IP addresses, over a longer period of time to build a security policy.
- If you want to display a response page when an AJAX request does not adhere to the security policy, select the AJAX blocking response behavior check box.
The Security Policy Configuration Summary opens where you can review the settings to be sure they are correct.
Click Finish to create the security policy.
The Policy Properties screen opens.
The Real Traffic Policy Builder® creates a security policy that can protect applications that use AJAX with JSON or XML for data transfer between the client and the server. The system examines the traffic and creates an appropriate profile. If the application uses XML, the security policy includes one or more XML profiles associated with URLs or parameters. If the application uses JSON, the security policy includes one or more JSON profiles associated with URLs or parameters.
Overview: Adding AJAX blocking and login response behavior
- Microsoft® ASP.NET
By default, if you enable AJAX blocking behavior, when an AJAX request results in a violation that is set to Block, Application Security Manager performs the default AJAX response page action. The system presents a login response if the application user sends an AJAX request that attempts to directly access a URL that should only be accessed after logging in.
Configuring the blocking response for AJAX applications
- On the Main tab, click .
- In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
- Click the AJAX Response Page tab.
injection)? check box.
The system displays the default blocking response and login response actions for AJAX.
- For the Default Response Page action setting, select the type of response you want the application user to receive when they are blocked from the application:
- Custom Response lets you specify HTML text or upload a file to use as a replacement for the frame or browser page that generated the AJAX request. Include the text, then click Show to preview the response.
- Popup message displays text in a popup window (default text is included).
- Redirect URL redirects the user to the URL you specify. You can also include the support ID. For example: http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>.
- For the Login Page Response action, select the type of response (types are the same as for default response page in Step 5).
- Click Save.
- To put the security policy changes into effect immediately, click Apply Policy.
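A client-side counterpart to the Redirect URL option above, added here as an example and not part of the F5 documentation: when ASM answers a blocked AJAX request with a redirect to the blocking page, a fetch() caller that expected JSON otherwise fails on HTML. The code assumes the Redirect URL is the page's own example, http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>; the helper names are mine.

```javascript
// Added example, not from the F5 documentation. Assumes the policy's Redirect
// URL is http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>
// (the page's own example); the helper names below are my own.
const BLOCKING_PAGE_PATH = "/blocking_page.php";

// Return the support ID when urlString points at the blocking page, else null.
function extractSupportId(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // relative or malformed URL: not a blocking-page redirect
  }
  if (url.pathname !== BLOCKING_PAGE_PATH) return null;
  return url.searchParams.get("support_id");
}

// Classify a fetch() Response without consuming its body. With the Redirect
// URL option a blocked request arrives as a redirect to the blocking page;
// with a Custom Response it arrives as a body that is not the JSON the caller
// expected. Only redirected, url and headers.get are read, so a plain object
// shaped like a Response works offline.
function classifyAjaxResponse(response) {
  if (response.redirected) {
    const supportId = extractSupportId(response.url);
    if (supportId !== null) return { blocked: true, supportId };
  }
  const type = (response.headers.get("content-type") || "").toLowerCase();
  if (!type.startsWith("application/json")) return { blocked: true, supportId: null };
  return { blocked: false, supportId: null };
}

// Drop-in replacement for fetch() on JSON endpoints: surfaces the support ID
// to the user instead of letting JSON.parse choke on a blocking page.
async function fetchJson(input, init) {
  const response = await fetch(input, init);
  const verdict = classifyAjaxResponse(response);
  if (verdict.blocked) {
    const id = verdict.supportId ? ` (support ID ${verdict.supportId})` : "";
    throw new Error(`Request blocked by the security policy${id}`);
  }
  return response.json();
}

// Constructed stand-in for a Response, for offline checks only.
function fakeResponse(url, redirected, contentType) {
  const headers = { get: (n) => (n.toLowerCase() === "content-type" ? contentType : null) };
  return { url, redirected, headers };
}
```

The support ID the user sees is the same value recorded in the request log, so a helpdesk ticket quoting it can be matched to the blocked request.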