WAF 340362

From Atomicorp Wiki
Jump to: navigation, search

Rule ID


Alert Message

Atomicorp.com WAF Rules: ModSecurity does not support content encodings and can not detect attacks using it, therefore it is blocked.


Inbound undefined compressed content (not be confused with compressed files or properly defined compressed content) is invisible to all Web Application Firewalls. Therefore they can not see or evaluate any traffic encoded in this manner. If an attack were to be encoded in this way the WAF would not catch it, therefore WAFs are configured to block this traffic.

This rule looks for this header:

Content-Encoding: Identity

If this header exists, the request is rejected because the WAF can not decode this kind of content. It is invisible to the WAF (because its compressed, but the method of compression is not defined, so the WAF has no idea how to uncompress it), and therefore an attack can simply bypass the WAF by compressing an attack.

Do not disable this rule.


The use of this method is also consider invalid by the HTTP 1.1 RFC. This content-coding is used only in the Accept-Encoding header, and SHOULD NOT be used in the Content-Encoding header. This rule detects this RFC non-compliant compressed inbound content and blocks it correctly. The content is both invalid, and invisible to the WAF. The use of this method is extremely rare in practice, as properly designed client applications will not do this. If you have an application that performs in this manner the application is not in compliance with RFCs, is generating invalid encodings, is producing content the WAF will not be able to decompress (and which it will therefore block) and should be modified to be in compliance with the HTTP 1.1 RFC.

See the RFC in the references section below for technical details.

False Positives:

None. If this rule triggers it means content encoded data, as explained above, is being sent to the server. If you allow this by disabling this rule you will open your system up to attacks that modsecurity can not detect or prevent.

Do not disable this rule.

Similar Rules




Personal tools