333791
Rule ID
333791
Status
Active rule currently published.
Alert Message
None. This rule does not generate alerts.
Description
This rule detects when a request is made using an undocumented, fake or poorly defined content types and configures the WAF to take a "closer look" at the request.
The WAF works by inspecting content based on the "type" defined by the request. The best analogy is that the WAF is being asked to review something in a language it does not understand. The WAF needs to understand the type to be able to properly inspect its contents. Attacks use this method to get past WAFs by using fake content types to trick the WAF into thinking it is reading one content type, when another content type is being used. This can be used to bypass the WAF entirely.
False Positives
None. This rule does not block or alert.
It is not recommended that you disable this rule if you have any issue with this rule.
If you believe this rule is causing issues with your system, please report this to our security team to determine if this is a legitimate case, a bug in your application, a bug in the WAF, or if its clever attack on your system.
Tuning Guidance
None.
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.