Forum Discussion

George_33482
Apr 15, 2013

Meta Characters

Hi,

I have ASM 11.2.1 that starts blocking web pages due to meta character violations in the password parameters (during authentication). I allowed some meta characters for the users to be able to log in.

But the question is, what are the implications of allowing special characters that are disallowed by default? Does this cause some security violations?

Is there another way to make the ASM learn these meta characters instead of statically allowing them?

Thank you.

George

 

3 Replies

  • Hi,

    By default nearly every meta character is disallowed for use as a parameter value.

    In my opinion, this is a little bit too much security for most web applications. This is only necessary if you need a lot of security for your application.

    It would be necessary to validate every parameter value the user entered in the web application before the request is sent to the server, i.e. by JavaScript or a special web page.

    If you don't do that, I recommend allowing most of the meta characters for parameter values.

    1. If you have troubles only with one parameter value (password), you can do this only for the single parameter value.

    2. You can allow the meta characters for all parameter values, too. It saves a lot of time in configuration or policy learning, i.e. you are not so strict with the user and he is allowed to type in a wrong value because of a mistake.

    I recommend the second option. In my opinion, this is no security risk.

    You can learn the meta characters by policy builder.

    Especially the parameter password produces a lot of violations if you don't accept meta characters. A strong password should contain some of them. If the user uses a password generator, there can be a lot of them inside.

    regards
  • So the first question you need to ask yourself is how important/sensitive is the data that lives behind this application. If it is sensitive personal data of customers or employees, then I would not recommend just allowing all meta characters for all parameters; even if it is just moderately valuable data I still may not do this. If it is public data, though, that you don't care who has it, then restricting meta characters and white list security is probably not heavily needed.

    Allowing all meta characters for all parameters does carry an increased security risk. It is debatable how much of a risk increase you incur, but that is mostly dependent on how your application is coded and what sort of technology is behind the application. If your code will compensate for unwanted characters by doing some sort of client side check or server side validation before allowing the value to process, then you probably don't need to restrict many meta characters, as you have good security built into the application.

    The way I see it, ASM is there to supplement security that has not or cannot be built into the application itself for whatever reason. As far as meta characters go, I tend to lean the opposite way from Torti and restrict what I don't want the user to be able to input. From a security standpoint, what this does is narrow the scope that attackers can use against your application. Many of the attacks and bypasses used to get at data behind an application use meta characters or a combination of meta characters, so restricting to allow only what is needed will take away some options attackers have. Yes, attack signatures will still stop a known malicious pattern even if the single meta character is allowed, but this is for known exploits and attacks; restricting your site to only what is needed (or as best you can) will help limit your exposure to 0 day and unknown exploits.

  • Mike, you are right. The ASM is only for an increase of security. Security starts with secure coding. If you want 100% security, disconnect from the www.

    I don't see my way as the opposite of your way, Mike. I restrict what I don't want, but I allow a user the input of about 30 meta characters, because the mistake of wrong characters can happen.

    And a well-coded application doesn't allow the user to input wrong meta characters, or will inform the user about his mistake. But this isn't possible if you block everything and respond with a single blocking response page; only if you use a script on the client side.

    You always have to find the balance between usability and security.
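The three replies describe the same design space from the application side: a per-parameter character allow-list (relax only the password field), a permissive allow-list for every parameter, and per-field feedback so a user who mistyped learns which characters were rejected rather than hitting one generic blocking page. The following Python is an added example written for this thread to show those options side by side as server-side validation; it is not ASM code, not F5's, and not code from any of the posters. The policy sets, the parameter names `username` and `password`, and the sample login request are all constructed for illustration.

```python
from __future__ import annotations

import string
from dataclasses import dataclass

# Character classes used by the constructed policies below (hypothetical;
# a real deployment would derive these from what each field actually needs).
SAFE_CHARS = set(string.ascii_letters + string.digits + " ._-@")
# Password fields may contain any printable punctuation, since strong or
# generated passwords routinely include it (this is the thread's main pain point).
PASSWORD_CHARS = set(string.ascii_letters + string.digits + string.punctuation)

# Option 1 from the thread: relax only the password parameter and keep the
# restrictive default for every other parameter.
PER_PARAMETER_POLICY = {"password": PASSWORD_CHARS}

# Option 2: allow the wide character set for every parameter. The policy is
# empty so every parameter falls back to whatever default is passed in.
PERMISSIVE_POLICY: dict[str, set[str]] = {}


@dataclass(frozen=True)
class Violation:
    param: str
    disallowed: str  # sorted, de-duplicated offending characters


def check_request(params: dict[str, str],
                  policy: dict[str, set[str]],
                  default_allowed: set[str]) -> list[Violation]:
    """Return one Violation per parameter whose value contains a character
    outside the allow-list for that parameter (policy entry or default)."""
    violations = []
    for name, value in params.items():
        allowed = policy.get(name, default_allowed)
        bad = sorted({ch for ch in value if ch not in allowed})
        if bad:
            violations.append(Violation(name, "".join(bad)))
    return violations


def rejection_message(violations: list[Violation]) -> str:
    """Per-field feedback instead of a single generic blocking page, so a user
    who simply mistyped sees which characters were rejected and in which field."""
    if not violations:
        return "ok"
    return "; ".join(
        f"{v.param}: characters not allowed: {v.disallowed!r}" for v in violations
    )


# Constructed login request, not a real capture: the username carries two
# characters outside SAFE_CHARS, the password carries ordinary punctuation.
SAMPLE_LOGIN = {"username": "geo<rge>", "password": "p@ss!w0rd#"}

if __name__ == "__main__":
    strict = check_request(SAMPLE_LOGIN, PER_PARAMETER_POLICY, SAFE_CHARS)
    print("per-parameter policy:", rejection_message(strict))
    loose = check_request(SAMPLE_LOGIN, PERMISSIVE_POLICY, PASSWORD_CHARS)
    print("permissive policy:", rejection_message(loose))
```

Under the per-parameter policy the password passes while the username is reported with the exact characters that caused the rejection; under the permissive policy the same request passes everywhere, which is the trade-off Mike describes: fewer false blocks, but a wider character set reaching the application for fields that never needed it.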