Imperva Cyber Community

Expand all | Collapse all

How to evaluates HTTP request body for malicious content.

  • 1.  How to evaluates HTTP request body for malicious content.

    Posted 12-17-2020 02:47

    As per the predefined dictionary configurations most of them are configured to check the urls and parameters of HTTP request for malicious content.

    How do i configure to make sure that WAF evaluates the request body as well against the predefined signatures on WAF?

    I see that there is an option under HTTP service to evaluate the request body but i think we will have to manually create signature's and then policy for this? but what i would like to configure to evaluate request body against the predefined signature's?


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Nishanth Minikkaran
    Allianz technology
    ------------------------------


  • 2.  RE: How to evaluates HTTP request body for malicious content.

    Imperva Employee
    Posted 02-25-2021 09:00
    Hi @Nishanth Minikkaran,

    ​The signatures are usually developed by our Security Research team ADC to mitigate the vulnerabilities and CVEs that were found during their research.
    When the malicious part is expected to be in URLs or parameters, they will create a signature to match that. When the malicious code is expected to appear in the body, the signature will look for it in the body of the request.
    In general, the options are:

    Web signature:

     URL- Request URLs after being normalized by Imperva GW.

    Parameters - Parameters in the request.

    Headers - HTTP headers.

    Response Content - content returned by the webserver.

    Non-Normalized URL - the URL raw, as it is received in the actual request.

    If you have a specific signature you think we should check against the body, please let me know and I can check why it was configured the way it is.



    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------