Difference between revisions of "WAF 300023"

From Atomicorp Wiki
Jump to: navigation, search
m
m
 
(One intermediate revision by one user not shown)
Line 19: Line 19:
 
'''False Positives'''
 
'''False Positives'''
  
A false positive can occur when an application legitimately allows a user to submit 4 or more URLs in a POST.  The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them.  However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule, or for an application to this in a manner where it is simply not possible for the WAF to know if this was authorized.  The intent of this rule to assist with web spam attacks, where a spammer attempts to post a series of URLs on wiki, forum, blog or other site.  The rules will try to determine if this is authorized, but not all web application provide a means of detecting this and so the rules catch those cases where it way not be able to do this, or where an actual spamming event may have occurred.
+
A false positive can occur when an application legitimately allows a user to submit 4 or more URLs in a POST, for all potential uses and users.  For example, a forum software packages user posting application would '''not''' be an example of this, as some forums may be configured to not allow 4 or more URLs on a post.  This rule was developed specifically because some forum software packages do not restrict the amount of URLs in a post, and this method is used by spammers to fill forums and blogs with link spam.
 +
 
 +
An administrator authenticate application that takes a series of URLs as arguments would be an example of a potential false positive.  The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them.  However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule, or for an application to this in a manner where it is simply not possible for the WAF to know if this was authorized.  The intent of this rule to assist with web spam attacks, where a spammer attempts to post a series of URLs on wiki, forum, blog or other site.  The rules will try to determine if this is authorized, but not all web application provide a means of detecting this and so the rules catch those cases where it way not be able to do this, or where an actual spamming event may have occurred.
  
 
If you have a false positive, its recommended that you follow the tuning guidance below.   
 
If you have a false positive, its recommended that you follow the tuning guidance below.   

Latest revision as of 18:16, 29 November 2013

Rule ID

300023

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)

Description

This rule detects if 4 or more HTML marked up or application specific marked URLs are included in a single post.

This rule works by detecting the use of a URL as either an HTML argument, or an application specific (i.e. url=) URL included in a POST.

False Positives

A false positive can occur when an application legitimately allows a user to submit 4 or more URLs in a POST, for all potential uses and users. For example, a forum software packages user posting application would not be an example of this, as some forums may be configured to not allow 4 or more URLs on a post. This rule was developed specifically because some forum software packages do not restrict the amount of URLs in a post, and this method is used by spammers to fill forums and blogs with link spam.

An administrator authenticate application that takes a series of URLs as arguments would be an example of a potential false positive. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule, or for an application to this in a manner where it is simply not possible for the WAF to know if this was authorized. The intent of this rule to assist with web spam attacks, where a spammer attempts to post a series of URLs on wiki, forum, blog or other site. The rules will try to determine if this is authorized, but not all web application provide a means of detecting this and so the rules catch those cases where it way not be able to do this, or where an actual spamming event may have occurred.

If you have a false positive, its recommended that you follow the tuning guidance below.

Tuning Guidance

If you know that this behavior is acceptable for your application, and you know the application has a trusted means of showing this action should be allowed, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL. Please see the Tuning the Atomicorp WAF Rules page for basic information.

If you believe this is a false positive, please follow the instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.


Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Personal tools