https://wiki.atomicorp.com/wiki/index.php?title=WAF_391213&feed=atom&action=historyWAF 391213 - Revision history2024-03-28T15:05:15ZRevision history for this page on the wikiMediaWiki 1.20.2https://wiki.atomicorp.com/wiki/index.php?title=WAF_391213&diff=2375&oldid=prevMshinn at 15:12, 15 June 20122012-06-15T15:12:11Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 15:12, 15 June 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 22:</td>
<td colspan="2" class="diff-lineno">Line 22:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>A false positive can occur when an application legitimately sets an undocumented or poorly understood Content-Type.  The rules contain a large library of known <del class="diffchange diffchange-inline">web applications and safe methods for using URLs, </del>and can detect known safe methods and ignore them.  However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.  </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>A false positive can occur when an application legitimately sets an undocumented or poorly understood Content-Type.  The rules contain a large library of known <ins class="diffchange diffchange-inline">content-types </ins>and can detect known safe methods and ignore them.  However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>It is not recommended that you disable this rule if you have a false positive.  If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.  Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>It is not recommended that you disable this rule if you have a false positive.  If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.  Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.</div></td></tr>
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=WAF_391213&diff=2374&oldid=prevMshinn: Created page with "'''Rule ID''' 391213 '''Status''' Active rule currently published. '''Alert Message''' Atomicorp.com WAF Rules: Request content type is not allowed by policy '''Descr..."2012-06-15T15:07:38Z<p>Created page with "'''Rule ID''' 391213 '''Status''' Active rule currently published. '''Alert Message''' Atomicorp.com WAF Rules: Request content type is not allowed by policy '''Descr..."</p>
<p><b>New page</b></p><div>'''Rule ID''' <br />
<br />
391213<br />
<br />
'''Status'''<br />
<br />
Active rule currently published.<br />
<br />
'''Alert Message''' <br />
<br />
Atomicorp.com WAF Rules: Request content type is not allowed by policy<br />
<br />
'''Description''' <br />
<br />
This rule detects when a request is made using an undocumented, fake or poorly defined content types. The WAF works by inspecting content based on the "type" defined by the request. This of this as a foreign language. The WAF needs to understand the type to be able to properly inspect its contents.<br />
<br />
Attacks use this method to get past WAFs by using fake content types to trick the WAF into thinking it is reading one content type, when another content type is being used. This can be used to bypass the WAF entirely. <br />
<br />
This rule prevents the use of fake, undocumented or poorly defined content types.<br />
<br />
<br />
'''False Positives'''<br />
<br />
A false positive can occur when an application legitimately sets an undocumented or poorly understood Content-Type. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule. <br />
<br />
It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.<br />
<br />
'''Tuning Guidance'''<br />
<br />
If you know that this behavior is acceptable for your application, please see the [[Tuning the Atomicorp WAF Rules]] page for basic information.<br />
<br />
'''Similar Rules'''<br />
<br />
None.<br />
<br />
'''Knowledge Base Articles'''<br />
<br />
None.<br />
<br />
'''Outside References'''<br />
<br />
None.</div>Mshinn