Handlers
You can modify the security configuration of vWAF in detail on the level of individual handlers. For general information on using handlers, see Editing Handlers.
Global handlers always relate to an entire application. They aren’t explicitly assigned to paths but are always executed, no matter which path a request relates to. Handler templates apply to an entire application as well. The settings of the handler template are inherited by the paths defined in the application. Inherited properties can be overwritten individually (see Types of Handlers and Attribute Inheritance for details). Individual handlers can also be added on path level.
vWAF provides a great variety of handlers for all security-related tasks. If you want to perform custom checks or modifications for which vWAF doesn’t supply a standard handler, you can use the Script Handler to run your own Python scripts.
Handler Group Connection
- Shortcut Handler (Global Handler)
Tells vWAF to ignore all other handlers for specific URLs. This can be used to increase performance for parts of your web application that are completely static and thus don’t involve the risk of an attack.
- Log Request Response Handler (Global Handler)
Logs all requests, including POST arguments, in a special log file, as well as response data. This information is used later by the Suggest Rules Wizard as the starting point for the suggested rules.
- Secure Connection Handler (Global Handler)
Prevents attacks on the SSL stack of the web server. If the required properties of the SSL connection aren’t met, vWAF denies the request with a configurable HTTP error code.
Required by the Session Handler if an SSL session ID is to be used.
- ICAP Client Handler
Provides the possibility to integrate with an ICAP server.
- Log Configuration Handler
Allows additional information to be logged in the log files.
- Valid Client IP Handler
Validates the IP address of the requesting client against a list of valid IP address ranges. Requests from an IP address outside these ranges are denied by vWAF with a configurable HTTP error code.
- Time Period Handler
Restricts the access to your web application or to parts of your web application (path) based on day of the week and time. Outside these permitted times, vWAF denies requests with a configurable HTTP error code.
- Limit Requests Per Second Handler
Limits the maximum number of requests to be processed per time unit. The calculation is based on the token bucket procedure. If the permitted contingent of requests is exhausted, vWAF denies further requests with HTTP error code 503 (Service Unavailable) until more tokens become available.
- Event Per IP Per Path Prefilter Handler
Special handler that triggers the Requests Per IP Per Path Per Timeframe Per Application Event Source. Only needed if this event source is to be used.
Handler Group Header
- Checks the validity of a request to ensure that it observes the syntax rules of the HTTP protocol and HTML code. If the request contains syntax errors, vWAF denies the request with the HTTP error code 403 (Forbidden).
- Limits the permitted HTTP methods for a request. Invalid requests are denied by vWAF with an HTTP error code conforming to the HTTP protocol.
- Notes an evaluation of the risk potential for each request in the log file. Evaluating these log file entries helps you later on to optimize the present security configuration even further.
- Generates a virtual robots.txt file, which is then supplied as the result of a request for the URL /robots.txt. This makes any robots.txt file already included in your web application ineffective.
- Checks requests for the presence of specific headers. If there’s no header of this type, vWAF denies the request with the HTTP error code 403 (Forbidden).
- Checks that the HTTP User-Agent header sent by the browser is permitted, using a blacklist and a whitelist. Non-permitted requests are denied by vWAF with a configurable HTTP error code.
- When this handler is active, vWAF denies all requests with the HTTP error code 403 (Forbidden). Usually path-specific and only used temporarily.
- Permits the dynamic generation of an HTTP redirect response as a response to the current request. If a request matches a predefined URL pattern, vWAF replaces this with a predefined character string.
- Checks requests for manipulated cookies. If a cookie contains a non-permitted character string, vWAF denies the request with a configurable HTTP error code.
- Response Header Security Handler
Enforces response header security options to improve client-side security and prevent attacks such as content hosted by vWAF being embedded in frames on untrusted pages, cross-site scripting, and attacks based on browser MIME-type vulnerabilities.
- Cross Origin Resource Sharing Handler
Checks and verifies, based on handler attributes and rules, whether or not to grant a browser cross-origin access to resources hosted by vWAF.
Handler Group Session
- Session Handler (Global Handler)
With an active Session Handler, vWAF establishes a separate, secure session between the web server and the client. A cryptographically secure session ID is transferred into a cookie in the process.
- Cookie Jar Handler (Global Handler)
Protects the cookies in your web application. Cookies are then no longer issued by the web server, but are stored by vWAF in the session created by the Session Handler. Protected cookies are therefore no longer forwarded to the client.
Must be used in combination with the Session Handler.
- OWA Protection Handler (Global Handler)
Protects the web application Microsoft Outlook Web Access in particular against brute force attacks and prevents access to third party mailboxes.
- Entry Point Handler (Global Handler)
Forces access to the web application to begin at specific URLs. When a session starts on a different URL, vWAF redirects to a specified URL.
Only has an effect when the Session Handler is also active.
- Url Encryption Handler (Global Handler)
Implements session-specific encrypted URLs. Redirects the request to a defined main page if the first request within a session is to a page that isn’t included in a defined entry point list. Dynamically encrypts all links to pages that are located below the main page in the directory structure.
- Referer Handler
Evaluates the HTTP referer header. In the event of access attempts with an undesirable HTTP referer, vWAF denies the request either with the HTTP error code 403 (Forbidden) or generates a redirect to a specific URL. Graylisting is possible as well. Only has an effect when the Session Handler is also active.
- Authentication Handler
Protects a path via authentication.
- Virtualize Form Field Handler
Encrypts form variables in POST requests with the help of the secure session ID generated by the Session Handler. This makes the field names unpredictable for an attacker.
Handler Group Input Protection
- Invalid Cookie Handler
Checks the URL given in a request. Requests with an invalid URL are denied by vWAF with a configurable HTTP error code.
- Content Type Handler
Limits the permitted content types for requests. Denies all requests that don’t state one of the configured content types.
- Whitelist Handler
Checks requests for manipulated arguments in input fields. vWAF accepts the request only if an argument matches a specified whitelist.
- Invalid Parameter Handler
Prevents manipulated URI parameters from reaching your web application.
- Invalid Args Handler
Checks requests for manipulated arguments in input fields. If an argument is invalid, vWAF denies the request with a configurable HTTP error code.
- Invalid Request Handler
Checks requests for invalid specifications of HTTP method, URI, arguments, parameters, header and body.
- Baseline Protection Handler
Implements the rules that are created automatically by the Baseline Protection Wizard.
- Invalid Body Text Handler
Checks the body of requests and responses for undesirable character strings. If this occurs, vWAF returns a configurable HTTP error code.
- Simple Form Protection Handler
Simplified form of the Invalid Args Handler. Also checks requests for manipulated arguments in input fields. If an argument is invalid, vWAF denies the request with a configurable HTTP error code.
- Protect Form Handler
Automatically scans all responses for hidden and protected form fields. By doing this, the handler automatically learns what these fields usually contain. If it later detects any suspicious discrepancy within a request, it denies this request with the HTTP error code 403 (Forbidden).
Handler Group Backend
- Hide Basic Auth Handler (Global Handler)
Lets an HTTP Basic Auth based authentication of the web server look like a session and form-based authentication to the user. Only has an effect if the Session Handler and the Cookie Jar Handler are also active.
- Application Virtualization Handler (Global Handler)
In requests, replaces one host name with another. As an option, also replaces the host name in responses if a specific content type is given in a response.
- Valid XML Handler
Returns an error code if the XML data sent with a request doesn’t adhere to a specified DTD.
- Check HTML Syntax Handler
Verifies the syntax of the HTML code returned by your web application.
- Response Body Filter Handler
Removes or replaces specific character strings from the body of the response returned to the user by the server.
- Script Handler
Allows you to execute a Python script. This enables you to expand the scope of vWAF functions according to your specific requirements.
Internal System Handlers
In addition to the configurable handlers mentioned in the groups above, there are also a number of internal system handlers. These handlers can’t be configured manually or added to a ruleset. However, if they become active, their names do appear in the log files (see Log File Entries).
- Block Traffic Handler
Generates a log file entry when a request has been denied because the traffic has been blocked in the application control (see Application Control).
- Bypass Ruleset Handler
Generates a log file entry when a request has been accepted because a ruleset has been deactivated in the application control.
- Malware Detection Handler
Internally needed for Malware detection.
- No Configuration Found Handler
Generates a log file entry if the host specified in a request didn’t match any configured host.
- No Customer Key Found Handler
Generates a log file entry if there’s a customer key specified in the enforcer options but you didn’t use this customer key for any application.
- No Matching Path Found Handler
Generates a log file entry if the host specified in a request was found, but no path matching the URL of the request is defined.
- Vulnerability Protection Handler
Internally needed for Vulnerability Management.