Forum Discussion

Tariq_Sako_9038
Aug 24, 2016

WildCard Parameters

Hi All, I have a question about ASM parameters: is it safe to have wildcard parameters? What's the level of impact I'm expecting on my security by doing that?

  • Depends on your environment. I use wildcard parameters in 95% of deployments in conjunction with 3-5 specific (the most important) parameters. I think it's a smart thing to do, because listing out all individual parameters for maximum granularity is too expensive to manage. It's also a very risky strategy (any minor application patch could come with an impact).

    What will you lose? Parameter Length and Meta Character restrictions are universal. To give you an example, the value of a parameter "2-letter-country-code" never needs to exceed 2 bytes. But due to your wildcard strategy, setting such a low limit is not viable because other parameters require more bytes for their legitimate values. Is it a significant loss? In my opinion, it's quite marginal.

    tl;dr: go with a wildcard, and list out only those parameters that are of key importance. To give you an idea of important parameters that are worth dedicated security specifications: session-id, social-security-number, password, api-access-token, credit-card-no, passport-number.
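
The trade-off the answer describes, as an added example that is not part of the original thread and is not F5 ASM code or its policy syntax: a small Python model of a parameter policy in which a few explicit entries carry tight length and meta-character limits while a wildcard entry catches every other parameter with necessarily looser ones. The parameter names come from the answer; all limits and patterns are assumed values for illustration.

```python
"""Simplified model of the wildcard-plus-explicit parameter strategy.

Added example, not F5 ASM code or its policy syntax. Parameter names are the
ones the answer lists; all limits and patterns are assumed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ParamRule:
    max_len: int          # maximum value length in bytes
    allowed: re.Pattern   # whole-value pattern, i.e. the meta-character restriction


# Explicit entries: tight, per-parameter limits (assumed values).
EXPLICIT = {
    "session-id":       ParamRule(64,  re.compile(r"[A-Za-z0-9]+")),
    "password":         ParamRule(128, re.compile(r"[^<>]*")),
    "api-access-token": ParamRule(256, re.compile(r"[A-Za-z0-9._-]+")),
    "credit-card-no":   ParamRule(19,  re.compile(r"[0-9]+")),
}

# Wildcard entry: one rule for everything else, so its limits must be wide
# enough for the longest legitimate value of any unlisted parameter.
WILDCARD = ParamRule(1024, re.compile(r"[^<>]*"))


def check_param(name: str, value: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a single request parameter."""
    source = "explicit" if name in EXPLICIT else "wildcard"
    rule = EXPLICIT.get(name, WILDCARD)
    size = len(value.encode("utf-8"))
    if size > rule.max_len:
        return False, f"{source}: length {size} > {rule.max_len}"
    if rule.allowed.fullmatch(value) is None:
        return False, f"{source}: illegal meta-characters"
    return True, f"{source}: ok"


def check_request(params: dict[str, str]) -> dict[str, tuple[bool, str]]:
    """Evaluate every parameter of one request against the policy."""
    return {name: check_param(name, value) for name, value in params.items()}
```

With this policy a 300-byte value for `2-letter-country-code` is accepted under the wildcard, which is exactly the marginal loss the answer points out; only an explicit entry for that parameter could enforce the 2-byte limit.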


4 Replies


    • Tariq_Sako_9038

      Thanks a lot for your kind feedback, appreciate your time and efforts

