Invalid Args Handler

Purpose

Arguments submitted through input boxes are frequently used to launch attacks such as SQL Injection. The Invalid Args Handler prevents manipulated arguments from reaching your web application at all.

To do this, the Invalid Args Handler checks the arguments of the request (both in the URL query string and in the body of an HTTP POST request). An argument is only valid if it matches at least one of the regular expressions given under valid key value pattern and at the same time does not match any of the regular expressions given under invalid key value pattern.

If an argument is invalid, vWAF denies the request with a configurable HTTP error code.

ATTENTION
After configuring and activating the Invalid Args Handler, thoroughly test the input forms of your web application once again to rule out unintended effects caused by imprecise patterns given under invalid key value pattern and valid key value pattern.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: high. (For details on severity levels, see Severity of Events Triggered by Handlers).

Recommendations for use

Use the Invalid Args Handler to validate inputs. Depending on the security requirements, you can get by with a few general rules here, or invest a considerable amount of time in recording all input fields of your web application in great detail. Creating the whitelist (valid key value pattern) requires detailed expertise relating to the web application being protected, but offers a considerable increase in security.

You can also use the Suggest Rules Wizard to prompt vWAF to suggest automatic rules for the Invalid Args Handler.

A simpler alternative to the Invalid Args Handler, in particular for protecting email boxes, is the Simple Form Protection Handler. As another alternative, you can use the Whitelist Handler to specify a whitelist instead of a blacklist.

Typically, you start by entering several patterns that don't permit any complex attacks such as SQL Injection, Command Injection or Cross-Site Scripting:

The pattern ^\w[A-Za-z0-9_-]{1,32}=\w[A-Za-z0-9_ -]{1,32}$ for example, permits a maximum alphanumeric value of 32 characters in all input boxes with alphanumeric names (plus underscore and -) (for syntax see Regular Expressions). This is usually enough to cover all selection lists.

It becomes problematic with names, passwords and free text. Here you should create a separate valid key value pattern for each form field. The following pattern would be suitable for a password input box, for example:

^password=.{0,32}$

This means that a field with the name password may contain any value of up to 32 characters.

Interaction with other handlers

The Invalid Args Handler ignores arguments that have already passed the Whitelist Handler.

Attributes

Attribute / Meaning

max allowed arguments

To prevent attacks that exploit interpretation errors of scripting languages, such as hash collision attacks, you can use this attribute to limit the number of arguments in a request. vWAF denies a request if it contains more arguments than the given number allows.

The default value is 100.

To allow an unlimited number of arguments, set the value to 0.

exclude from blacklist

List of regular expressions describing the pattern of form fields (keys) that are to be excluded from the blacklist check. The blacklist given under invalid key value pattern is ignored for these keys.

These keys are also allowed to occur multiple times even if the option reject duplicate keys is enabled.

(For details on the syntax, see Regular Expressions.)

ignore case invalid key value pattern

Enable this option if you want the invalid key value pattern to apply to any combination of upper case and lower case letters. For example, the statement ^hello$ then matches "hello" as well as "Hello", "HELLO" or "HeLLo". This can significantly simplify your regular expressions.

invalid key value pattern

Blacklist of regular expressions describing the pattern of invalid arguments.

For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed.

Each entry consists of two fields:

  • A description that helps you to document and identify your settings easily. You can enter any text here.
  • The pattern itself. First enter the name of the form field, followed by an equal sign and the (invalid) argument.

Example:

The entry ^.*?=.*?http.*$ matches the argument of any form field in which the character string http occurs, so such arguments are rejected while all others are accepted (e.g. to prevent program code being loaded from third-party websites, which is possible with PHP).

(For details on the syntax, see Regular Expressions.)

You can toggle the display of the pattern fields by clicking the green arrow symbols next to the description fields.

ignore case valid key value pattern

Enable this option if you want the valid key value pattern to apply to any combination of upper case and lower case letters. For example, the statement ^hello$ then matches "hello" as well as "Hello", "HELLO" or "HeLLo". This can significantly simplify your regular expressions.

valid key value pattern

Whitelist of regular expressions describing the pattern of valid arguments. Before the equal sign is the name of the form field, and after the equal sign is the (valid) argument.

For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed.

Some examples have already been entered by default. Delete these if required.

Examples:

The entry ^\w{1,63}=\w{1,63}$ accepts arguments for form fields whose field name consists of letters and numbers with a length between 1 and 63 characters, and whose value likewise consists only of letters and numbers with a length between 1 and 63 characters.

The entry ^\w{1,63}=.*$ accepts any arguments for the same form fields, and the arguments can also be empty.

(For details on the syntax, see Regular Expressions.)

reject duplicate keys

Activate this option to protect your web application against HTTP Parameter Pollution. If this option is enabled, vWAF denies all requests that include duplicate keys.

Keys matching the patterns given under exclude from blacklist are not checked; these parameters are allowed to occur multiple times.

error code

HTTP error code that vWAF returns when the request matches one of the regular expressions given under invalid key value pattern or doesn't match any of the regular expressions given under valid key value pattern.

(For an overview of possible error codes, see HTTP Error Codes)
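As an added example that is not part of vWAF or this documentation, the following Python script models the decision described for these attributes: the request's arguments are parsed, max allowed arguments and reject duplicate keys are applied, and each key=value pair must match at least one valid key value pattern and none of the invalid key value pattern entries unless its key matches exclude from blacklist. The configuration (including the ^comment$ exclusion and the comment pattern) is constructed for illustration, and regex semantics are those of Python's re module, which may differ in details from vWAF's engine.

```python
import re
from urllib.parse import parse_qsl

# Constructed handler configuration mirroring the attributes described above.
CONFIG = {
    "max_allowed_arguments": 100,               # 0 = unlimited
    "exclude_from_blacklist": [r"^comment$"],   # assumed key pattern
    "ignore_case_invalid": True,
    "invalid_key_value_pattern": [r"^.*?=.*?http.*$"],
    "ignore_case_valid": False,
    "valid_key_value_pattern": [
        r"^\w[A-Za-z0-9_-]{1,32}=\w[A-Za-z0-9_ -]{1,32}$",  # generic fields
        r"^password=.{0,32}$",                                # password box
        r"^comment=.{0,500}$",                                # assumed free text
    ],
    "reject_duplicate_keys": True,
    "error_code": 403,
}


def _compile(patterns, ignore_case):
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(p, flags) for p in patterns]


def check_request(query, config=CONFIG):
    """Return (allowed, http_status, reason) for a query string or POST body."""
    args = parse_qsl(query, keep_blank_values=True)
    valid = _compile(config["valid_key_value_pattern"], config["ignore_case_valid"])
    invalid = _compile(config["invalid_key_value_pattern"], config["ignore_case_invalid"])
    excluded = _compile(config["exclude_from_blacklist"], False)
    deny = config["error_code"]

    # max allowed arguments: 0 means unlimited.
    limit = config["max_allowed_arguments"]
    if limit and len(args) > limit:
        return False, deny, "too many arguments"

    # reject duplicate keys, except for keys excluded from the blacklist.
    if config["reject_duplicate_keys"]:
        seen = set()
        for key, _ in args:
            if any(e.search(key) for e in excluded):
                continue
            if key in seen:
                return False, deny, f"duplicate key {key}"
            seen.add(key)

    # Each key=value pair must hit the whitelist and miss the blacklist.
    for key, value in args:
        pair = f"{key}={value}"
        if not any(v.search(pair) for v in valid):
            return False, deny, f"no whitelist match: {pair}"
        if not any(e.search(key) for e in excluded) and any(i.search(pair) for i in invalid):
            return False, deny, f"blacklist match: {pair}"
    return True, 200, "ok"
```

Note that the first whitelist pattern requires at least two characters in both key and value, so a request like name=x is rejected for lacking a whitelist match.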

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable logging

Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller in case the handler creates a large number of entries but you don't need these entries.

When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider enabling reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.