
Honeypot Processors: Query String Processor

Hackers tend to manipulate the values of query string parameters in order to get the application to behave differently. The goal of this processor is to add fake query string parameters to some of the links and forms in the page, and verify that they do not get modified when accessed by the user.

Table 1: Query String Processor Configuration Parameters

| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Basic | | | |
| Processor Enabled | Boolean | True | Whether traffic should be passed through this processor. |
| Advanced | | | |
| Fake Parameters | Collection | Collection | The collection of fake parameters to add to the links which already have parameters. |
| Inject Parameter Enabled | Boolean | True | Whether to inject query string parameters on URLs in HTTP responses. |
| Maximum Injections | Integer | 3 | The maximum number of fake query string parameter injections made into URLs in HTTP responses. |
| Randomization Token | String | [Not Set] | Some websites use complex redirection rules or modify query string parameters of static links using JavaScript on the client. In these situations, the randomization of fake query parameter values may be problematic. To resolve the issue, you can either update the list of fake parameters so that it does not include randomized tokens, or you can define a randomization token name here. If you define a randomization token, then the data used to randomize which value is selected will be transferred as an additional query string parameter by this name. It is recommended that you leave this field empty unless you experience a lot of false positives on query parameter manipulation incidents shortly after setting up Webapp Secure to protect a website. |
| Strip Fake Input | Boolean | True | Whether to remove the fake input value from the query string before proxying the request to the backend servers. This should only be turned off if there is some additional security implemented on the site, where links are signed on the client and validated on the server. |
| Incident: Query Parameter Manipulation | Boolean | True | The user manually modified the value of a query string parameter. |
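The inject, verify and strip cycle that Table 1 configures, as an added Python example (not Webapp Secure's own code). The HMAC-derived parameter value stands in for the product's value randomization, and the secret, parameter names and regex-based link rewriting are assumptions:

```python
import hmac
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed configuration mirroring Table 1; values are sample, not defaults.
FAKE_PARAMS = ["admin", "debug"]
MAX_INJECTIONS = 3
STRIP_FAKE_INPUT = True
SECRET = b"hypothetical-per-deployment-secret"  # assumption: one key per deployment

HREF_RE = re.compile(r'href="([^"]+)"')


def expected_value(path, name, secret=SECRET):
    """Value the fake parameter must carry for this path. Keyed with a secret so a
    client cannot forge it, yet the proxy can verify it without storing state."""
    return hmac.new(secret, f"{path}?{name}".encode(), hashlib.sha256).hexdigest()[:12]


def inject(html, fake_params=FAKE_PARAMS, max_injections=MAX_INJECTIONS):
    """Append one fake parameter to each link that already has a query string,
    stopping after max_injections links (links without a query are left alone)."""
    count = 0

    def rewrite(match):
        nonlocal count
        parts = urlsplit(match.group(1))
        if count >= max_injections or not parts.query:
            return match.group(0)
        name = fake_params[count % len(fake_params)]
        count += 1
        query = parts.query + "&" + urlencode({name: expected_value(parts.path, name)})
        return f'href="{urlunsplit(parts._replace(query=query))}"'

    return HREF_RE.sub(rewrite, html)


def check_request(path, query, fake_params=FAKE_PARAMS, strip=STRIP_FAKE_INPUT):
    """Inspect an incoming request. Returns (incident, query_to_forward): incident is
    True when a fake parameter was tampered with; the fake parameter is stripped
    before the query is proxied unless Strip Fake Input is disabled."""
    kept, incident = [], False
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in fake_params:
            if not hmac.compare_digest(value, expected_value(path, name)):
                incident = True  # Incident: Query Parameter Manipulation
            if strip:
                continue
        kept.append((name, value))
    return incident, urlencode(kept)
```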

    Published: 2013-11-20