Applies To:
Show VersionsBIG-IP ASM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Adding Entities to a Security Policy
Adding File Types to a Security Policy
About adding file types
In a security policy, you can manually specify the file types that are allowed (or disallowed) in traffic to the web application being protected. This is only if you are not using the recommended automatic policy building. When you are using automatic policy building, Application Security Manager™ determines which file types to add, based on legitimate traffic.
When you create a security policy, a wildcard file type of *, representing all file types, is added to the file type list. During the enforcement readiness period, the system examines the file types in the traffic and makes learning suggestions that you can review and add the file types to the policy as needed. This way, the security policy includes the file types that are typically used. When you think all the file types are included in the security policy, you can remove the * wildcard from the allowed file types list.
Adding allowed file types
Wildcard syntax
The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of file types, URLs, parameters, or cookies so that the entity name can match multiple objects.
Wildcard Character | Matches |
---|---|
* | All characters |
? | Any single character |
[abcde] | Exactly one of the characters listed |
[!abcde] | Any character not listed |
[a-e] | Exactly one character in the range |
[!a-e] | Any character not in the range |
Adding disallowed file types
Adding Parameters to a Security Policy
About adding parameters to a security policy
Parameters are an integral part of any web application, and they need to be protected so clients cannot access them, modify them, or view sensitive data. When you define parameters in a security policy, you increase the security of the web application and prevent web parameter tampering.
Application Security Manager™ evaluates parameters, meta characters, query string lengths, and POST data lengths as part of a positive security logic check. When the security policy includes known parameters, you are creating a whitelist of acceptable parameters. The system allows traffic that includes the parameters that you configure in a security policy.
Security policies can include parameters defined as global parameters, URL parameters, and flow parameters. You can further specify parameters as being particular value types: static content, dynamic content, dynamic parameter name, user-input, JSON, or XML. You can also create parameters for which the system does not check or verify the value.
Creating global parameters
- The web application has a parameter that appears in several URLs or flows.
- You want the Application Security Manager™ to enforce the same parameter attributes on all parameters.
Creating URL parameters
Creating flow parameters
Creating sensitive parameters
Disallowing file uploads in parameters
If a parameter in a request exceeds the maximum length specified, the system presents an Illegal parameter value length violation. By default it is set to alarm; that means if a request triggers this violation, the system records the request in the Charts screen, the Syslog (/var/log/asm), and may record the request in the local log (the Requests screen) and/or in a remote log, according to the logging profile.
Creating navigation parameters
Creating parameters with dynamic content
You can also use DCV parameters for user identities in web applications that use sessions. As an example, user identity is often passed between pages as a hidden parameter, which could be exploited by malicious users, unless protected.
By default, the system saves up to 950 values that it finds for a dynamic content value parameter. If the number of values exceeds 950, the system replaces the first-extracted values with the new values.
Creating parameters with dynamic names
Changing character sets for parameter values
- On the Main tab, click .
- In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
- Use the View option to filter the character set.
-
For each character or meta character, change the state, as required.
State Description Allow The security policy permits this character or meta character in parameter values. Disallow The security policy does not permit this character or meta character in parameter values. - Click Save to save the changes.
- To put the security policy changes into effect immediately, click Apply Policy.
Changing character sets for parameter names
- On the Main tab, click .
- In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
- Use the View option to filter the character set.
-
For each character or meta character, change the state, as required.
State Description Allow The security policy permits this character or meta character in parameter names. Disallow The security policy does not permit this character or meta character in parameter names. - Click Save to save the changes.
- To put the security policy changes into effect immediately, click Apply Policy.
Adjusting the parameter level
You can adjust how the system determines what parameters it adds (automatic policy building) or suggests you add (manual learning) to the security policy. In most cases, you do not need to change the default values of these settings.
The security policy now adds parameters according to the level you specified.
Parameter Value Types
When you add a parameter to the security policy, you specify its parameter value type. The parameter value type indicates the format of the parameter. You can configure global, URL, and flow parameters as any value type, except the dynamic parameter name type. You can configure only flow parameters as dynamic parameter names.
Parameter Value Type | Description |
---|---|
Dynamic content value | Dynamic parameters are parameters whose values can change, and are often linked to a user session. When you create a new parameter of this type, you must also define dynamic parameter extraction properties. The server sets the value for dynamic content value (DCV) parameters. DCV parameters are often associated with applications that use session IDs for client sessions. |
Dynamic parameter name | If using flow parameters with names that change dynamically, you can use this parameter type. If you select this type, you also need to specify the URL from which the system can extract dynamic parameter name parameters. |
Ignore value | If you do not want the system to perform validity checks on the parameter value, select this value type. Regarding signatures, this value type prevents the system from performing parameter-based signature checks on the parameter value, but it does perform other relevant signature checks. |
JSON value | The JSON value type is for parameters that contain JSON data that is validated according to a JSON profile that defines the format of the data. Select an existing JSON profile or create a new one. |
Static content value | Static parameters are those that have a known set of values. A list of country names or a yes/no form field are both examples of static parameters. If you select this type, you also need to specify the static values for the parameter in the Parameter Static Values list. For example, a credit card payment parameter in a shopping application may be static and have the static values MasterCard®, Visa®, and American Express®. |
User-input value | User-input parameters are those that require users to enter or provide some sort of data. This is the most commonly used parameter value type. Comment, name, and phone number fields on an online form are all examples of user-input parameters. You can also configure user-input parameters even if the parameter is not really user input. For example, if a parameter has a wide range of values or many static values, you may want to configure the parameter as a user-input parameter instead of as a static content parameter. By default, the system looks for attack patterns within all alpha-numeric user-input parameters. For each parameter, you can enable or disable a specific attack signature. |
XML value | XML parameters are those whose parameter value contains XML data that is validated according to an XML profile that defines the format of the data. Select an existing XML profile or create a new one. |
How the system processes parameters
When you create any type of parameter, the system automatically places the parameter in staging and does not block requests even if a violation occurs and the system is configured to block that violation. Based on examining traffic, the system makes learning suggestions that you can accept or clear. If you create wildcard parameters, you also have the option of enabling learning for explicit entities.
- Flow parameters
- URL parameters
- Global parameters
About path parameters
Path parameters are parameters that are attached to path segments in the URI. You can configure Application Security Manager™ (ASM) to enforce path parameters as needed in your organization. Path parameters can be ignored, or treated as parameters, or as an integral part of URLs.
Although path parameters are not widely used, they could serve as covert back doors to potential attacks even for server applications that do not use path parameters. For example, an application could copy a URI with path parameters containing attack signatures to the body of the response.
Path parameters can have multiple parameters in the same path segment separated by semicolons. A semicolon also separates the path segment from the parameters; for example, /path/name;param1;p2;p3. Each parameter can optionally equal a value; for example, param=value;p2. If a path parameter has more than one value, the values are separated by commas, such as param=val1,val2,val3.
Path parameters are extracted from requests, but not from responses.
Enforcing path parameter security
Overview: Securing Base64-Encoded Parameters
Base64 encoding is a convenient encoding method that uses a compact presentation, and is relatively unreadable to the casual observer. Many applications apply base64 encoding to binary data, for inclusion in URLs or in hidden web form fields. Unfortunately, it is also possible to mask application attacks in base64-encoded data. To provide better security for applications that use base64 encoding, Application Security Manager™ can decode user-input parameter values that are base64-encoded.
Adding base64 decoding to a new user-input parameter
Adding base64 decoding to an existing user-input parameter
Adding URLs to a Security Policy
About adding URLs
In a security policy, you can manually specify the HTTP or WebSocket URLs that are allowed (or disallowed) in traffic to the web application being protected. If you are using automatic policy building (and the policy includes learning URLs), Application Security Manager™ (ASM) can determine which URLs to add, based on legitimate traffic. If a WebSocket profile is associated with the security policy virtual server, ASM can also add WebSocket URLs to the policy.
When you create a security policy, wildcard URLs of * (representing all HTTP or WebSocket URLs) are added to the Allowed HTTP and WebSocket URLs lists. During the enforcement readiness period, the system examines the URLs in the traffic and makes learning suggestions that you can review and add the URLs to the policy as needed. This way, the security policy includes the HTTP and WebSocket URLs that are typically used. When you think all the URLs are included in the security policy, you can remove the * wildcards from the allowed URLs lists.
About referrer URLs
Referrer URLs are web pages that request other URLs within a web application. For example, an HTML page can request a GIF, JPG, or PNG image file. The HTML page is the referrer, and the GIF, JPG, and PNG files are non-referrers. In lists of URLs, non-referrer URLs appear in blue and referrer URLs appear in gold.
A referrer in Application Security Manager™ is similar to the HTTP Referer header. Use referrers for complex objects, such as HTML pages, but not for embedded objects, such as GIF files.
Adding allowed HTTP URLs
Wildcard syntax
The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of file types, URLs, parameters, or cookies so that the entity name can match multiple objects.
Wildcard Character | Matches |
---|---|
* | All characters |
? | Any single character |
[abcde] | Exactly one of the characters listed |
[!abcde] | Any character not listed |
[a-e] | Exactly one character in the range |
[!a-e] | Any character not in the range |
Allowed HTTP URL properties
These tables describe the properties (both Basic and Advanced settings) that define HTTP URLs that the security policy will allow.
New allowed HTTP URL properties
Property | Description |
---|---|
URL | Specifies an HTTP URL that the security policy allows. The available types are:
|
Protocol | Specifies whether the protocol for the URL is HTTP or HTTPS. |
Perform Staging | Specifies that the system places this URL in staging. Learning suggestions produced by requesting staged URLs are logged in the Learning screens. Review staging status on the Allowed HTTP URLs screen. If a URL is in staging, point to the icon to display staging information. When you are no longer getting learning suggestions, you can disable this setting. If you enforce a URL, this setting is cleared. |
Check Flows to this URL | Specifies that the security policy validates flows to the URL (if configured). If this setting is disabled, the system ignores the flows to the URL. When you select this check box, additional settings appear. |
URL is Entry Point | (Visible when Check Flows to this URL is selected.) Specifies that this URL is a page through which a visitor can enter the web application. |
URL is Referrer | (Visible when Check Flows to this URL is selected.) Specifies that the URL is a URL from which a user can access other URLs in the web application. |
URL can change Domain Cookie | Specifies that the security policy does not block an HTTP request where the domain cookie was modified on the client side. Note that this setting is applicable only if the URL is a referrer. |
URL with Navigation Parameter | Specifies that you want to associate a navigation parameter with this URL. You must have a navigation parameter defined in the security policy to view this option. |
Select Navigation Parameter | Specifies a list of navigation parameters that you can associate with this URL. |
Navigation Parameter Value | Indicates the value of the navigation parameter. |
Clickjacking Protection | Specifies that the system adds the X-Frame-Options header to the domain cookie’s response header. This is done to protect the web application against clickjacking. Clickjacking occurs when attacker lures a user to click illegitimate frames and iframes because the attacker hid them on legitimate visible website buttons. Therefore, enabling this option protects the web application from other web sites hiding malicious code behind them. The default is disabled. After you enable this option, you can select whether, and under what conditions, the browser should allow this URL to be rendered in a frame or iframe. |
Allow Rendering in Frames | Specifies the conditions for when the browser should allow this URL to be
rendered in a frame or iframe.
|
Wildcard Match Includes Slashes | Specifies that an asterisk in a wildcard URL matches any number of path segments (separated by slashes); when cleared, specifies that an asterisk matches at most one segment. For example: the wildcard /art/* matches /art/abc/index.html if the wildcard match includes slashes (default value), but does not match it if the check box is cleared. In that case, it matches /art/go.html (only one segment below /art). |
HTML5 Cross-Domain Request Enforcement | CORS (Cross-Origin Resource Sharing) lets one website access the resources of another website using JavaScript (within the browser). Web applications may share resources with other websites hosted on a different domain. When the option is selected, the system protects a specific URL in your web application from cross-origin resource sharing. You can configure which domains can access the response generated by requesting this URL (the resource), and how to overwrite CORS response headers returned by the web server. |
URL Description | Describes the URL (optional). |
Header-Based Content Profiles
Property | Description |
---|---|
Request Header Name | Specifies an explicit header name that must appear in requests for this URL. This field is not case-sensitive. |
Request Header Value | Specifies a simple pattern string (glob pattern matching) for the header value that must appear in legal requests for this URL; for example, *json*, xml_method?, or method[0-9]. If the header includes this pattern, the system assumes the request contains the type of data you select in the Request Body Handling setting. This field is case-sensitive. |
Request Body Handling | Indicates how the system parses the content of requests for the allowed URL:
|
Profile Name | Specifies the XML, JSON, or GWT profile the security policy uses when examining requests for this URL if the header content is parsed as XML, JSON, or GWT. You can also create or view the XML, JSON, or GWT profile from this option. |
HTML5 Cross-Domain Request Enforcement
Property | Description |
---|---|
Allow HTML5 Cross-Origin Requests | Allows all CORS requests to this URL, and displays additional settings. |
Allowed Origins | Allows you to specify a list of origins allowed to share data returned by this URL. |
Allowed Methods | Allows you to specify a list of methods that other web applications hosted in different domains can use when requesting this URL. |
Allowed Headers | Allows you to specify a list of request headers that other web applications hosted in different domains can use when requesting this URL. Or you can delete non-simple headers returned in response to requests. |
Exposed Headers | Allows you to specify a list of response headers that are safe to expose to JavaScript, and can be shared with web applications hosted in different domains. Or you can allow only simple headers to be exposed. |
Allow Credentials | Specifies whether requests from other web applications hosted in different domains may include user credentials. |
Maximum Age | Specifies how long (in seconds) to cache in the browser the results of a preflight request (a special request that the browser sends to your web application to determine if JavaScript from another domain may access your resource). |
Meta Characters
Property | Description |
---|---|
Check characters on this URL | Specifies that the system verifies meta characters on this wildcard URL. You can change which meta characters are allowed or disallowed. |
Methods Enforcement
Property | Description |
---|---|
Override policy allowed methods | Specifies that the system allows you to override allowed methods for this URL. When selected, global policy settings for methods are listed, and you can change what is allowed or disallowed for this URL. |
Learning Settings for HTTP URLs
These settings are on the Learning and Blocking Settings screen.
Setting | Description |
---|---|
Learn New HTTP URLs | Specifies how to add, or suggests that you add URLs to the security policy if
you are creating a wildcard URL.
|
Maximum Learned HTTP URLs | Limits the number of URLs that the security policy allows. The default is 10000. |
Learn Allowed Methods on URLs | If selected, when the system learns a new URL with a method, it selects the override methods enforcement setting. If using automatic learning, suggestions are made for the new URL only. For manual learning, suggestions are made to add the method to the URL and to the policy as well. |
Classify Request Content of Learned HTTP URLs | If the system detects legitimate XML or JSON data for URLs in the security policy, the system adds or suggests you add XML or JSON profiles to the security policy and configures their attributes according to the data it detects. |
Collapse many common URLs into one wildcard URL | Collapses many common explicit URLs into one wildcard URL with a common prefix and suffix. The system collapses URLs only in the same directory (with the same prefix path) and the same file extension. The system creates a wildcard with no slash. |
File types for which wildcard URLs will be configured (e.g. *.jpg) | Specifies the file types for which to create a wildcard URL instead of adding explicit URLs. The system includes several by default. |
Adding disallowed HTTP URLs
Creating allowed WebSocket URLs
Adding disallowed WebSocket URLs
Enforcing requests for HTTP URLs based on header content
You can use header-based content profiles to configure how the system recognizes and enforces requests for this URL according to the header content in the request. You can also use header-based content profiles to block traffic based on the type of header and header value in requests for a URL.
Specifying characters legal in URLs
Overriding methods on URLs
If you are using automatic learning, on the Learning and Blocking Settings screen, under URLs, you can select Learn Methods on URLs; the system automatically learns overridden methods at the URL level. In that case, you do not need to perform this task.
Configuring flows to URLs
Creating flow parameters
Configuring dynamic flows to URLs
Configuring dynamic session IDs in URLs
Normally, if the system receives a request in which the dynamic session information does not match the settings in the security policy, the system issues the Illegal session ID in URL violation. When you allow dynamic session IDs in URLs, ASM extracts the dynamic session information from requests or responses, based on the pattern that you configure. For requests, the system applies the pattern to the URI up to, but not including, the question mark (?) character in a query string.
Adding Cookies
About cookies
Many web-based applications use cookies to help users navigate the web site efficiently and perform certain functions. For example, web servers may use cookies to authenticate users logging in to secure applications, or an application can use cookies to store user preferences. Whether using automatic policy building or manually creating a security policy, you may want to add cookies that the web application uses.
You may want a security policy to ignore certain known and recognized cookie headers that are included in HTTP requests. For example, if cookies can change on the client side legitimately, you can create allowed cookies.
You may also want a security policy to prevent changes to specific cookies, such as session-related cookies that are set by the application. If so, you can create enforced cookies. The cookie in the request must not be modified, or it generates the Modified Domain Cookie violation.
In addition, some PHP applications treat cookies as parameters and use the value of the cookie as input to the application. For that reason, you can have the system check attack signatures on the cookie (as you can for parameters). You can apply attack signatures only to allowed cookies, because enforced cookies are set by the server, and therefore, are considered to be secure.
Both allowed and enforced cookies can be put in staging when they are created so that you can make sure that they do not cause false positives during the staging period.
If you are using automatic policy building, the security policy adds cookies automatically. If manually building a security policy, the manual traffic learning screens suggest cookies to add.
About pure wildcard cookies
When you create a security policy, it includes a pure wildcard (*) and it is created as an allowed cookie in the Allowed Cookies list. You cannot delete the pure wildcard from the security policy but you can change its type from allowed to enforced. The allowed cookie wildcard allows all cookies, and you can specify which cookies the users cannot change in the enforced cookies list .This is considered a negative security model, because you allow all cookies except the ones you specify.
However, new cookies are added to the security policy (or not) based on the Learn Explicit Entities value of the matched wildcard. The value can be Never (do not add cookies) or Selective (add cookies that match the wildcard). The default value differs depending on the deployment scenario you use to create the policy.
The following deployments create pure wildcard cookies using the value Never, thus they do not add (or suggest to add) explicit cookies to the security policy:
- All templates (including Rapid Deployment policy)
- Automatic policy building with Fundamental policy type
- Vulnerability assessment
All other deployment scenarios create the pure wildcard cookie with Learn Explicit Entities set to Selective. So it adds (if building the policy automatically) or suggests to add (if building the policy manually) explicit cookies encountered in the traffic to the security policy.
In Selective mode, the system learns cookies that violate the settings of the wildcard. In particular, cookies that do not change are learned as enforced cookies. Most cookies are added to the security policy as allowed cookies, and are checked for the configured signature set. These are captured by the * pure wildcard. The exceptions are the enforced cookies and cookies that need to be exempted from some of the signature checks. These are whitelisted.
Wildcard syntax
The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of file types, URLs, parameters, or cookies so that the entity name can match multiple objects.
Wildcard Character | Matches |
---|---|
* | All characters |
? | Any single character |
[abcde] | Exactly one of the characters listed |
[!abcde] | Any character not listed |
[a-e] | Exactly one character in the range |
[!a-e] | Any character not in the range |
About cookies and learning
When you create a security policy that includes cookies, the system adds new cookies (or suggests that you add them) to the security policy (or not) based on the Learn Explicit Entities value of the matched wildcard. The value can be Never (do not add cookies) or Selective (add cookies that match the wildcard). The default value differs depending on the deployment scenario you use to create the policy.
The following deployments create pure wildcard cookies using the value Never, thus they do not add (or suggest to add) explicit cookies to the security policy by default:
- Rapid Deployment policy
- Automatic policy building with Fundamental policy type
- Vulnerability assessment
All other deployment scenarios create the pure wildcard cookie with Learn Explicit Entities set to Selective. So the system adds (if building the policy automatically) or suggests to add (if building the policy manually) explicit cookies encountered in the traffic to the security policy.
You could start by having the wildcard set to selective in the allowed cookies, get a list of all the cookies that your web application uses, then move them to the enforced list. This would make it easier to add the cookies that your web application uses and that you want to enforce to the security policy.
About adding cookies
Application Security Manager™ (ASM) allows you to add cookies with different characteristics to security policies.
You can specify the cookies that you want to allow, and the ones you want to enforce in a security policy:
- Allowed cookies: The system allows these cookies and clients can change them.
- Enforced cookies: The system enforces the cookies in the list (not allowing clients to change them) and allows clients to change all others.
If the cookies in the web application change, you can edit or delete the cookies.
Adding allowed cookies
Adding enforced cookies
Changing the order in which wildcard cookies are enforced
Editing cookies
Deleting cookies
Specifying when to add explicit cookies
Configuring the maximum cookie header length
The system calculates and enforces the cookie header length based on the sum of the length of the cookie header name and value. Requests with headers that are longer than the maximum length cause an Illegal header length violation.
Overview: Configuring advanced cookie protection
Many of the Application Security Manager™ (ASM) security features store ASM™ cookies on clients as part of the traffic security enforcement. Examples of security features that use cookies for validation are cookie enforcement, parameter enforcement, CSRF protection, login enforcement, session tracking, and anomaly detection. Cookie enforcement is also called domain cookies; cookies for the other features are called other ASM cookies.
The system applies a random security key unique to each deployment and uses it in conjunction with an encryption algorithm. The combination of the randomly generated key and the selected algorithms is called the security context. Normally, you do not have to change the cookie protection settings. However, in cases where you suspect a security breach has occurred, or if you want a different balance between speed and security, you can reconfigure cookie protection.
By default, when you initially start the system, it automatically generates a security key and sets the cookie security level to secure. You can change the encryption schema to provide faster cookie protection by reconfiguring cookie protection.
If you want to use the same security context on other systems, you can set up advanced cookie configuration settings on one BIG-IP® system and export them. You can then import the settings on the other systems. You can configure all your systems to use the same cookie protection, or apply different settings to the systems. However, if you have multiple ASM-enabled devices that share traffic (and are not synchronized using device groups), it is recommended that those systems should all use the same cookie protection settings.
If synchronizing multiple ASM systems using device groups, you can configure the settings you want to use for all systems on one and then synchronize the systems.