How to set a security exception?


By Sagi

Incapsula offers several ways to add an exception to the WAF and security settings you have configured. To configure the suitable exception, it is highly recommended to first understand in which context the exception should be added.


1. WAF:

The various WAF exceptions can be found under the site's WAF tab, and include exceptions for Backdoor Protect, Remote File Inclusion, SQL Injection, Cross Site Scripting, Illegal Resource Access and DDoS:

Note that an exception affects only the section it was added under and does not affect other sections. For example, an exception under SQL Injection applies only to the values added under it and will not bypass other threats (such as Illegal Resource Access) that match the same exception.

Exceptions in the WAF do not affect security settings configured in the Security Access List.

  • Backdoor Protect: Backdoors are widely used by hackers for malicious purposes, such as sending spam and participating in DDoS attacks on other websites. Backdoor Protect allows you to detect and quarantine backdoors. In cases where an exception is required, it can be deployed based on: URL, Client app ID, IP, Country, User-Agent, HTTP Parameter.
  • Remote File Inclusion: Remote File Inclusion (RFI) is an attack that targets the computer servers that run Web sites and their applications. RFI exploits are most often attributed to the PHP programming language used by many large firms, including Facebook and SugarCRM. However, RFI can manifest itself in other environments and works by exploiting applications that dynamically reference external scripts indicated by user input without proper sanitization. As a consequence, the application can be instructed to include a script hosted on a remote server and thus execute code controlled by an attacker. The executed scripts can be used for temporary data theft or manipulation, or for a long-term takeover of the vulnerable server. In cases where an exception is required, it can be deployed based on: URL, Client app ID, IP, Country, User-Agent, HTTP Parameter.

  • SQL Injection: SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application. In cases where an exception is required, it can be deployed based on: URL, Client app ID, IP, Country, HTTP Parameter.

  • Cross Site Scripting: Cross-site scripting ('XSS' or 'CSS') is an attack that takes advantage of a Web site vulnerability in which the site displays content that includes un-sanitized user-provided data. For example, an attacker might place a hyperlink with an embedded malicious script into an online discussion forum. The purpose of the malicious script is to attack other forum users who happen to select the hyperlink; for example, it could copy user cookies and then send those cookies to the attacker. In cases where an exception is required, it can be deployed based on: URL, Client app ID, IP, Country, HTTP Parameter.
  • Illegal Resource Access: Detects attempts to access vulnerable or administrative pages, or to view or execute system files. This is commonly done using URL guessing, Directory Traversal, or Command Injection techniques. In cases where an exception is required, it can be deployed based on: URL, Client app ID, IP, Country, HTTP Parameter.
  • DDoS: A Distributed Denial of Service (DDoS) attack is a simple variation of a Denial of Service attack in which the attacker initiates the assault from multiple machines to mount a more powerful, coordinated attack. In cases where an exception is required, it can be deployed based on: URL, Client app ID, IP, Country.

2. Security Access List:  

The various access list exceptions can be found under the site's Security tab, and include exceptions for Bot Access Control, Block Countries, Block URLs, Block IPs and a general IP-based whitelist:

Note that an exception affects only the section it was added under and does not affect other sections. For example, an exception under Block URLs applies only to the values added under Block URLs and will not bypass values added in other sections, such as Block IPs, Block Countries or Bot Access Control.

Traffic allowed by an exception in the Security tab is still inspected by the WAF and will be blocked if necessary.

  • Bot Access Control: This list allows the user to restrict clients (search bots, crawlers, etc.) from visiting the site. Some bot traffic is blocked by default by Incapsula, and the user also has the ability to add clients to that list. In cases where an exception is required, it can be deployed based on: IP, URL, Client app ID, Country, User-Agent.
  • Block Countries: This list allows the user to restrict traffic based on the geo-location of the visitor. In cases where an exception is required, it can be deployed based on: URL, IP, Country, Client app ID.
  • Block URLs: This list allows the user to restrict traffic to specific resources. In cases where an exception is required, it can be deployed based on: URL, IP, Country, Client app ID.
  • Block IPs: This list allows the user to restrict traffic from specific IP addresses. In cases where an exception is required, it can be deployed based on: URL, IP, Country, Client app ID.

Whitelist Specific IP Sources (located under the Security tab):

In most cases it is best to whitelist under the specific context in which the block is made. However, there are cases where you want traffic from a specific source to bypass Incapsula's WAF and security settings entirely. In such cases, where the IPs are trusted and considered safe, add them to this list.


3. Exception fields and accepted values:

The available fields vary by section, but the accepted values remain the same. Also note that an exception may include one or more of the following fields:

  • IP - Single IP (1.2.3.4), Range (1.2.3.4 - 1.3.3.4), Subnet (1.2.3.4/16).
  • URL - exact URL (/admin); URL including all of its sub-folders (/example/*). Note that it is recommended to separate wildcard exceptions from exceptions for exact paths.
  • Client app ID - Any of the client app IDs known to Incapsula (such as Qualys Scanner).
  • Country - A specific country or continent.
  • User-Agent - Any of the known user agents, such as Chrome, Firefox, etc. A wildcard (*) can NOT be set here.
  • HTTP Parameter - A specific HTTP parameter name (not a value). A wildcard (*) can NOT be set here.
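The following is an added example, not Incapsula's own code or configuration format: a small Python model of the scoping rules this article describes across sections 1 to 3. It parses the three accepted IP formats and the two URL forms, treats each rule's exception list as private to that rule, keeps access-list exceptions subject to the WAF, and lets a whitelisted source bypass both. The rule names are the section names from the article; the request fields, the AND-semantics for a multi-field exception, and the trailing-`/*`-only wildcard handling are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the scoping rules described in the article (assumed
# semantics, not Incapsula's implementation): every rule keeps its own
# exception list, an exception with several fields matches only when all of
# its fields match, an access-list exception never bypasses the WAF, and a
# whitelisted source bypasses both.

WAF_RULES = ("Backdoor Protect", "Remote File Inclusion", "SQL Injection",
             "Cross Site Scripting", "Illegal Resource Access", "DDoS")
ACL_RULES = ("Bot Access Control", "Block Countries", "Block URLs", "Block IPs")


def ip_matches(entry: str, client_ip: str) -> bool:
    """IP field in the three accepted formats: single IP '1.2.3.4',
    range '1.2.3.4 - 1.3.3.4', or subnet '1.2.3.4/16' (host bits ignored)."""
    ip = ipaddress.ip_address(client_ip)
    entry = entry.strip()
    if "-" in entry:
        low, high = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return low <= ip <= high
    if "/" in entry:
        return ip in ipaddress.ip_network(entry, strict=False)
    return ip == ipaddress.ip_address(entry)


def url_matches(entry: str, path: str) -> bool:
    """URL field: exact path '/admin', or '/example/*' covering everything
    below that folder. Assumed: the wildcard appears only in that trailing form."""
    if entry.endswith("/*"):
        return path.startswith(entry[:-1])   # '/example/' prefix
    return path == entry


@dataclass
class Request:
    ip: str
    path: str
    country: str = ""
    client_app_id: str = ""
    user_agent: str = ""
    params: Tuple[str, ...] = ()   # names of HTTP parameters present in the request


@dataclass
class ScopedException:
    """One exception row; unset fields are ignored, set fields must all match."""
    ip: Optional[str] = None
    url: Optional[str] = None
    country: Optional[str] = None
    client_app_id: Optional[str] = None
    user_agent: Optional[str] = None
    http_parameter: Optional[str] = None

    def matches(self, req: Request) -> bool:
        checks = []
        if self.ip is not None:
            checks.append(ip_matches(self.ip, req.ip))
        if self.url is not None:
            checks.append(url_matches(self.url, req.path))
        if self.country is not None:
            checks.append(self.country == req.country)
        if self.client_app_id is not None:
            checks.append(self.client_app_id == req.client_app_id)
        if self.user_agent is not None:        # exact name, no wildcard
            checks.append(self.user_agent == req.user_agent)
        if self.http_parameter is not None:    # parameter name, not its value
            checks.append(self.http_parameter in req.params)
        return bool(checks) and all(checks)


Exceptions = Dict[str, List[ScopedException]]   # rule name -> its own exception list


def evaluate(req: Request, triggered: set, waf_exceptions: Exceptions,
             acl_exceptions: Exceptions, whitelist: List[str]) -> Tuple[str, str]:
    """Decide 'allow'/'block' for a request given the names of the rules whose
    detection fired on it (the detections themselves are outside this example)."""
    if any(ip_matches(entry, req.ip) for entry in whitelist):
        return ("allow", "whitelisted source bypasses WAF and access lists")
    # Each rule consults only its own list; an exception under another rule,
    # or under the other tab, is irrelevant to it.
    for source, rules in ((acl_exceptions, ACL_RULES), (waf_exceptions, WAF_RULES)):
        for rule in rules:
            if rule in triggered and not any(x.matches(req) for x in source.get(rule, [])):
                return ("block", rule)
    return ("allow", "every triggered rule was covered by its own exception")


if __name__ == "__main__":
    waf = {"Illegal Resource Access": [ScopedException(url="/example/*")]}
    acl = {"Block URLs": [ScopedException(url="/example/*", ip="1.2.3.4 - 1.3.3.4")]}
    req = Request(ip="1.2.200.9", path="/example/reports")
    # Block URLs is excepted for this source and path, but SQL Injection has no
    # exception of its own, so the request is still blocked by the WAF.
    print(evaluate(req, {"Block URLs", "SQL Injection"}, waf, acl, whitelist=[]))
    # -> ('block', 'SQL Injection')
```

The demo at the bottom is the situation the notes in sections 1 and 2 warn about: the access-list exception removes the Block URLs verdict, and the Illegal Resource Access exception covers the same path, but neither helps against a SQL Injection detection, which has no exception under its own section. Only the whitelist makes a source skip every check, which is why the article recommends scoping exceptions to the context of the block wherever possible.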

