Honeypot Processors: Query String Processor

Hackers tend to manipulate the values of query string parameters in order to get the application to behave differently. The goal of this processor is to add fake query string parameters to some of the links and forms in the page, and to verify that their values have not been modified when the user follows the link or submits the form.

Table 19: Query String Processor Configuration Parameters

| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Basic | | | |
| Processor Enabled | Boolean | True | Whether traffic should be passed through this processor. |
| Advanced | | | |
| Fake Parameters | Collection | Collection | The collection of fake parameters to add to the links which already have parameters. |
| Inject Parameter Enabled | Boolean | True | Whether to inject query string parameters on URLs in HTTP responses. |
| Maximum Injections | Integer | 3 | The maximum number of fake query string parameters to inject on URLs in a single HTTP response. |
| Randomization Token | String | [Not Set] | Some websites use complex redirection rules or modify query string parameters of static links using JavaScript on the client. In these situations, the randomization of fake query parameter values can be problematic. To resolve the issue, you can either update the list of fake parameters so that it does not include randomized tokens, or you can define a randomization token name here. If you define a randomization token, the data used to randomize which value is selected will be transferred as an additional query string parameter by this name. It is recommended that you leave this field empty unless you experience a lot of false positives on query parameter manipulation incidents shortly after setting up Webapp Secure to protect a website. |
| Strip Fake Input | Boolean | True | Whether to remove the fake input value from the query string before proxying the request to the backend servers. This should only be turned off if there is some additional security implemented on the site, where links are signed on the client and validated on the server. |
| Incident: Query Parameter Manipulation | Boolean | True | The user manually modified the value of a query string parameter. |
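The following is an added illustration of the mechanism this processor implements, written for this page and not taken from Webapp Secure itself: fake parameters are injected only into links that already carry a query string, at most "Maximum Injections" per response, the value is selected from the candidate list by keying randomization data through an HMAC, an optional Randomization Token carries that data in the URL, and on the way back the value is checked and stripped before the request reaches the backend. The fake parameter catalogue, the secret and the URLs are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed catalogue of fake parameters (name -> candidate values);
# the product's real "Fake Parameters" collection is not shown on the page.
FAKE_PARAMS = {"debug": ["0", "false", "off"], "view": ["public", "user"]}

def expected_value(secret, name, nonce):
    """Pick one candidate value, keyed by the randomization data (nonce)."""
    mac = hmac.new(secret, f"{name}:{nonce}".encode(), hashlib.sha256).digest()
    values = FAKE_PARAMS[name]
    return values[int.from_bytes(mac[:4], "big") % len(values)]

def inject(url, secret, name, nonce, token_name=None):
    """Append fake parameter `name` to a URL that already has a query string.
    With token_name set, the nonce travels in the URL (Randomization Token);
    otherwise the server must remember it itself for later verification."""
    parts = urlsplit(url)
    if not parts.query:
        return url  # only links that already carry parameters are decorated
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((name, expected_value(secret, name, nonce)))
    if token_name:
        query.append((token_name, nonce))
    return urlunsplit(parts._replace(query=urlencode(query)))

def inject_links(urls, secret, nonce, token_name=None, max_injections=3):
    """Decorate at most max_injections links of one response (Maximum Injections),
    cycling through the fake parameter names."""
    out, names, done = [], list(FAKE_PARAMS), 0
    for url in urls:
        if done < max_injections and urlsplit(url).query:
            url = inject(url, secret, names[done % len(names)], nonce, token_name)
            done += 1
        out.append(url)
    return out

def verify(url, secret, nonce=None, token_name=None, strip=True):
    """Check an incoming request URL. Returns (verdict, url_for_backend); verdict is
    'none' (no fake input present), 'clean', or 'manipulated' (raise the incident)."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if token_name:
        nonce = dict(query).get(token_name, nonce)
    seen = [(n, v) for n, v in query if n in FAKE_PARAMS]
    if not seen:
        return "none", url
    ok = nonce is not None and all(
        hmac.compare_digest(v, expected_value(secret, n, nonce)) for n, v in seen)
    # Strip Fake Input: drop the fake parameters and token before proxying.
    kept = [(n, v) for n, v in query if n not in FAKE_PARAMS and n != token_name]
    backend = urlunsplit(parts._replace(query=urlencode(kept))) if strip else url
    return ("clean" if ok else "manipulated"), backend
```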