
Q&A: What Behavior Patterns Does The "Evasion technique detected" Module Of The WAF Policy Check?

 

 Question

  • What is the "Evasion technique detected" WAF module?
  • What are the sub-modules/behavior patterns that "Evasion technique detected" checks for?

 

Environment

  • Silverline WAF
  • WAF Policy
  • Evasion technique detected

 

Answer

  • The WAF Policy module “Evasion technique detected” checks for the following sub-modules/behavior patterns. By default, these sub-modules trigger a WAF Violation.  
    • This category contains a list of validation checks that the system performs on HTTP requests to ensure that the requests are formatted properly.
      Sub-Module | Description
      Directory traversals | Ensures that directory traversal commands like ../ are not part of the URL. While requests generated by a browser should not contain directory traversal instructions, sometimes requests generated by JavaScript have them.
      Multiple decoding: considered an evasion after 4 decoding passes | The system decodes URI and parameter values multiple times according to the number specified before the request is considered an evasion. (The maximum passes can be configured up to 5.) See Q&A: What is Evasion technique detected: Multiple decoding?
      %u decoding | Performs Microsoft %u unicode decoding (%UXXXX where X is a hexadecimal digit). For example, the system turns a%u002fb to a/b. The system performs this action on URI and parameter input to evaluate if the request contains an attack.
      IIS backslashes | Normalizes backslashes (\) to slashes (/) for further processing.
      IIS Unicode codepoints | Handles the mapping of IIS specific non-ASCII codepoints. Indicates that, when a character is greater than '0x00FF', the system decodes %u according to an ANSI Latin 1 (Windows 1252) code page mapping. For example, the system turns a%u2044b to a/b. The system performs this action on URI and parameter input.
      Bare byte decoding | The system detects higher ASCII bytes (greater than 127).
      Apache whitespace | The system detects the following characters in the URI: 9 (0x09), 11 (0x0B) and 12 (0x0C).
      Bad unescape | The system detects illegal HEX encoding. Reports unescaping errors (such as %RR).
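
The checks in the table applied to a single URI, as an added example that is not Silverline's code. The function name evasion_checks, the order of the checks, the one-entry best-fit table (taken from the a%u2044b example above) and the reading of "after 4 decoding passes" as "the value still changes on the fourth pass" are assumptions.

```python
import re

MAX_PASSES = 4             # assumed: mirrors the "4 decoding passes" row
BEST_FIT = {0x2044: "/"}   # only the page's a%u2044b example, not a full table
PCT = re.compile(r"%(?:[uU]([0-9A-Fa-f]{4})|([0-9A-Fa-f]{2}))")
BAD = re.compile(r"%(?![uU][0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})")

def evasion_checks(uri):
    """Return (normalized_uri, set of sub-module names that would fire)."""
    hits = set()
    if any(ord(c) > 127 for c in uri):        # raw high bytes, modelled as chars
        hits.add("Bare byte decoding")
    if any(c in "\t\x0b\x0c" for c in uri):   # 0x09, 0x0B, 0x0C
        hits.add("Apache whitespace")
    if BAD.search(uri):                       # e.g. %RR, checked on raw input only
        hits.add("Bad unescape")

    def unescape(m):
        if m.group(1) is None:                # plain %XX
            return chr(int(m.group(2), 16))
        hits.add("%u decoding")
        cp = int(m.group(1), 16)
        if cp > 0xFF:
            hits.add("IIS Unicode codepoints")
        return BEST_FIT.get(cp, chr(cp))

    cur, passes = uri, 0
    while passes < MAX_PASSES:                # decode until stable or limit hit
        nxt = PCT.sub(unescape, cur)
        if nxt == cur:
            break
        cur, passes = nxt, passes + 1
    if passes == MAX_PASSES:
        hits.add("Multiple decoding")

    if "\\" in cur:
        hits.add("IIS backslashes")
        cur = cur.replace("\\", "/")
    if re.search(r"(?:^|/)\.\.(?:/|$)", cur): # checked after all normalization
        hits.add("Directory traversals")
    return cur, hits

# Constructed sample URIs (not captured traffic)
SAMPLES = ["/a%u002fb", "/a%u2044b", "/img/..%5c..%5cfile.txt",
           "/x%2525252Fy", "/q?p=%RR", "/tab\there", "/index.html"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", evasion_checks(s))
```

The traversal test runs last on purpose: /img/..%5c..%5cfile.txt contains no ../ until percent-decoding and backslash normalization have been applied, which is why the table lists the normalization steps alongside the traversal check.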

 
