Baseline Protection Wizard

Purpose

To start the Baseline Protection Wizard, from the Application Control menu select an application, select the Wizards tab and click Baseline Protection Wizard.

The Baseline Protection Wizard provides your web application with comprehensive general protection, based on blacklisting of known vulnerabilities and attacks. This gives you a quick and efficient mechanism to protect your applications against security vulnerabilities and attacks. Another major advantage is that new baselines are made available when new types of attacks emerge. To take advantage of new baselines, you simply step through the wizard again to apply the updated ruleset. (For general information, see Baseline Protection and Configuring and Updating Baseline Protection.)

ATTENTION
You must commit and activate your configuration after you complete the wizard (see Committing and Activating Ruleset Changes). As with any changes to your rulesets, you must commit and activate the change to apply the baseline and protect your web application.

For more information regarding Wizards, see Using Wizards to Configure Applications.

Prerequisites

At least one baseline version needs to be available in your local database (see Baseline Management).

Attributes

Attribute Meaning

Update to latest version

(This option isn't available when the wizard is run for the first time for an application. In this case the wizard starts with Choose Baseline Version.) Select this option if you want to update the baseline to the most recent version.

If you applied manual changes to a configuration, the manual changes are not overwritten if you update a baseline. The wizard only adds definitions that do not affect your current manual settings.

Choose Baseline Version

(This attribute can only be configured if the option Update to latest version has not been activated.) Select this option to choose the baseline you want to apply.

Baseline Management allows you to view all the baseline rule definitions that are available in your local database.

Choose Baseline Categories

(This attribute can only be configured if the option Update to latest version has not been activated.) Baseline Categories describe different types of attacks. Each baseline rule belongs to one of these categories. Select the required options to enable or disable baseline protection for the different types of attack (see Basics of Web Application Security and Glossary):

  • Cross-Site Scripting (XSS)
  • Code Injection
  • LDAP Injection
  • Shell Command Injection
  • SQL Injection
  • Path Traversal
  • Common Attacks

For maximum security, we recommend you do not deactivate a category unless you are absolutely sure that your web application does not use any technology that is vulnerable to that category of attack, or unless you have manually configured appropriate handlers.

Excluded Headers

You can specify headers to be ignored by the Baseline Protection Handler. vWAF treats excluded headers as case insensitive (the case is ignored).

Note that the default header 'Referer' is added automatically.

If the Baseline Protection Handler was configured previously (prior to the release of the Baseline Protection Wizard excluded headers feature) and excluded headers were defined, the excluded headers are retained. Any new excluded headers that you define using the wizard are appended to the existing list.

Headers added here appear in the handler attribute: 'exclude_from_baseline_check'.

Excluded Arguments

You can define arguments to be ignored by the Baseline Protection Handler.

Note that the default argument '__viewstate' is added automatically.

If the Baseline Protection Handler was configured previously (prior to the release of the Baseline Protection Wizard excluded arguments feature) and excluded arguments were defined, the excluded arguments are retained. Any new excluded arguments that you define using the wizard are appended to the existing list.

New arguments added by the wizard can be entered and treated as case insensitive or case sensitive. By default, arguments are treated as case insensitive. This can be overridden, if required, using the Case Insensitive Arguments option below. If case sensitive arguments already exist (as part of a previous configuration), they are retained and the Case Insensitive Arguments option below is set to case sensitive.

Excluded arguments are added to the handler attribute: 'exclude_from_baseline_check'.

Case Insensitive Arguments

This determines whether arguments are treated as case insensitive or case sensitive. It sets the handler attribute: 'handle_excluded_args_case_insensitive'.

The Case Insensitive Arguments option is a global setting and applies to all arguments. Unless your baseline protection ruleset includes case sensitive arguments, it is recommended you keep the case insensitive (default) setting. However, if you require support for case sensitive arguments, you need to set this option to case sensitive.

If this is the first-time setup of baseline protection for the application, the parameter is enabled by default (and recommended). It ensures argument attributes are treated as case insensitive.

New arguments added by the wizard are treated as case insensitive by default. However, if case sensitive arguments already exist (as part of a previous configuration), they are retained and all arguments are treated as case sensitive (the default is overridden).

Choose Baseline Tags

(This attribute can only be configured if the option Update to latest version has not been activated.)

Baseline tags describe particular products or technologies that could be attacked. These include: XSS, ASP, Java LDAP, JSP, MySQL, Oracle, MS-Access, PHP, and MSSQL.

These tags are attached to baseline rules that are not generic for a category (for example, SQL Injection) but protect against attacks on a specific technology (such as SQL injection against a MySQL database). You enable the baseline tags required for your application. For example, deselect the MySQL tag to ignore all the rules that are MySQL specific.

For maximum security, we recommend you do not disable a tag unless you are absolutely sure that your web application does not use this technology, or unless you have manually configured appropriate handlers.

New Baseline Categories

(This attribute can only be configured if the option Update to latest version has been activated and if this baseline version features new baseline categories.) Activate all categories that correspond to any scenario of attack that your web application might be vulnerable to. When in doubt, we recommend activating all new categories.

New Baseline Tags

(This attribute is only available if a new Baseline Tag is included in an updated baseline.)

If a new Baseline Tag is available, you can choose to enable or disable the new tag.

For maximum security, we recommend you do not disable a tag unless you are absolutely sure that your web application does not use this technology, or unless you have manually configured appropriate handlers.

Reject Multiple Encoded Data

Certain types of data must be encoded, and vWAF is able to detect multiple-encoding evasion attempts. If this option is enabled, vWAF denies requests that exceed the maximum number of decoding steps.

More detailed options and settings are set in the Baseline Protection Handler.
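The following added example (not vWAF code and not taken from the product documentation) illustrates the idea behind counting decoding steps: a value is percent-decoded until it stops changing, and the argument is denied when that takes more passes than the limit. The function names, the limit of one pass, and the sample arguments are assumptions made for this illustration; only percent-encoding is modelled.

```python
from __future__ import annotations
from urllib.parse import unquote

# Assumed limit for this example: one decoding pass is normal for form and
# query data; vWAF's real limit is configured in the Baseline Protection Handler.
MAX_DECODING_STEPS = 1
HARD_CAP = 10  # stop decoding after this many passes to bound the work per value


def count_decoding_steps(value: str) -> tuple[int, str]:
    """Percent-decode until the value stops changing.

    Returns (passes that changed the value, value after the last pass).
    """
    steps = 0
    while steps < HARD_CAP:
        decoded = unquote(value)
        if decoded == value:  # fixed point: nothing left to decode
            break
        value = decoded
        steps += 1
    return steps, value


def rejected_arguments(args: dict[str, str],
                       max_steps: int = MAX_DECODING_STEPS) -> dict[str, int]:
    """Map each argument that exceeds max_steps to its decoding depth."""
    rejected = {}
    for name, raw in args.items():
        steps, _ = count_decoding_steps(raw)
        if steps > max_steps:
            rejected[name] = steps
    return rejected


# Constructed sample request arguments (not taken from real traffic).
SAMPLE_ARGS = {
    "q": "hello%20world",               # encoded once: normal
    "discount": "100%",                 # stray '%', not an escape: 0 passes
    "comment": "%253Cscript%253E",      # encoded twice
    "title": "%25253Cscript%25253E",    # encoded three times
}

if __name__ == "__main__":
    for name, depth in rejected_arguments(SAMPLE_ARGS).items():
        print(f"deny: argument {name!r} needs {depth} decoding passes")
```

A value that is decoded only once before inspection would still look harmless in the "comment" and "title" cases, which is why the decoding depth itself is treated as the signal.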

Handlers configured by the Baseline Protection Wizard

The Baseline Protection Wizard configures the following handler: