Virtualize Form Field Handler

Purpose

The Virtualize Form Field Handler only has an effect when the Session Handler is also active. In detection mode, the Virtualize Form Field Handler is ignored.

The Virtualize Form Field Handler encrypts the form variables in POST requests, using the secure session ID generated by the Session Handler as key material. Because the resulting field names depend on the session, an attacker who does not hold the victim's session cannot predict them.

The Simple Form Protection Handler and Protect Form Handler perform a similar function but using different methods.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: medium. (For details on severity levels, see Severity of Events Triggered by Handlers.)

Recommendations for use

Enable the Virtualize Form Field Handler to prevent Cross-Site Request Forgery (CSRF, XSRF): a request forged from another site can only use the original, static field names, and vWAF does not hand such unencrypted variables to the application unless you explicitly allow decoding errors or whitelist the fields. Because the field names also differ from session to session, trojans that look for fixed field names have a harder time extracting usernames and passwords.

Attributes

Attribute Meaning

content types

Specifies the content types of requests for which vWAF encrypts the form variables.

whitelist

Optional:

Here you can specify a whitelist of form fields that aren't to be encrypted by the Virtualize Form Field Handler.

virtualize GET forms

By default the Virtualize Form Field Handler encrypts form variables in POST requests only. When this option is enabled, the handler also virtualizes forms sent via the GET method.

This is usually not recommended, because the encrypted names then appear in the query string of URLs, which may conflict with the standard URL syntax and with links that use the original parameter names.

allow decoding errors

If this option is enabled, vWAF hands over the data of variables whose names cannot be decoded (that is, variables that were not encrypted by the handler) to the web application, even if these variables aren't on the whitelist.

ATTENTION
For security reasons, this is generally not recommended. Your web application is then fully responsible for handling such unencrypted variables safely.

redirect tampering

If this option is enabled, when vWAF detects any form field tampering it redirects to the URL specified in the attribute redirect page.

redirect page

URL of the page that vWAF redirects to if it detects any form field tampering.

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable logging

Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller if the handler creates a large number of entries that you don't need.

When in detection mode, disabling logging de facto makes the handler ineffective (this handler is in any case ignored in detection mode, see Purpose). Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider enabling reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.
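The following model illustrates the mechanism described under Purpose and the effect of the whitelist, allow decoding errors, redirect tampering and redirect page attributes. It is an added example, not vWAF's own code: the product's encryption format is not documented on this page, so the SIV-style construction used here (a truncated HMAC tag plus an HMAC-derived keystream, both under a key derived from the session ID), the "v" alias prefix, the name="..." regex and all function names are assumptions made for this demo. The login form and session IDs are constructed sample data.

```python
"""Illustrative model of form-field virtualization (added example, not vWAF code).

Outgoing forms get per-session, opaque, authenticated field names; incoming
POST bodies are accepted only where the names decode under the same session
key. The cipher construction and alias format below are assumptions.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode

TAG_LEN = 8  # bytes of authentication tag carried in each alias (assumption)

# Constructed sample login form; not taken from any real application.
SAMPLE_FORM = (
    '<form method="POST" action="/login">'
    '<input name="username"><input type="password" name="password">'
    '<input type="hidden" name="lang" value="en"><input type="submit"></form>'
)


def session_key(session_id: str) -> bytes:
    """Derive a per-session key from the Session Handler's secure session ID."""
    return hashlib.sha256(b"virtualize-form-field:" + session_id.encode()).digest()


def _keystream(key: bytes, tag: bytes, length: int) -> bytes:
    """Expand HMAC(key, "stream" || tag || counter) into `length` bytes."""
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, b"stream" + tag + bytes([i]), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def virtualize_name(key: bytes, name: str) -> str:
    """Deterministic authenticated encryption of one field name (SIV style):
    same name and session give the same alias; another session gives a different,
    unpredictable one. Base32 without padding keeps the alias a legal name."""
    plain = name.encode()
    tag = hmac.new(key, b"tag" + plain, hashlib.sha256).digest()[:TAG_LEN]
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, tag, len(plain))))
    return "v" + base64.b32encode(tag + cipher).decode().rstrip("=").lower()


def devirtualize_name(key: bytes, alias: str):
    """Return the original field name, or None if `alias` is not a valid alias
    for this session (plain name, alias of another session, or tampered)."""
    if not alias.startswith("v"):
        return None
    body = alias[1:].upper()
    try:
        raw = base64.b32decode(body + "=" * (-len(body) % 8))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    tag, cipher = raw[:TAG_LEN], raw[TAG_LEN:]
    plain = bytes(c ^ s for c, s in zip(cipher, _keystream(key, tag, len(cipher))))
    expected = hmac.new(key, b"tag" + plain, hashlib.sha256).digest()[:TAG_LEN]
    return plain.decode() if hmac.compare_digest(tag, expected) else None


NAME_ATTR = re.compile(r'name="([^"]*)"')  # simplistic HTML handling (assumption)


def virtualize_form(key: bytes, html: str, whitelist=frozenset()) -> str:
    """Rewrite every name="..." in an outgoing form, except whitelisted fields."""
    def repl(m):
        name = m.group(1)
        return m.group(0) if name in whitelist else f'name="{virtualize_name(key, name)}"'
    return NAME_ATTR.sub(repl, html)


def process_post(key: bytes, body: str, whitelist=frozenset(),
                 allow_decoding_errors: bool = False, redirect_page=None):
    """Decode a POST body the way the handler attributes describe.
    Returns ("pass", {name: value}) when every field is whitelisted, decodes under
    this session's key, or is tolerated via allow_decoding_errors;
    ("redirect", redirect_page) on tampering when a redirect page is configured;
    ("deny", reason) otherwise."""
    decoded = {}
    for alias, value in parse_qsl(body, keep_blank_values=True):
        if alias in whitelist:
            decoded[alias] = value
            continue
        name = devirtualize_name(key, alias)
        if name is None:
            if allow_decoding_errors:
                decoded[alias] = value  # passed through untouched; the app must cope
                continue
            if redirect_page:
                return ("redirect", redirect_page)
            return ("deny", f"cannot decode field {alias!r}")
        decoded[name] = value
    return ("pass", decoded)


if __name__ == "__main__":
    key = session_key("demo-session-id-0001")  # the Session Handler supplies the real ID
    print(virtualize_form(key, SAMPLE_FORM, whitelist={"lang"}))
    genuine = urlencode({virtualize_name(key, "username"): "alice",
                         virtualize_name(key, "password"): "s3cret", "lang": "en"})
    print(process_post(key, genuine, whitelist={"lang"}))
    # A cross-site attacker knows only the static names and holds no session:
    print(process_post(key, "username=alice&password=x", redirect_page="/tampered.html"))
```

Running the script shows the rewritten form, the decoded genuine submission, and the redirect that a forged submission with static field names triggers. Switching allow_decoding_errors to True makes the forged body pass through with its plain names, which is exactly why the attribute carries the warning above.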