Difference between revisions of "WAF 391213"
(Created page with "'''Rule ID''' 391213 '''Status''' Active rule currently published. '''Alert Message''' Atomicorp.com WAF Rules: Request content type is not allowed by policy '''Descr...") |
m |
||
Line 22: | Line 22: | ||
'''False Positives''' | '''False Positives''' | ||
− | A false positive can occur when an application legitimately sets an undocumented or poorly understood Content-Type. The rules contain a large library of known | + | A false positive can occur when an application legitimately sets an undocumented or poorly understood Content-Type. The rules contain a large library of known content-types and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule. |
It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly. | It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly. |
Latest revision as of 11:12, 15 June 2012
Rule ID
391213
Status
Active rule currently published.
Alert Message
Atomicorp.com WAF Rules: Request content type is not allowed by policy
Description
This rule detects when a request is made using an undocumented, fake or poorly defined content types. The WAF works by inspecting content based on the "type" defined by the request. This of this as a foreign language. The WAF needs to understand the type to be able to properly inspect its contents.
Attacks use this method to get past WAFs by using fake content types to trick the WAF into thinking it is reading one content type, when another content type is being used. This can be used to bypass the WAF entirely.
This rule prevents the use of fake, undocumented or poorly defined content types.
False Positives
A false positive can occur when an application legitimately sets an undocumented or poorly understood Content-Type. The rules contain a large library of known content-types and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.
It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Tuning Guidance
If you know that this behavior is acceptable for your application, please see the Tuning the Atomicorp WAF Rules page for basic information.
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.