Q&A: What does tuning a parameter as a “file upload” in WAF mean?

Question

  • What does a parameter defined as a “file upload” do?
  • What is the difference between tuning an attack signature on a parameter and defining the parameter as file upload?

Environment

  • Silverline WAF
  • BIG-IP ASM
  • WAF Policy/Policies

Answer

An application may permit users to upload Word documents, Excel spreadsheets, PDF’s, and so forth.

This can cause many false positives when the web application is protected by a WAF policy, because the uploaded files may:

  • Contain attack signatures. Image files may be parsed as ASCII and suspicious-looking strings detected; Word or Excel documents may contain XSS tags or SQL injection strings. After all, Mr. ‘Select’ – ‘Union City’ -- is one of our most valuable customers (these are common keywords used in SQL injection attacks).
  • Contain illegal metacharacters, like the XSS tag characters <>
  • Be so large that the maximum request size (10 MB by default) is exceeded
  • Trip other violations

It is therefore necessary to inform the WAF policy that a particular parameter on a form is one that carries a file upload, so that checking for attack signatures and metacharacters on that parameter can be disabled.

Why not just disable the signature that is being triggered on that parameter?

Simply because more false positives will arise, as each uploaded file will differ from the last.

Other signatures that did not trigger before will then trigger, causing blocks and breaking the application's upload functionality. The parameter would require constant tuning (disabling each new signature as it comes up).

This means the best tuning option is to define the parameter as a file upload.
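To make the difference concrete, the following is an added toy model of the policy decision described above; it is example code written for this article, not F5 code, and its signature patterns, sample uploads and size limit are constructed for illustration only.

```python
import re

# Added example (not F5 code): a toy model of how a WAF policy treats a
# parameter before and after it is defined as a "file upload".
MAX_REQUEST_BYTES = 10 * 1024 * 1024  # default maximum request size from the article

# Illustrative signature patterns, constructed for this example only.
SIGNATURES = {
    "sql_quote_comment": re.compile(rb"'\s*--"),
    "sql_union_select": re.compile(rb"union\s+select", re.IGNORECASE),
    "xss_script_tag": re.compile(rb"<\s*script", re.IGNORECASE),
}
ILLEGAL_META = b"<>"


def check_parameter(value, param_type="user-input", disabled_signatures=()):
    """Return the violations a policy would raise for one parameter value.

    param_type "file upload" skips signature and metacharacter checks (what
    defining the parameter as a file upload does); the size check still runs.
    disabled_signatures models tuning individual signatures on the parameter.
    """
    violations = []
    if len(value) > MAX_REQUEST_BYTES:
        violations.append("request_too_large")
    if param_type == "file upload":
        return violations
    for name, pattern in SIGNATURES.items():
        if name not in disabled_signatures and pattern.search(value):
            violations.append("attack_signature:" + name)
    if any(c in ILLEGAL_META for c in value):
        violations.append("illegal_metachar")
    return violations


# Constructed uploads: two different documents the same form field might carry.
UPLOAD_1 = b"%PDF-1.4 Invoice for Mr. 'Select' -- 'Union City' <contact@example.org>"
UPLOAD_2 = b"PK\x03\x04 sales.xlsx: SELECT region UNION SELECT branch <script>"


def compare_tuning():
    """Show why disabling one signature does not stop the next upload from blocking."""
    first = check_parameter(UPLOAD_1)  # default handling of the first upload
    tuned = [v.split(":", 1)[1] for v in first if v.startswith("attack_signature:")]
    second = check_parameter(UPLOAD_2, disabled_signatures=tuned)  # still blocked
    as_upload = check_parameter(UPLOAD_2, param_type="file upload")  # clean
    return first, second, as_upload
```

Running `compare_tuning()` shows the first upload tripping one signature, the second tripping two different ones even after the first is disabled, and no violations once the parameter is a file upload, while an oversized body is still rejected regardless of type.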
