Forum Discussion

Rene_Bader_1308
Aug 05, 2014
Solved

URL parameter not working (ASM)

Hi all,

I'm new to the ASM and currently trying to protect an application that uses URL parameters in some requests.

I want the ASM to allow only named parameter values and configured them at

Security --> Application Security --> Allowed URL --> URL parameters

as static values. Everything up to the allowed URL is working as expected, except that the parameters are not restricted to the values I defined. I can still enter any value I like and it's gonna be interpreted by the application.

What am I missing in my rule?

Thanks

René

  • Check your policy blocking settings. As I always tell my students, there are three things required for ASM to block.

    1. The policy must be in blocking mode.
    2. The entity must not be in staging.
    3. The blocking settings (learn, alarm and block) must have block ticked for that violation.

    There is a specific violation related to static parameter settings; it is easily missed.

4 Replies

  • nathe
    Kevin - good clear advice on this one. I try to follow these rules myself. Interestingly, "Illegal static parameter value" doesn't seem to be enabled for learn, alarm or block by default. At least not for my quick test on v11.4.1.
  • All,

    thanks for your quick response.

    Thanks to Nathan I found the missing link.

    I set "Illegal parameter" to block and did not get that there is a setting for "Illegal static parameter value".

    Now it's working. :)
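The following is an added illustration, not F5 code and not something posted in this thread: a small Python model of the enforcement decision Kevin describes (blocking mode, entity not in staging, block ticked for the specific violation) applied to the situation René ran into. The `Policy` and `Parameter` structures, their field names, the two sample policies and the sample query strings are all constructed for the example; only the three conditions and the two violation names ("Illegal parameter" and "Illegal static parameter value") come from the discussion. Running it shows why a policy with block ticked only for "Illegal parameter" lets `lang=fr` through while still blocking an undefined parameter, and what changes once "Illegal static parameter value" is ticked or the parameter is placed in staging.

```python
"""Model of the ASM enforcement decision discussed in this thread.

Illustration added to the thread, not F5 code: the Policy/Parameter
structures, field names, the two sample policies and the query strings are
all constructed here. Taken from the discussion: the three conditions for a
block (policy in blocking mode, entity not in staging, block ticked for that
violation) and the two violation names below.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ILLEGAL_PARAM = "Illegal parameter"
ILLEGAL_STATIC = "Illegal static parameter value"


@dataclass
class Parameter:
    name: str
    # None models a user-input parameter (any value accepted); a set models a
    # parameter configured with static values, exactly these being allowed.
    static_values: Optional[FrozenSet[str]] = None
    staging: bool = False


@dataclass
class Policy:
    enforcement_mode: str              # "blocking" or "transparent"
    parameters: Dict[str, Parameter]
    # violation name -> ticked flags, a subset of {"learn", "alarm", "block"}
    blocking_settings: Dict[str, Set[str]]


def decide(policy: Policy, violation: str, entity_staging: bool) -> str:
    """Apply the three conditions from the answer to a single violation."""
    flags = policy.blocking_settings.get(violation, set())
    if ("block" in flags
            and policy.enforcement_mode == "blocking"
            and not entity_staging):
        return "block"
    if "alarm" in flags:
        return "alarm"
    if "learn" in flags:
        return "learn"
    return "pass"          # nothing ticked: the request goes through silently


def evaluate(policy: Policy, query: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (parameter, violation, action) for each offending query parameter."""
    findings = []
    for name, value in query.items():
        param = policy.parameters.get(name)
        if param is None:
            # Parameter not defined on the allowed URL at all.
            violation, staging = ILLEGAL_PARAM, False
        elif param.static_values is not None and value not in param.static_values:
            # Defined as static, but the submitted value is not one of the listed ones.
            violation, staging = ILLEGAL_STATIC, param.staging
        else:
            continue
        findings.append((name, violation, decide(policy, violation, staging)))
    return findings


def original_policy(staging: bool = False) -> Policy:
    """Constructed: blocking mode, block ticked for "Illegal parameter" only."""
    return Policy(
        enforcement_mode="blocking",
        parameters={"lang": Parameter("lang", frozenset({"de", "en"}), staging)},
        blocking_settings={ILLEGAL_PARAM: {"learn", "alarm", "block"}},
    )


def corrected_policy(staging: bool = False) -> Policy:
    """Constructed: the same, plus block ticked for "Illegal static parameter value"."""
    policy = original_policy(staging)
    policy.blocking_settings[ILLEGAL_STATIC] = {"learn", "alarm", "block"}
    return policy


if __name__ == "__main__":
    # Constructed requests: a disallowed static value and an undefined parameter.
    for label, policy in (("original", original_policy()), ("corrected", corrected_policy())):
        print(label, evaluate(policy, {"lang": "fr"}), evaluate(policy, {"debug": "1"}))
    print("staging", evaluate(corrected_policy(staging=True), {"lang": "fr"}))
```

The point of the model is the lookup in `decide`: the block flag is read per violation name, so ticking block for "Illegal parameter" says nothing about "Illegal static parameter value", and a parameter still in staging is excluded from blocking even when the flag is set.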