Original Message:
Sent: 12-20-2024 02:29
From: Cezmi Cal
Subject: How to block non normalized content in parameter
First of all, you may try to trigger an alert for this request with another basic security rule matching this request, and then you can look up the violation details to see the value of this parameter. In this way you can be sure about normalization.
Your first way seems okay and should work if it is applied correctly to the server group.
The second way also looks good if you used an "HTTP Protocol Signatures" type policy, but if you tried with a custom policy, you first need to apply the related dictionary to the required server group in order for that custom policy to work.
You can look up the following article: https://support.imperva.com/s/document-item?bundleId=z-kb-articles-knowledgebase-support&topicId=289388151.html&_LANG=enus
------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara
Original Message:
Sent: 12-19-2024 20:38
From: Nam Bui Hoang
Subject: How to block non normalized content in parameter
I tried 2 ways to do it and neither works.
First is with Generic Dictionary. It's a simple config.
Then tried every single location, didn't work.
Second is with signature, tried every location. Again, didn't work.
I've created a case asking for advice already but it's low priority so no one is responding.
------------------------------
Nam Bui Hoang
Security Engineer
Tien Phong Commercial Joint Stock Bank
Hanoi
Original Message:
Sent: 12-19-2024 09:10
From: Cezmi Cal
Subject: How to block non normalized content in parameter
Hi Nam,
Can you share a screenshot of your "Generic Dictionary Group" details?
------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara
Original Message:
Sent: 12-04-2024 00:10
From: Nam Bui Hoang
Subject: How to block non normalized content in parameter
Hi,
I have a question about how the WAF blocks non-normalized content in a parameter.
Let's say I have an example request:
GET /search?xd=&%23X003c HTTP/1.1
The /search is the actual URL.
The xd is the parameter with value &%23X003c
I want to block the value: "&%23X003c"
I see that the WAF can look in these locations and have configured the signature to look in all those locations.
- URL: Request URLs.
- Parameters: Parameters in the request.
- Headers: HTTP headers.
- Response Content: content returned by the web server.
- Non Normalized URL: the raw URL, as it is received in the actual request.
But none of them works.
I suspect it's because the parameter is being normalized before hitting the policy?
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Nam Bui Hoang
Security Engineer
Tien Phong Commercial Joint Stock Bank
Hanoi
------------------------------
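As an added example (not from either poster, and not Imperva code), the Python below uses the standard library's generic URL and HTML-entity decoders to show which literal form of the request from the question exists at each decoding stage, and so which string a signature would have to match there. It does not model the WAF's own normalization; the stage names are hypothetical labels.

```python
import html
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line quoted in the question above; nothing else is taken from the thread.
REQUEST_LINE = "GET /search?xd=&%23X003c HTTP/1.1"


def views(request_line):
    """Return the query string as seen at successive generic decoding stages."""
    _method, target, _version = request_line.split(" ")
    raw_query = urlsplit(target).query
    # Standard parsers split on '&' before percent-decoding, so the literal
    # '&' ends the value of xd and '%23X003c' becomes a second parameter name.
    params = parse_qsl(raw_query, keep_blank_values=True)
    url_decoded = unquote(raw_query)            # %23 -> '#'
    html_decoded = html.unescape(url_decoded)   # '&#X003c' -> '<'
    return {
        "raw_query": raw_query,
        "url_decoded": url_decoded,
        "html_decoded": html_decoded,
        "params": params,
    }


def where_matches(pattern, request_line=REQUEST_LINE):
    """List the stages at which a literal signature pattern would be found."""
    v = views(request_line)
    hits = [name for name in ("raw_query", "url_decoded", "html_decoded")
            if pattern in v[name]]
    if any(pattern in value for _name, value in v["params"]):
        hits.append("param_value")
    return hits


if __name__ == "__main__":
    for key, value in views(REQUEST_LINE).items():
        print(f"{key:13} {value!r}")
    for pattern in ("&%23X003c", "&#X003c", "<"):
        print(f"{pattern!r:13} matches at: {where_matches(pattern)}")
```

To find out which of these forms the WAF actually evaluates, compare them with the parameter value shown in the violation details, as suggested in the reply above.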