333791

From Atomicorp Wiki

Rule ID

333791

Status

Active rule currently published.

Alert Message

None. This rule does not generate alerts.

Description

This rule detects when a request is made using an undocumented, fake or poorly defined content type and configures the WAF to take a "closer look" at the request.

The WAF inspects content according to the "type" declared by the request, and it needs to understand that type to inspect the contents properly. The best analogy is that the WAF is being asked to review something in a language it does not understand. Attackers use this to get past WAFs: a fake content type tricks the WAF into thinking it is reading one content type when another content type is actually being used. This can be used to bypass the WAF entirely.
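The decision described above, sketched as an added Python example; it is not Atomicorp's rule logic. The `PARSERS` table, the `plan_inspection` function and the reading of "closer look" as falling back to raw-body inspection are assumptions made for illustration.

```python
import re

# RFC 7230 "token" grammar; a media type is token "/" token.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}$")

# Assumption: the content types this hypothetical WAF has a body parser for.
PARSERS = {
    "application/x-www-form-urlencoded": "urlencoded",
    "multipart/form-data": "multipart",
    "application/json": "json",
    "application/xml": "xml",
    "text/xml": "xml",
}


def plan_inspection(content_type, body_length):
    """Return (parser, closer_look, reason) for one request."""
    if body_length == 0:
        return ("none", False, "no body to inspect")
    if not content_type or not content_type.strip():
        return ("raw", True, "body sent without a Content-Type")
    media, _, params = content_type.partition(";")
    media = media.strip().lower()
    if not _MEDIA_TYPE.match(media):
        return ("raw", True, "malformed media type")
    parser = PARSERS.get(media)
    if parser is None:
        return ("raw", True, "no parser for this content type")
    if parser == "multipart" and not re.search(r"\bboundary=", params, re.I):
        return ("raw", True, "multipart without a boundary")
    return (parser, False, "content type has a parser")


if __name__ == "__main__":
    # Constructed sample headers, not taken from real traffic.
    samples = [
        ("application/json", 42),
        ("Application/X-WWW-Form-Urlencoded; charset=UTF-8", 17),
        ("application/x-made-up", 42),
        ("json", 42),
        (None, 42),
        ("multipart/form-data", 900),
    ]
    for header, length in samples:
        print(repr(header), "->", plan_inspection(header, length))
```

The point of the fallback is that an unrecognised type never results in the body being skipped: it is flagged and inspected as raw bytes instead, without blocking or alerting on its own.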

False Positives

None. This rule does not block or alert.

If you have any issue with this rule, disabling it is not recommended.

If you believe this rule is causing issues with your system, please report this to our security team to determine if this is a legitimate case, a bug in your application, a bug in the WAF, or a clever attack on your system.


Tuning Guidance

None.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.
