WAF Explanations

RFC violations

Table A.1 RFC violations

| RFC violation | Violation trigger event | Attack type |
|---|---|---|
| Cookie not RFC-compliant | The cookie header in the request does not comply with the formatting standards specified in the RFC for HTTP state management. | HTTP parser attack |
| Evasion technique | The content of the request contains encoding or formatting that represents an attempt to bypass attack signature detection. The subviolation checks that can occur are listed in the next table. | Depends on subviolation |
| HTTP protocol compliance failed | The request does not comply with one of the HTTP protocol compliance checks listed below. | Depends on subviolation |

Evasion technique subviolations:

| Subviolation | Check performed | Attack type |
|---|---|---|
| Directory traversals | The request includes directory traversal commands such as ../ | Path traversal |
| Multiple decoding (n decoding passes) | The URI or parameter values are encoded multiple times and may indicate an attack. You can set the number of decoding passes (2, 3, 4, or 5) at which to issue the violation. | |
| %u decoding | The system performs Microsoft %u Unicode decoding to check for various attacks. | |
| IIS backslashes | The system normalizes backslashes to slashes to prevent attackers from requesting files. | |
| IIS Unicode codepoints | The system handles the mapping of IIS-specific non-ASCII codepoints. | |
| Bare byte decoding | The system detects ASCII bytes higher than 127. | |
| Apache whitespace | The system detects the following characters in the URI: 0x09, 0x11, 0x12, and 0x13. | |
| Bad unescape | The system detects illegal HEX encoding and reports unescaping errors (such as %RR). | |

HTTP protocol compliance checks:

| Check | Description | Attack type |
|---|---|---|
| POST request with Content-Length: 0 | | HTTP Request Smuggling Attack |
| Mandatory HTTP header is missing | The request does not contain an HTTP header specified as mandatory by the security policy. | |
| Header name with no header value | | |
| Several Content-Length headers | | |
| Chunked request with Content-Length header | | |
| Body in GET or HEAD requests | | |
| Bad multipart/form-data request parsing | | |
| Bad multipart parameters parsing | | |
| No Host header in HTTP/1.1 request | | |
| CRLF characters before request start | | |
| Host header contains IP address | | |
| Content should be a positive number | | |
| Bad HTTP version | | |
| Null in request | | |
| High ASCII characters in headers | | |
| Unparsable request content | | |
| Check maximum number of headers (n maximum headers) | | |

The remaining attack types recorded for checks in this group are HTTP Request Smuggling Attack, Non-browser client (listed twice) and Injection Attempt; the flattened source does not preserve which check each belongs to.
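The evasion-technique subviolations above are decoding and normalization steps that a WAF runs before signature matching. The following is an added example, not F5 code, showing how those steps combine into a single check over a raw request URI: a configurable decoding-pass threshold (assumed here to be 2), Microsoft %u decoding, bare-byte and Apache-whitespace detection, bad %-escape detection, backslash normalization, and a directory-traversal test on the fully decoded path. The IIS codepoint mapping is omitted because it depends on a product-specific table.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed policy setting for this example: the decoding-pass count at which
# "Multiple decoding" is raised (the product lets you choose 2, 3, 4 or 5).
MULTIPLE_DECODING_PASSES = 2
MAX_PASSES_TRIED = 5

APACHE_WHITESPACE = {0x09, 0x11, 0x12, 0x13}        # bytes the "Apache whitespace" check looks for
PCT_U = re.compile(rb"%u([0-9A-Fa-f]{4})")           # Microsoft-style %uXXXX escape
BAD_PCT = re.compile(rb"%(?![0-9A-Fa-f]{2})(?!u[0-9A-Fa-f]{4})")  # '%' not followed by a valid escape


def decode_once(data: bytes) -> bytes:
    """One decoding pass: expand %uXXXX to UTF-8, then standard %XX escapes."""
    step = PCT_U.sub(lambda m: chr(int(m.group(1), 16)).encode("utf-8"), data)
    return unquote_to_bytes(step)


def check_evasion(uri: bytes) -> list:
    """Return the evasion-technique subviolations raised for a raw request URI."""
    findings = []
    if BAD_PCT.search(uri):
        findings.append("Bad unescape")
    if PCT_U.search(uri):
        findings.append("%u decoding")
    if any(b > 127 for b in uri):
        findings.append("Bare byte decoding")
    if any(b in APACHE_WHITESPACE for b in uri):
        findings.append("Apache whitespace")

    # Decode repeatedly until the value stops changing, counting the passes.
    current, passes = uri, 0
    while passes < MAX_PASSES_TRIED:
        decoded = decode_once(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    if passes >= MULTIPLE_DECODING_PASSES:
        findings.append(f"Multiple decoding ({passes} passes)")

    # Normalize backslashes to slashes before the traversal check.
    if b"\\" in current:
        findings.append("IIS backslashes")
        current = current.replace(b"\\", b"/")

    # Directory traversal: any ".." path segment left after full decoding.
    path = current.split(b"?", 1)[0]
    if b".." in path.split(b"/"):
        findings.append("Directory traversals")
    return findings


if __name__ == "__main__":
    # Constructed sample URIs, one per subviolation.
    for sample in (b"/index.html", b"/files/%252e%252e/%252e%252e/secret.txt",
                   b"/%u002e%u002e\\secret", b"/x%RR", b"/a\tb", b"/caf\xe9"):
        print(sample, check_evasion(sample))
```

The traversal check runs on the fully decoded, slash-normalized path rather than on the raw bytes, which is the point of the subviolations: a signature that only looks at the raw URI never sees the `..` that a double-encoded or backslash-separated request produces after decoding.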
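The HTTP protocol compliance checks are decided from the request framing alone. As an added example (not F5 code), the function below parses one raw HTTP/1.x request and reports the checks from the list above that it can evaluate without a security policy: null bytes, leading CRLF, bad version, empty header values, high-ASCII header bytes, header count (assumed limit of 20), duplicate or non-numeric Content-Length, chunked encoding combined with Content-Length, a zero-length POST, missing Host on HTTP/1.1, an IP-literal Host, and a body on GET or HEAD. Mandatory-header and multipart checks are policy- and content-specific and are left out.

```python
import re

MAX_HEADERS = 20  # assumed "n maximum headers" setting for this example

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (\S+)$")
HTTP_VERSION = re.compile(r"^HTTP/1\.[01]$")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def check_http_compliance(raw: bytes) -> list:
    """Run the protocol compliance checks over one raw HTTP/1.x request."""
    findings = []

    def add(check):
        if check not in findings:
            findings.append(check)

    if b"\x00" in raw:
        add("Null in request")
    if raw[:1] in (b"\r", b"\n"):
        add("CRLF characters before request start")
        raw = raw.lstrip(b"\r\n")

    head, separator, body = raw.partition(b"\r\n\r\n")
    if not separator:
        add("Unparsable request content")
        return findings
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0].decode("latin-1"))
    if not match:
        add("Unparsable request content")
        return findings
    method, _target, version = match.groups()
    if not HTTP_VERSION.match(version):
        add("Bad HTTP version")

    headers = []
    for line in lines[1:]:
        if any(b > 127 for b in line):
            add("High ASCII characters in headers")
        name, colon, value = line.partition(b":")
        if not colon:
            add("Unparsable request content")
            continue
        if not value.strip():
            add("Header name with no header value")
        headers.append((name.strip().lower(), value.strip()))
    if len(headers) > MAX_HEADERS:
        add(f"Check maximum number of headers: {len(headers)} > {MAX_HEADERS}")

    names = [n for n, _ in headers]
    lengths = [v for n, v in headers if n == b"content-length"]
    chunked = any(n == b"transfer-encoding" and b"chunked" in v.lower() for n, v in headers)
    if len(lengths) > 1:
        add("Several Content-Length headers")         # classic smuggling ambiguity
    if lengths and chunked:
        add("Chunked request with Content-Length header")
    for v in lengths:
        if not v.isdigit():                            # covers negative and non-numeric values
            add("Content should be a positive number")
        elif method == "POST" and int(v) == 0:
            add("POST request with Content-Length: 0")
    if version == "HTTP/1.1" and b"host" not in names:
        add("No Host header in HTTP/1.1 request")
    for n, v in headers:
        if n == b"host" and IPV4_HOST.match(v.decode("latin-1")):
            add("Host header contains IP address")
    if method in ("GET", "HEAD") and body:
        add("Body in GET or HEAD requests")
    return findings


if __name__ == "__main__":
    # Constructed request that trips two of the smuggling-related checks.
    sample = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
              b"Content-Length: 7\r\nTransfer-Encoding: chunked\r\n\r\nhello")
    print(check_http_compliance(sample))
```

A real WAF sits in front of a back-end that may resolve the Content-Length/Transfer-Encoding conflict differently than the proxy does; rejecting the request at the first parser, as this check does, removes that disagreement instead of trying to guess which header the origin will honour.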
Access violations

Table A.2 Access violations

| Access violation | Violation trigger event | Attack type |
|---|---|---|
| CSRF attack | The request is not legitimate and comes from a clicked link, embedded malicious HTML, or JavaScript in another application, and may involve transmission of unauthorized commands through an authenticated user. Cross-Site Request Forgery (CSRF) is suspected. | |
| CSRF authentication expired | The system injects a CSRF session cookie into responses. If you configured an expiration time for CSRF protection and the request was sent after the CSRF session cookie expired, the system issues this violation. | |
| Illegal entry point | The incoming request references a URL that is not defined as an entry point. | |
| Illegal file type | The incoming request references a file type that is not specified on the allowed file types list, or is specified on the disallowed file types list, in the security policy. | |
| Illegal flow to URL | The incoming request references a flow that is not found in the security policy. | |
| Illegal HTTP status in response | The server response contains an HTTP status code that is not defined in the security policy. | Information leakage |
| Illegal meta character in parameter name | The incoming request includes a parameter that contains a meta character that is not allowed in the security policy. | |
| Illegal meta character in URL | The incoming request includes a URL that contains a meta character that is not allowed in the security policy. | |
| Illegal method | The incoming request references an HTTP method that is not defined in the security policy. | |
| Illegal session ID in URL | The system checks that the request contains a session ID value that matches the session ID value that the server set for this session. | Session hijacking |
| Illegal URL (also called Non-existent URL) | The incoming request references a URL that is not specified on the allowed URLs list, or is specified on the disallowed URLs list, in the security policy. | |
| Login URL bypassed | The incoming request tried to access the web application without going through the login URL. | |
| Login URL expired | The incoming request is for an authenticated URL whose valid access time has passed. | |
| Request exceeds defined buffer size | The incoming request is larger than the buffer for the Security Enforcer parser. When the system receives a request that triggers this violation. | |
Length violations

Table A.3 Length violations

| Length violation | Violation trigger event | Attack type |
|---|---|---|
| Illegal cookie length | The incoming request includes a cookie header that exceeds the acceptable length specified in the security policy. | |
| Illegal header length | The incoming request includes an HTTP header that exceeds the acceptable length specified in the security policy. | |
| Illegal POST data length | The incoming request contains POST data whose length exceeds the acceptable length specified in the security policy. | |
| Illegal query string length | The incoming request contains a query string whose length exceeds the acceptable length specified in the security policy. | |
| Illegal request length | The incoming request exceeds the acceptable length specified in the security policy. | |
| Illegal URL length | The incoming request references a URL whose length exceeds the acceptable length specified in the security policy. | |

Input violations

Table A.4 Input violations

| Input violation | Violation trigger event | Attack type |
|---|---|---|
| Failed to convert character | The incoming request contains a character that does not comply with the encoding of the web application (the character set of the security policy), and the Security Enforcer cannot convert the character to the current encoding. | |
| Illegal attachment in SOAP message | The incoming request contains a SOAP message in which there is an attachment that is not permitted by the security policy. | |
| Illegal dynamic parameter value | The incoming request contains a dynamic parameter whose value was changed illegally on the client side. | |
| Illegal empty parameter value | The incoming request contains a parameter whose value is empty when it must contain a value. | |
| Illegal meta character in header | The incoming request includes a header whose value contains a meta character that is not allowed in the security policy. Note that if you accept the meta character that caused the violation, the Application Security Manager updates the character set for header values to allow the meta character. | |
| Illegal meta character in parameter value | The incoming request includes a parameter whose value contains a meta character that is not allowed in the security policy. Note that if you accept the meta character that caused the violation, the Application Security Manager updates the character set for parameter values to allow the meta character. | |
| Illegal number of mandatory parameters | The incoming request contains either too few or too many mandatory parameters on a flow. Note that only flows can contain mandatory parameters. | |
| Illegal parameter | The incoming request contains a parameter that is not defined in the security policy. | |
| Illegal parameter data type | The incoming request contains a parameter for which the data type does not match the data type defined in the security policy. This violation applies to user-input parameters, which may be defined in the security policy as integer, alpha-numeric, decimal, phone, or email. | |
| Illegal parameter numeric value | The incoming request contains a parameter whose value is not in the range of decimal or integer values defined in the security policy. | |
| Illegal parameter value | The incoming request contains a parameter whose value does not match the value defined in the security policy. Note that this violation is relevant only for user-input parameters. | |
| Illegal query string or POST data | The incoming request contains a query string or POST data that is not allowed in a flow. | |
| Illegal repeated parameter name | The request contains multiple parameters with the same name, and may indicate an HTTP parameter pollution attack. If this behavior is permitted, you can allow repeated occurrences when creating parameters. | Detection evasion |
| Illegal static parameter value | The incoming request contains a static parameter whose value is not defined in the security policy. | |
| Malformed XML data | The incoming request contains XML data that is not well-formed according to W3C standards. | XML parser attack |
| Maximum login attempts are exceeded | Application Security Manager detected too many failed login attempts. | Brute force attack |
| Null in multi-part parameter value | The incoming multi-part request has a parameter that contains a binary NULL (0x00) value and the content-type header parameter type is binary, when the parameter is defined in the security policy as user-input alpha-numeric. | |
| Parameter value does not comply with regular expression | The incoming request contains an alphanumeric parameter value that does not match the expected pattern specified by the regular-expression field for that parameter. | |
| SOAP method not allowed | The incoming request contains a SOAP method that is not permitted by the security policy. | |
| Web scraping | The incoming request looks like it is from a non-human, automated source, or an illegal web robot. | Web scraping |
| Web Services Security failure | The request contains one of the following web services security errors: Internal Error, Malformed Error, Certificate Expired, Certificate Error, Decryption Error, Signing Error, Verification Error, Missing Timestamp, Invalid Timestamp, Expired Timestamp, Timestamp expiration is too far in the future, Unsigned Timestamp. | |
| XML data does not comply with format settings | The incoming request contains XML data that does not comply with the defense configuration in the XML profile. | |
| XML data does not comply with schema or WSDL document | The incoming request contains XML data that does not match the schema file or WSDL document that is part of the XML profile. | |

The source also records the attack types Injection attempt (for one of the first three rows), Information leakage, and a second XML parser attack (for one of the two XML compliance rows); the flattened source does not preserve which row each belongs to.
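Most of the parameter rows in Table A.4 are a positive security model: each user-input parameter has a declared type, range, pattern or static value set, and anything else is a violation. The following added example (not F5 code) encodes a small constructed policy for one flow and evaluates a query string or POST body against it, raising the violation names from the table: illegal parameter, repeated parameter name, empty value, meta character, data type, numeric range, regular expression, static value, and missing mandatory parameters. The parameter names, types, limits and meta-character set are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed security policy for this example: what each user-input
# parameter on the flow may contain. Names, types and limits are assumptions.
POLICY = {
    "id":    {"type": "integer", "min": 1, "max": 9999, "mandatory": True},
    "zip":   {"type": "alpha-numeric", "regex": r"^[0-9]{5}$", "mandatory": True},
    "email": {"type": "email"},
    "mode":  {"type": "static", "values": {"view", "edit"}},
    "name":  {"type": "alpha-numeric", "allow_empty": False},
}
DISALLOWED_META = set("<>\"'")           # constructed meta-character set for parameter values
INT_RE = re.compile(r"^-?[0-9]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_value(name: str, spec: dict, value: str) -> list:
    """Checks that apply to one value of a defined parameter."""
    out = []
    if value == "":
        if not spec.get("allow_empty", True):
            out.append(f"Illegal empty parameter value: {name}")
        return out
    if any(c in DISALLOWED_META for c in value):
        out.append(f"Illegal meta character in parameter value: {name}")
    kind = spec["type"]
    if kind == "static":
        if value not in spec["values"]:
            out.append(f"Illegal static parameter value: {name}")
    elif kind == "integer":
        if not INT_RE.match(value):
            out.append(f"Illegal parameter data type: {name}")
        elif not spec.get("min", int(value)) <= int(value) <= spec.get("max", int(value)):
            out.append(f"Illegal parameter numeric value: {name}")
    elif kind == "email":
        if not EMAIL_RE.match(value):
            out.append(f"Illegal parameter data type: {name}")
    elif kind == "alpha-numeric":
        regex = spec.get("regex")
        if regex and not re.match(regex, value):
            out.append(f"Parameter value does not comply with regular expression: {name}")
    return out


def check_parameters(query: str) -> list:
    """Return the input violations raised for one query string or POST body."""
    findings = []
    received = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        received.setdefault(name, []).append(value)

    for name, values in received.items():
        spec = POLICY.get(name)
        if spec is None:
            findings.append(f"Illegal parameter: {name}")
            continue
        if len(values) > 1 and not spec.get("allow_repeat", False):
            findings.append(f"Illegal repeated parameter name: {name}")   # HTTP parameter pollution
        for value in values:
            findings.extend(check_value(name, spec, value))

    # Mandatory parameters are a property of the flow, so the check runs once per request.
    missing = [n for n, s in POLICY.items() if s.get("mandatory") and n not in received]
    if missing:
        findings.append("Illegal number of mandatory parameters: missing " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for sample in ("id=42&zip=12345", "id=abc&zip=1234&mode=delete",
                   "id=0&zip=12345&name=a&name=b", "zip=12345&debug=1"):
        print(sample, "->", check_parameters(sample))
```

Because every occurrence of a repeated name is still type-checked, a second copy of a parameter cannot be used to slip a value past the validation that the first copy passed; the repeat itself is reported separately so the policy owner can decide whether the application legitimately needs it.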
Cookie violations

Table A.5 Cookie violations

| Cookie violation | Violation trigger event | Attack type |
|---|---|---|
| ASM cookie hijacking (also called Wrong message key) | The incoming request contains an Application Security Manager cookie that was created in another session. | |
| Expired timestamp | The time stamp in the HTTP cookie is old, which indicates either the malicious reuse of an outdated cookie or that a client has been idle for too long. | |
| Modified ASM cookie | The incoming request contains an Application Security Manager cookie that has been modified or tampered with. | |
| Modified domain cookie(s) | The domain cookies in the HTTP request do not match the original domain cookies, or are not defined as allowed modified domain cookies in the security policy. | |

Negative security violations

Table A.6 Negative security violations

| Negative security violation | Violation trigger event | Attack type |
|---|---|---|
| Information leakage | The response contains sensitive user data. The Data Guard feature determines what data is considered sensitive (for details, see Masking sensitive data). | Information leakage |
| Virus | The request includes a file containing a virus or worm. | Virus |
| Attack signature | The incoming request, or the response, contains a pattern that matches an attack signature. Note: The Attack signature violation does not appear on the Requests screen for signatures that are in staging. | Attack type depends on which attack signature triggered the violation |
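Three of the rows in Table A.5 (Modified ASM cookie, Expired timestamp, ASM cookie hijacking) are what a server can decide from a cookie it issued itself, provided the cookie carries an integrity tag and a timestamp. The added example below is not F5's cookie format; it assumes a constructed server-side signing key and a 600-second idle limit, and shows the issue/verify pair with the checks applied in order: tag verification first (a tampered payload or tag is "Modified ASM cookie"), then the timestamp, then whether the cookie belongs to the session making the request.

```python
import base64
import binascii
import hashlib
import hmac

# Assumptions for this example: a server-side signing key and the idle
# time after which a cookie's timestamp is considered expired.
SIGNING_KEY = b"constructed-demo-key-replace-in-real-deployments"
MAX_IDLE_SECONDS = 600


def issue_cookie(session_id: str, now: int, key: bytes = SIGNING_KEY) -> str:
    """Build an integrity-protected cookie: base64(session|timestamp).hmac."""
    payload = f"{session_id}|{now}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_cookie(cookie: str, now: int, current_session: str, key: bytes = SIGNING_KEY) -> str:
    """Return "ok" or the name of the cookie violation the request would raise."""
    try:
        encoded, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return "Modified ASM cookie"            # not even structurally a cookie we issued
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "Modified ASM cookie"            # payload or tag was tampered with
    session_id, issued = payload.decode().split("|")
    if now - int(issued) > MAX_IDLE_SECONDS:
        return "Expired timestamp"              # outdated cookie reuse or idle client
    if session_id != current_session:
        return "ASM cookie hijacking"           # cookie was created in another session
    return "ok"


if __name__ == "__main__":
    t = 1_700_000_000                           # constructed clock value
    cookie = issue_cookie("sess-A", t)
    print(verify_cookie(cookie, t + 30, "sess-A"))     # ok
    print(verify_cookie(cookie, t + 601, "sess-A"))    # Expired timestamp
    print(verify_cookie(cookie, t + 30, "sess-B"))     # ASM cookie hijacking
```

The tag is checked before the timestamp or session fields are read, so a forged timestamp cannot be used to drive the "expired" or "hijacking" branches; `hmac.compare_digest` keeps the tag comparison constant-time.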