Blogs

The APIsec endpoint will only be available under the policy section if Automatic Integration is enabled before the endpoint is discovered and baselined. If Automatic Integration is enabled after the endpoint is discovered and baselined, then the endpoint will not be visible under the policy section and therefore the endpoint will not be protected by the APIsec security policy. How to make the APIsec endpoint appear in the APIsec policy section: Disable the Automatic Integration and save the configuration. Then enable the Automatic Integration and save the configuration. After the above steps, you should see the endpoint under APIsec policy and therefore it is ...
0 comments
APIsec endpoints will only get discovered when all the below conditions are met: In the API response, the HTTP status code should be between 2xx and 3xx. If the Response body or Content-length of the API response is <10000 bytes. Currently this is a hard-coded limit and can't be changed. If Content-type indicates that the response is an API response. Content-type for a valid API response would be application/json, application/xml. Only when all the above 3 conditions are matched will the API endpoints be discovered. If an API call satisfies all the above 3 criteria and the API call is still not getting discovered, kindly open a support case with Imperva Support ...
0 comments
Today, I’d like to talk about SYN cookies and how they can help protect your network from SYN and TCP floods, which are very harmful cyberattacks on the Network layer 3/4. Have you ever experienced a situation where your network was bombarded with a lot of SYN and TCP flood attacks, causing problems like false alarms or making it hard to connect to your servers during these attacks? Don’t worry! Our SYN cookies feature, which can be enabled by request, can come to the rescue. It’s designed to deal with these attacks effectively while keeping false alarms to a minimum. Let’s simplify what SYN cookies are: SYN cookies are often employed ...
0 comments
In some scenarios, customers might see a custom certificate when they access their site, even when the custom certificate is not active for the site. The reason is that the Imperva proxy first checks to see if a custom certificate was uploaded to the specific site. If one is not found, the proxy looks at other sites in the same account. If the proxy identifies a certificate uploaded to another site in the same account that has a SAN corresponding to the site, then that custom certificate is used. However, the above behavior is different for websites onboarded to Imperva after October 20, 2021; the proxy now selects a certificate in this order: The website's ...
0 comments
Sometimes, it's possible that when we create a rule on a site, for example at 14:00 SGT, the rule may catch and show events from 12:00 SGT, even before the rule was created. This behaviour is a bit odd, as the rule was catching an event which was created before the rule. Please see the screenshot below. Please note that this is an expected behaviour of the WAF, as the session from that particular IP is still active and is matching the rule syntax; hence, we can see the events generated from the rule even before the rule was created. #CloudWAF(formerlyIncapsula)
0 comments
It happens a few times that, due to the Incaprule creation, legitimate clients, for example, Chrome etc., get misclassified as the Unknown bot or classified as a different client like Edge, etc., and get blocked. It happens as the WAF couldn't classify the request correctly, which leads to the misclassification of the client. The Client classification process is somewhat complex and multi-staged. It is based on various values from each request like headers, TLS signatures, and fingerprints. Hence, it may take a few more requests for clients to be fully classified by Imperva WAF. The Num on Session filter will count the number of requests received from the client ...
0 comments
We have seen a lot of cases where the client is getting challenged by the Identify Eventually condition under the Identify Directive but no block happens, as it’s the JavaScript Challenge by ABP to fingerprint the request. If this issue happens with the client, we can suggest increasing the thresholds for no_token to > 10, as it will give appropriate time for the request to fingerprint, resolving the issue. Please note that this will work but not for the API endpoints. For the API endpoints, we need to Scope Out the path; therefore, we need to cross-check with the client whether they are the API endpoints or not, as the API endpoints cannot pass the ABP ...
0 comments
Hi, community, I am Ishita Jain, Senior SOC Engineer from the APJ Cloud WAF team at Imperva. One of my key areas of focus is helping our customers mitigate attacks at Layer 7 as well as Layer 3/4. I am grateful to Imperva for giving me an opportunity to share my knowledge in video form (an easy and preferred way to learn for many of us). I am here to talk about how Imperva defines a custom security policy for each DDoS Protection for Networks customer network range, and how the policy impacts our mitigation process. I hope this will help you strengthen the security posture of your application/Domain. I'd love to hear your ...
0 comments
Hi, community, I am Ishita Jain, Senior SOC Engineer from the APJ Cloud WAF team at Imperva. One of my key areas of focus is helping our customers mitigate attacks at Layer 7 as well as Layer 3/4. I am grateful to Imperva for giving me an opportunity to share my knowledge in video form (an easy and preferred way to learn for many of us). I am here talking about our Network DDoS Analytic Dashboard, which is one of our powerful tools for our DDoS protection for networks and IPs customers, which helps to see top traffic patterns for the DDoS traffic on the network that was blocked by Imperva or clean traffic that was routed through Imperva and ...
0 comments
At the moment we cannot block the destination port as we don't have any specific filter for this. This can be achieved by using the filter Header Value. Please see the following rule: HeaderValue != {"host";"varularora.com:443"} : This rule will block all the connections to the site user3.incaptest.net except the port 443. When we try to add the rule, the rule will be added like in the screenshot below. #CloudWAF(formerlyIncapsula)
0 comments

Incident ID 0

When we are testing the requests via Postman to any site, for instance say, user3.soccloudwaf.com, we get the 200 OK response. (Please see the screenshot below.) By default, Postman sends Auto Generated Headers; when we deselect the HOST option and send the request, then we get the incident ID 0-random_numbers with a 503 Error. (Please see the screenshot below.) This incident ID does not include session information (the session part of the incident ID in this case is 0). The 0 indicates that this was a session-less incident, which means that the request was halted on Imperva's side. These types of incidents cannot be trace ...
0 comments
End of Sale Notice for Imperva App Protect Essentials Subscriptions. Customers who are currently on an App Protect Essentials subscription plan received an End of Sale (EOS) notice via email today. Below is a summary of the announcement, as well as a FAQ. If you have any questions, please contact your Account Executive or sales@imperva.com. What’s Changing: Effective December 31, 2023, new or renewed subscriptions as well as bandwidth upgrades of App Protect Essentials will no longer be available for purchase. Additionally, Enterprise Services for App Protect Essentials will no longer be available. What Happens Next: On ...
0 comments
End of Sale Notice for Incapsula Enterprise Subscriptions. Customers who are currently on an Incapsula Enterprise subscription plan received an End of Sale (EOS) notice via email today. Below is a summary of the announcement, as well as a FAQ. If you have any questions, please contact your Account Executive or sales@imperva.com. What’s Changing: Effective December 31, 2023, renewals of Incapsula Enterprise subscriptions as well as bandwidth upgrades and site additions will no longer be available for purchase. Additionally, the corresponding Managed Services for Incapsula subscriptions will no longer be available. What Happens ...
0 comments
Several Distributed Denial of Service (DDoS) attacks are targeting organisations. DDoS attacks continue to be the topic of top-level executives' concerns. DDoS attacks remain dangerous and can be used to distract the security team and enable attackers to prepare other sophisticated and damaging attacks. The diagram below shows recent statistics from our Threat research team; DDoS attacks have increased significantly. Source: https://www.imperva.com/cyber-threat-index#ddod-threats All recent attacks have proven the fragility of the network infrastructure of our customers. It could appear that an ...
0 comments
Imperva recommendation: When you unselect a Good bot from the good bot list, the requests from those good bots will be treated like regular requests, which means they may or may not be blocked. To categorize further on the request level in terms of bot categories or type of bots, configure the WAF log integration to your SIEM solution. (https://docs.imperva.com/bundle/cloud-application-security/page/settings/client-classification.htm) If you do not suspect customers to come from a particular client type then you can present those client types with Captcha to restrict only human traffic. Enabling the "Require ...
0 comments
When onboarding an application onto Imperva Cloud WAF, setting the correct DDoS value may be key to a good user experience. The DDoS value by default is 1000 requests per second (rps); however, as a default the value is quite arbitrary: for a busy site this may be too low, and for a quiet site an attack may just slip under the radar. From this you may ask two important questions. How do I set the correct value? What is the impact of an incorrect value? How do I set the correct value? The value for a DDoS threshold should be greater than the average traffic usage. Opinions vary as to its value, some suggesting between 125% ...
0 comments
"The Ease of Deployment is critical for the success of new projects. The greater the impact on the existing network infrastructure, the longer deployment takes." The purpose of this post is not to redefine or to provide new guidelines for the PoV. The goal is to highlight the basic checklist to run to easily succeed at an application onboarding. As the PoV aims to demonstrate that a solution matches the customer's use cases, it is important to define the customer's purpose before starting your PoV. Below is listed a set of checks Imperva recommends performing before an application onboarding: Environment check Hosting Firewall ...
0 comments
Hi Community, I wanted to bring to your attention this update posted by Imperva's Chief Technology Officer, Kunal Anand. Note that each of these has been covered in our weekly Threat Intel Report, which you can find here. Please see details below... Kunal Anand, Chief Technology Officer (2 min read) There are three concurrent events of significant concern: An Anonymous Sudan group chat on Telegram has revealed imminent threats from Russia to the US financial system, specifically targeting the SWIFT network. The motive behind this attack is disruption. By attacking SWIFT and inducing potential downtime, the attackers could ...
0 comments
In this very short edition of our WAF Gateway Fundamentals, I will cover (very succinctly) MX Alerts Data Structure, before we move on to Web Profiling in the next edition. If you have any questions, I'd love to hear them in the comment section. Don't forget you can see the rest of the "WAF Gateway Fundamentals" blog series here. Definitions: I will start with a few key definitions. Event: Event is the basic entity when discussing alerts; it represents the traffic seen by the Gateway. For example, HTTP request, SQL query, file operation, TCP stream. Irregular Behaviour: Also known as a violation (this is how it is called on the UI), ...
0 comments
Hello, In case you have missed it, I thought you might be interested in the 10th Annual Imperva Bad Bot Report we have just released. This year's report, based on data from our global network in 2022, including 6 trillion blocked bad bot requests, delves into the relationship between bad bots, online fraud, API insecurity, and the impact of automated attacks across various industries. You can download the report on our website here. Highlights of this year’s report: - Bad Bots are 30% of automated traffic - Automated attacks targeting APIs on the rise - Evasive bad bots accounted for 66.6% of all bad bot traffic ...
1 comment