WAF 300023
Latest revision as of 19:16, 29 November 2013
Rule ID
300023
Status
Active rule currently published.
Alert Message
Atomicorp.com WAF Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
Description
This rule detects if 4 or more HTML marked-up or application-specific marked-up URLs are included in a single post.
This rule works by detecting the use of a URL as either an HTML argument, or an application-specific (i.e. url=) URL included in a POST.
False Positives
A false positive can occur when an application legitimately allows a user to submit 4 or more URLs in a POST, for all potential uses and users. For example, a forum software package's user-posting application would not be an example of this, as some forums may be configured to not allow 4 or more URLs in a post. This rule was developed specifically because some forum software packages do not restrict the number of URLs in a post, and this method is used by spammers to fill forums and blogs with link spam.
An administrator-authenticated application that takes a series of URLs as arguments would be an example of a potential false positive. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However, it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule, or for an application to do this in a manner where it is simply not possible for the WAF to know if this was authorized. The intent of this rule is to assist with web spam attacks, where a spammer attempts to post a series of URLs on a wiki, forum, blog or other site. The rules will try to determine if this is authorized, but not all web applications provide a means of detecting this, and so the rules catch those cases where they may not be able to do this, or where an actual spamming event may have occurred.
If you have a false positive, it is recommended that you follow the tuning guidance below.
Tuning Guidance
If you know that this behavior is acceptable for your application, and you know the application has a trusted means of showing this action should be allowed, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL. Please see the Tuning the Atomicorp WAF Rules page for basic information.
If you believe this is a false positive, please follow the instructions for reporting false positives, which are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
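The check from the Description and the per-argument allowance from the Tuning Guidance, sketched in Python as an added example; this is not the Atomicorp rule or its pattern. The markup forms matched, the per-argument counting (taken from the alert message), the paths, argument names and sample bodies are all assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

THRESHOLD = 4  # from the page: 4 or more marked-up URLs

# Assumed markup forms (not the rule's real pattern): HTML attributes that
# carry a URL, and application-specific tags such as [url=...] or [url]...
URL_MARKUP = re.compile(
    r"""(?:\b(?:href|src)\s*=\s*["']?|\[(?:url|link|img)\s*(?:=|\]))\s*(?:https?:)?//""",
    re.IGNORECASE,
)


def count_marked_urls(value):
    """Count URLs wrapped in markup; bare plain-text URLs are not counted."""
    return len(URL_MARKUP.findall(value))


def inspect_post(path, body, allowed=frozenset()):
    """Return [(argument, count)] for each argument of a urlencoded POST body
    holding THRESHOLD or more marked-up URLs, unless (path, argument) has
    been explicitly allowed for that application."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        n = count_marked_urls(value)
        if n >= THRESHOLD and (path, name) not in allowed:
            hits.append((name, n))
    return hits


# Constructed sample bodies (hypothetical applications and hosts).
SPAM = urlencode({
    "subject": "hi",
    "message": " ".join('<a href="http://s%d.example/">x</a>' % i for i in range(3))
               + " [url=http://s3.example/]y[/url]",
})
BENIGN = urlencode({
    "message": '<a href="http://a.example/">a</a> [url]http://b.example/[/url] '
               'plain http://c.example/ and http://d.example/ and http://e.example/',
})
ADMIN = urlencode({
    "sources": "".join("[url=https://feed%d.example/rss]" % i for i in range(5)),
})
# Tuning: allow one argument of one administrator-only application.
ALLOWED = frozenset({("/admin/feeds.php", "sources")})

if __name__ == "__main__":
    print(inspect_post("/forum/post.php", SPAM))             # alert on "message"
    print(inspect_post("/forum/post.php", BENIGN))           # below threshold
    print(inspect_post("/admin/feeds.php", ADMIN, ALLOWED))  # allowed argument
```

The allowance is keyed on both path and argument name, so the same argument posted to any other application is still inspected.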
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.