Imperva Cyber Community

  • 1.  How to block non normalized content in parameter

    Posted 12-04-2024 00:11

    Hi, 

    I have a question about how the WAF blocks non-normalized content in a parameter.

    Let's say I have an example request:

    GET /search?xd=&%23X003c HTTP/1.1

    The /search is the actual URL.
    The xd is the parameter with value &%23X003c

    I want to block the value: "&%23X003c" 

    I see that the WAF can look in these locations, and I have configured the signature to look in all of those locations.

    • URL: Request URLs.
    • Parameters: Parameters in the request.
    • Headers: HTTP headers.
    • Response Content: content returned by the web server.
    • Non Normalized URL: the raw URL, as it is received in the actual request.

    But none of them works.

    I suspect it's because the parameter is being normalized before hitting the policy?


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Nam Bui Hoang
    Security Engineer
    Tien Phong Commercial Joint Stock Bank
    Hanoi
    ------------------------------


  • 2.  RE: How to block non normalized content in parameter

    Posted 25 days ago

    Hi Nam,
    Did you manage to find the information you were looking for?
    Thanks,

    Sarah



    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------



  • 3.  RE: How to block non normalized content in parameter

    Posted 25 days ago

    Hi Nam,

    Can you share a screenshot of your "Generic Dictionary Group" details?



    ------------------------------
    Cezmi Cal
    Consultant
    Barikat Internet Guvenligi Bilisim Ticaret A.S.
    Ankara
    ------------------------------



  • 4.  RE: How to block non normalized content in parameter

    Posted 24 days ago

    I tried 2 ways to do it and neither works.

    First is with Generic Dictionary. It's a simple config.
    Then I tried every single location; it didn't work.

    Second is with a signature; I tried every location. Again, it didn't work.


    I've created a case asking for advice already but it's low priority so no one is responding.



    ------------------------------
    Nam Bui Hoang
    Security Engineer
    Tien Phong Commercial Joint Stock Bank
    Hanoi
    ------------------------------



  • 5.  RE: How to block non normalized content in parameter

    Posted 24 days ago
    Edited by Cezmi Cal 24 days ago

    First of all, you may try to trigger an alert for this request with another basic security rule that matches this request, and then you can look up the violation details to see the value of this parameter. In this way you can be sure about normalization.

    Your first way seems okay and should work if it is applied correctly to the server group.

    The second way also looks good if you used an "HTTP Protocol Signatures" type policy, but if you tried with a custom policy, you first need to apply the related dictionary to the required server group in order for that custom policy to work.

    You can look up the following article: https://support.imperva.com/s/document-item?bundleId=z-kb-articles-knowledgebase-support&topicId=289388151.html&_LANG=enus



    ------------------------------
    Cezmi Cal
    Consultant
    Barikat Internet Guvenligi Bilisim Ticaret A.S.
    Ankara
    ------------------------------



  • 6.  RE: How to block non normalized content in parameter

    Posted 20 days ago

    Hi,

    The body of the packet in WAF is normalized, hence the question asking how to catch non-normalized content in a parameter.

    The server group and HTTP Protocol Signatures are all correctly applied.

    Would be nice if you can test it out in a lab first to see if you can block it. 

    Much appreciated if so.



    ------------------------------
    Nam Bui Hoang
    Security Engineer
    Tien Phong Commercial Joint Stock Bank
    Hanoi
    ------------------------------
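
Added example (not posted by anyone in this thread, and not Imperva code): a sketch of which views of the quoted request still contain the literal string `&%23X003c` after each common normalization step. It assumes standard query-string handling (split on `&`, then percent-decode, then HTML-entity decode) using the Python standard library as a stand-in; the WAF's actual normalization order is not documented on this page.

```python
import html
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST_LINE = "GET /search?xd=&%23X003c HTTP/1.1"  # request line quoted in the thread
NEEDLE = "&%23X003c"                                # string the poster wants to match


def views(request_line):
    """Build the strings a matcher could inspect at each normalization stage."""
    _method, target, _version = request_line.split(" ")
    raw_query = urlsplit(target).query
    # Parameters are split on '&' BEFORE percent-decoding, so the leading
    # '&' of the needle acts as a delimiter and never lands inside a value.
    params = parse_qsl(raw_query, keep_blank_values=True)
    url_decoded = unquote(raw_query)          # %23 -> '#'
    entity_decoded = html.unescape(url_decoded)  # &#X003c -> '<'
    return {
        "raw_target": target,
        "raw_query": raw_query,
        "params": params,
        "url_decoded_query": url_decoded,
        "entity_decoded_query": entity_decoded,
    }


def where_matches(needle, request_line):
    """Return the names of the views in which the literal needle still appears."""
    hits = []
    for name, value in views(request_line).items():
        if name == "params":
            found = any(needle in k or needle in v for k, v in value)
        else:
            found = needle in value
        if found:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for name, value in views(REQUEST_LINE).items():
        print(f"{name:22} {value!r}")
    print("literal needle found in:", where_matches(NEEDLE, REQUEST_LINE))
```

Under these assumptions the literal string survives only in the raw request target; the parsed parameters are `xd` with an empty value and a second, valueless parameter named `#X003c`, so a match scoped to parameter values would have to target the normalized form instead.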