WAF 390703

From Atomicorp Wiki
Revision as of 18:33, 13 September 2011 by Mshinn (Talk | contribs)


Rule ID

390703

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: URL Encoding Abuse Attack Attempt

Description

This rule detects a request body that is declared as type "application/x-www-form-urlencoded" but is not validly encoded. The WAF has a built-in validation engine that checks whether the encoded body matches the RFC. If the body claims to be x-www-form-urlencoded but does not follow the RFC, this rule is triggered. The rule is designed to detect attempts to encode attacks in a manner that an application may decode but that the WAF will not. Attackers use this method to try to bypass WAFs and IDSs and to attack applications that may be more forgiving of broken or non-conforming encoded bodies.
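The kind of check described above, as an added example that is not Atomicorp's rule or engine code: a strict validator that flags malformed percent-escapes, shown next to Python's forgiving `unquote_plus`, which passes them through the way a lenient application might. The function names, the exact strictness criteria and the sample bodies are assumptions made for illustration.

```python
from string import hexdigits
from urllib.parse import unquote_plus

FORM_TYPE = "application/x-www-form-urlencoded"

def find_encoding_errors(body):
    """Return (offset, reason) for each malformed spot in a urlencoded body."""
    errors = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "%":
            pair = body[i + 1:i + 3]
            if len(pair) < 2:
                errors.append((i, "truncated percent-escape"))
            elif any(c not in hexdigits for c in pair):
                errors.append((i, "non-hex digits after %"))
            else:
                i += 3          # well-formed %XX, skip the whole escape
                continue
        elif not 0x21 <= ord(ch) <= 0x7E:
            # Assumption: spaces, control characters and non-ASCII must be escaped.
            errors.append((i, "raw character that should be escaped"))
        i += 1
    return errors

def should_alert(content_type, body):
    """Alert only when the body claims to be urlencoded but is malformed."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == FORM_TYPE and bool(find_encoding_errors(body))

if __name__ == "__main__":
    # Constructed sample bodies, not taken from real traffic.
    for body in ["name=alice&note=hello%20world+again", "q=100%", "a=%zz&b=1"]:
        # unquote_plus stands in for a forgiving application decoder:
        # it passes malformed escapes through instead of rejecting them.
        print(repr(body), find_encoding_errors(body), repr(unquote_plus(body)))
```

The second and third bodies are accepted unchanged by the lenient decoder but rejected by the strict check, which is the mismatch between application and inspection device that the rule exists to close.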

False Positives

A false positive can occur when an application uses a broken or non-RFC-conforming method of encoding the request body.

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please contact the application vendor first and refer them to this article and the RFC referenced at the bottom. If their application does conform to the RFC, please report this as a bug in the engine along with supporting information from the application developer.

If the application does not conform to the RFC, we recommend you ask the application developer to make it conform. Disabling this rule will make it possible for an attacker to present non-conforming urlencoded requests to your system that the WAF will not be able to decode correctly. In these cases, it may be possible for an attacker to bypass the WAF and successfully attack your system.

If you still believe this is a false positive, please follow the process on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

If you know that this behavior is acceptable for your application, and you are comfortable that your application does not have any vulnerabilities, you can disable this rule for just this application. Please follow the guidance on the Tuning the Atomicorp WAF Rules page.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

RFC 1738: http://www.ietf.org/rfc/rfc1738.txt
