Forum Discussion
Good question..
1. https://my.web.site/netstat.exe ==> here netstat.exe comes as file type and ASM is quickly blocking it as you have selected "Illegal file type" blocked during policy creations.
2. https://my.web.site/path?netstat.exe ==> here URI is "path?netstat.exe" & you have not asked ASM to blocked it and hence request is allowed. You need to act on positional parameters to block these kind of request.- Abed_AL-RCirrostratus
thanks for the reply
do you mean that in the second example the netstat.exe is treated as parameter and not as fle type?
and how should I act on positional parameters to block these kind of request?
do you mean that in the second example the netstat.exe is treated as parameter and not as fle type? Its parameter(Query String) not file type.
and how should I act on positional parameters to block these kind of request?
- Navigate to Security ›› Application Security : Policy Building : Learning and Blocking Settings > Illegal parameter data type
- Then Security ›› Application Security : Parameters : Parameters List ›› Add Parameter...
- Parameter Level: URL, URL Path: GET, Location: Query string, Parameter Value Type: User-input values, Data Type: Alpha-Numbric, Regular Expression: ^(.*\.)(exe)$
Hope it will work.
- Jefferson_NavarEmployee
In order to block the request, you can follow these steps:
1)_ Fix and use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$
Tool: https://regex101.com/2)_ Create Attack Signature List.
Security ›› Options : Application Security : Attack Signatures : Attack Signatures List3)_ Create custom "Attack Signature Sets"
Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets4)_ Enforce the Signature in the policy
5)_ Test