    Security Engine Incident Monitoring

    While most incidents are triggered by processors, the security engine itself is responsible for several low-level incidents. These appear in the Web UI under Session Management on the Response Rules page, and can be enabled or disabled through Configuration > Security Engine > Incident Monitoring.

    The following settings are available from the Security Engine Incident Monitoring window:

    • Session Tampering–True or False. WebApp Secure uses an HTTP cookie as one of the components of its fingerprinting technology. Because the cookie has its own embedded digital signature, any attempt to fabricate or modify a session cookie will almost always result in a corrupted signature. If WebApp Secure detects that a cookie being provided does not have a valid signature, and does not follow the correct format, it will trigger a Session Cookie Tampering incident.

      Default Response: Session Tampering (0004): 1x = Logout User, 2x = 1 Day Clear Inputs, 3x = 5 Day Clear Inputs

    • Session Spoofing–True or False. WebApp Secure uses an HTTP cookie as one of the components of its fingerprinting technology. Because the cookie has its own embedded digital signature, any attempt to fabricate or modify a session cookie will almost always result in a corrupted signature. If WebApp Secure detects that a cookie being provided has an invalid signature, but otherwise uses the correct format, it will trigger a Session Cookie Spoofing incident.

      Default Response: Session Spoofing (0001): 1x = Logout User, 2x = 1 Day Clear Inputs, 3x = 5 Day Clear Inputs

    • URL Path Fuzzing–True or False. Whether or not to detect attempted fuzzing attacks by monitoring the URL Path for characters defined as invalid in RFC 3869.

      Default Response: URL Fuzzing (0005): 3x = Slow Connection 2-6 seconds for 1 day, 6x = Slow Connection 4-15 seconds for 1 day, 10x = Escalated Fuzzing Attack
      Escalated URL Fuzzing Attack (0006): 1x = 1 Day Block

    • URL Fragment Fuzzing–True or False. Whether or not to detect attempted fuzzing attacks by monitoring the URL Path for URL fragments incorrectly submitted to the server.

      Default Response: Same as URL Path Fuzzing

      Note: Both URL Path Fuzzing and URL Fragment Fuzzing incidents contribute to the count for the response.

    Note: WebApp Secure is typically used to protect outward-facing web sites on the public Internet. These resources all have fully qualified domain names so that any client on the Internet can reach them. In some cases, however, WebApp Secure may be used to protect an internal resource that does not have a fully qualified domain name, for example when you are testing WebApp Secure on an internally available version of your web site that is about to be released publicly. In this case, you should also add the parameter engine.incidents.url_fuzzing.allow_locals to your configuration through Expert Mode. Set the value of engine.incidents.url_fuzzing.allow_locals to true and save the configuration. This prevents false alarms caused by legitimate hits on your internally facing site.
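
The difference between the Session Tampering and Session Spoofing settings described above, as an added example that is not WebApp Secure code. The cookie layout (`<session-id>.<signature>` with an HMAC-SHA256 signature in unpadded base64url), the key, and all function names are assumptions made for illustration; this page does not document the real cookie format.

```python
import base64
import hashlib
import hmac
import re

# ASSUMED layout, for illustration only: "<session-id>.<signature>", both
# unpadded base64url; signature = HMAC-SHA256(key, session-id).
KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
WELL_FORMED = re.compile(r"[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}")

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(session_id: str, key: bytes = KEY) -> str:
    return _b64(hmac.new(key, session_id.encode(), hashlib.sha256).digest())

def issue(raw_id: bytes, key: bytes = KEY) -> str:
    """Build a signed cookie value from a 16-byte session identifier."""
    sid = _b64(raw_id)
    return f"{sid}.{sign(sid, key)}"

def classify(cookie: str, key: bytes = KEY) -> str:
    """Map a cookie to 'valid', 'spoofing' or 'tampering'."""
    if not WELL_FORMED.fullmatch(cookie):
        return "tampering"      # wrong format, so no valid signature either
    sid, sig = cookie.split(".")
    # Constant-time comparison avoids leaking how much of the signature matched.
    if hmac.compare_digest(sig, sign(sid, key)):
        return "valid"
    return "spoofing"           # correct format, invalid signature

def demo() -> dict:
    """Classify constructed sample cookies."""
    good = issue(bytes(range(16)))
    sid, sig = good.split(".")
    edited = sig[:-1] + ("A" if sig[-1] != "A" else "B")
    samples = {
        "untouched": good,
        "signature edited": f"{sid}.{edited}",
        "session id swapped": f"{_b64(bytes(16))}.{sig}",
        "truncated": good[:30],
        "quote appended": good + "'",
    }
    return {name: classify(value) for name, value in samples.items()}

if __name__ == "__main__":
    print(demo())
```

Checking the format before the signature is what separates the two incidents: a value that still parses but fails verification is classed as spoofing, while anything that no longer parses is classed as tampering.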

     


    Published: 2015-02-04