Generating Traffic Learnings through Explore scans

Hi Nik,

 

 

I personally like defining a * URL and only define specific URLs if they trigger meta-character or attack signature violations. So for 1) I would say no, do not define every URL for a web application in the security policy.

 

 

I highly suggest enforcing meta-characters for each of the four character sets (header, URL, parameter name, parameter value). For 2) and 3) I suggest you do use learning or other tools to keep a tight list of globally allowed meta-characters for parameter names and values and make only make specific exceptions. For parameter names and values, I try to make exceptions by defining a specific global parameter and relax the character set there.

 

 

For example, on the * global parameter, only allow "A-Z a-z 0-9 Space ! " ( ) + , - . @ [ ] _ { } $ ? = :" for parameter names. For parameter values, only allow "A-Z a-z 0-9 Space CR LF ! " ( ) + , - . @ [ ] _ { } $ ? = : ". Then if for example the web app requires use of meta-characters in this list for the password parameter "' % < > &; `", create a global parameter named password and allow the meta-characters only on that parameter value.

 

 

I added some of this info on what I use for character sets to a recent post with you:

 

https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/2161357/showtab/groupforums/Default.aspx2238613

 

 

Aaron