Invalid Cookie Handler
Purpose
Similar to the arguments of input fields, cookies can also be manipulated and the manipulated values then used for an attack. The Invalid Cookie Handler prevents manipulated cookies from reaching your web application at all.
The Invalid Cookie Handler checks the attributes of the request to do this. The value of a cookie is only valid if it matches at least one of the regular expressions given under valid key value pattern and at the same time does not match any of the regular expressions given under invalid key value pattern.
If a value is invalid, vWAF denies the request with a configurable HTTP error code.
ATTENTIONAfter configuring and activating the Invalid Cookie Handler, thoroughly test the function of your web application once again to rule out unintended effects that may be caused by imprecise information given in the invalid key value pattern and valid key value pattern.
For more information regarding adding and editing Handlers, see Editing Handlers.
Severity
Events triggered by this handler are given the severity: low. (For details on severity levels, see Severity of Events Triggered by Handlers).
Recommendations for use
Use the Invalid Cookie Handler to validate the values of cookies. Depending on the security requirements, you can get by with a few general rules here, or invest a considerable amount of time in recording all cookies in your web application in great detail. Creating the whitelist (valid-key-value-pattern) requires detailed expertise relating to the web application being protected, but does offer a considerable increase in security. If no personalized user data is stored in the cookies, the simplest possible option is to permit only the values that are actually set by your web application, to the specific character.Attributes
Attribute | Meaning |
---|---|
match on raw cookie |
Usually, vWAF attempts to interpret all data in the same way as your web application would do. This means that it decodes data before it checks it. If, for any reason, you want to exercise the rules of the Invalid Cookie Handler on the raw cookie keys and values (undecoded), activate this option. |
ignore case invalid key value pattern |
Enable this option if you want the invalid key value pattern to apply to any combination of upper case and lower case letters. For example, the statement^hello$ then matches "hello" as well as "Hello", "HELLO" or "HeLLo". This can significantly simplify your regular expressions. |
invalid key value pattern |
Blacklist of regular expressions describing the pattern of invalid values. For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed. Each entry consists of two fields:
Example: The entry ^.*?=.*?http.*$ accepts any arguments for any cookies, but excludes those in which the character string http occurs. (For details on the syntax, see Regular Expressions.) You can toggle the display of the pattern fields by clicking the green arrow symbols next to the description fields. |
ignore case valid key value pattern |
Enable this option if you want the valid key value pattern to apply to any combination of upper case and lower case letters. For example, the statement ^hello$ then matches "hello" as well as "Hello", "HELLO" or "HeLLo". This can significantly simplify your regular expressions. |
valid key vale pattern |
Whitelist of regular expressions describing the pattern of valid values. Before the equal sign is the name of the cookie, and after the equal sign is the (valid) value. For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed. Some examples have already been entered by default. Delete these if required. Examples: The entry ^\w{1,63}=\w{1,63}$ accepts any values for cookies with names consisting of letters and numbers and a length between 1 and 63 characters, also consisting only of letters and numbers and with a length between 1 and 63 characters. The entry ^\w{1,63}=.*$ accepts any values for the same cookies, and the values can also be empty. (For details on the syntax, see Regular Expressions.) |
error code |
HTTP error code that vWAF returns when the request matches one of the regular expressions given under invalid key value pattern or doesn't match any of the regular expressions given under valid key value pattern. (For an overview of possible error codes, see HTTP Error Codes.) |
usertext |
Optional: Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave. |
enable logging |
Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller in case the handler creates a large number of entries but you don't need these entries. When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider to enable reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications). |
For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.