Response Body Filter Handler

Purpose

This handler is ignored in detection mode.

Removes or replaces specific character strings from the body of the response returned to the user by the server. This is used by the OWA Protection Wizard, for example, to deactivate JavaScript Code in the emails displayed to the user, by theBaseline Protection Wizard to block SQL error messages, and by the Payment Card Industry Wizard to make credit card number unrecognizable.

Generally speaking, you can always use the Response Body Filter Handler whenever you want to remove security-related data from the responses from the server. If an attacker does succeed in calling up security-related data, despite all the counter-measures in place, these are rendered unrecognizable by vWAF and the attacker can’t reach them.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: low. (For details on severity levels, see Severity of Events Triggered by Handlers).

Recommendations for use

Use the Response Body Filter Handler if you want to remove or replace specific character strings from responses. If, on the other hand, you want to block access when a specific character string occurs, you need to use the Invalid Body Text Handler.

Attributes

Attribute Meaning

replace content types

The Response Body Filter Handler carries out the replacements given in replace pattern only when the response has a specific content type (Internet Media Type, MIME Type).

Specify the content types for which the replacement is to be made.

Examples:

  • text/html

    HTML files (*.htm, *.html, *.shtml)

  • text/plain

    pure text files (*.txt)

replace pattern

In the left-hand column, enter the pattern to be replaced, and in the right-hand column, enter the pattern to be forwarded instead.

In this case, use Regular Expressions.

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable logging

Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller in case the handler creates a large number of entries but you don't need these entries.

When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider to enable reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.