Q&A: What Behavior Patterns does the "HTTP Protocol Compliance Failed" module of the WAF policy check?

 Question

  • What is the HTTP Protocol Compliance Failed WAF module?
  • What are the sub-modules/behavior patterns that HTTP Protocol Compliance Failed checks for?

 

Environment

  • Silverline WAF
  • WAF Policy
  • HTTP Protocol Compliance Failed 

 

Answer

  • The WAF Policy module “HTTP Protocol Compliance Failed” checks for the following sub-modules/behavior patterns. By default, these sub-modules trigger a WAF Violation.  
    • This category contains a list of validation checks that the system performs on HTTP requests to ensure that the requests are formatted properly.

      | Sub-Module | Description |
      | --- | --- |
      | POST request with Content-Length: 0 | Examines the Content-Length header of POST requests, checks if the method used is POST, and the request is not chunked. If the Content-Length header value is equal to 0, the system issues a violation because POST requests should usually contain a non-zero length body. |
      | Header name with no header value | The system checks for a header name without a header value. |
      | Several Content-Length headers | More than one Content-Length header is a non-RFC violation. Indicates an HTTP response splitting attack. |
      | Chunked request with Content-Length header | The system checks for a Content-Length header within chunked requests. |
      | Body in GET or HEAD requests | Examines GET and HEAD requests which have a body. |
      | Bad multipart/form-data request parsing | The system checks the following: (1) A boundary follows immediately after request headers. (2) The parameter value matches the format: 'name="param_key";\r\n'. (3) A chunked body contains at least one CRLF. (4) A chunked body ends with CRLF. If one of these is false, the system issues a violation. |
      | No Host header in HTTP/1.1 request | Examines requests using HTTP/1.1 to see whether they contain a "Host" header. |
      | CRLF characters before request start | Examines whether there is a CRLF character before the request method. If there is, the system issues a violation. |
      | Host header contains IP address | The system verifies that the request's Host header value is not an IP address to prevent non-standard requests. |
      | Content length should be a positive number | The Content-Length header value should be greater than zero; only a numeric positive number value is accepted. |
      | Bad HTTP version | Enforces desired HTTP version (only 1.0 or higher allowed). |
      | Null in request | The system issues a violation for requests with a NULL character anywhere in the request (except for a NULL in the binary part of a multipart request). |
      | High ASCII characters in headers | Checks for high ASCII characters in headers (greater than 127). |
      | Unparsable request content | This violation is triggered when the system's parser cannot parse the message. |
      | Check maximum number of headers: maximum x headers (default 20; max 500) | The system compares the request headers to the maximal configured number of headers. |
      | Bad host header value | Detected non-RFC-compliant header value. |
      | Check maximum number of parameters: maximum x parameters (default 500; max 5000) | The system compares the number of parameters in the request to the maximum configured number of parameters. |
      | Multiple host headers | Examines requests to ensure that they contain only a single "Host" header. |
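
To see which requests would trip these checks before they reach the WAF, the trigger conditions can be written as predicates over a raw request. The following is an added example, not Silverline's implementation: it re-implements a subset of the sub-modules listed above, and the function names, the simplified parsing and the sample request are assumptions made for illustration.

```python
import ipaddress

def is_ip_literal(host: str) -> bool:  # Host value, optionally with :port
    if host.startswith("["):              # bracketed IPv6, e.g. [::1]:8443
        host = host[1:].split("]")[0]
    elif host.count(":") == 1:            # name-or-IPv4 followed by :port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def compliance_violations(raw: bytes, max_headers: int = 20) -> list:
    """Names of the listed checks that a raw HTTP/1.x request fails."""
    found = []
    if raw.startswith((b"\r", b"\n")):
        found.append("CRLF characters before request start")
        raw = raw.lstrip(b"\r\n")
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return found + ["Unparsable request content"]
    method, version = parts[0], parts[2]
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (ln.partition(b":") for ln in lines[1:] if ln)]
    values = lambda name: [v for n, v in headers if n == name]
    lengths, hosts = values(b"content-length"), values(b"host")
    chunked = any(b"chunked" in v.lower() for v in values(b"transfer-encoding"))
    multipart = any(v.lower().startswith(b"multipart/") for v in values(b"content-type"))
    checks = [  # (condition that means "failed", sub-module name)
        (b"\x00" in head or (b"\x00" in body and not multipart), "Null in request"),
        (any(b > 127 for ln in lines[1:] for b in ln), "High ASCII characters in headers"),
        (any(v == b"" for _, v in headers), "Header name with no header value"),
        (len(headers) > max_headers, "Check maximum number of headers"),
        (len(lengths) > 1, "Several Content-Length headers"),
        (chunked and bool(lengths), "Chunked request with Content-Length header"),
        (method == b"POST" and not chunked and lengths == [b"0"], "POST request with Content-Length: 0"),
        (method in (b"GET", b"HEAD") and body != b"", "Body in GET or HEAD requests"),
        (version == b"HTTP/1.1" and not hosts, "No Host header in HTTP/1.1 request"),
        (len(hosts) > 1, "Multiple host headers"),
        (any(is_ip_literal(h.decode("latin-1")) for h in hosts), "Host header contains IP address"),
    ]
    return found + [name for failed, name in checks if failed]

# Constructed sample: duplicate Content-Length and an IP-literal Host header.
SAMPLE = (b"POST /login HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 5\r\n"
          b"Content-Length: 5\r\n\r\nhello")
```

Calling `compliance_violations(SAMPLE)` returns the names of the two checks the constructed request fails; the multipart, parameter-count and Content-Length value checks are not covered by this sketch.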

 
