Glossary

Activation

In vWAF, activating means making a ruleset become effective so that it can analyze, log, and deny requests.

Admin node

In a cloud installation of vWAF an admin node (administration node) includes an administration master and a GUI server. See How vWAF Works.

Apache

Widely used open source HTTP server.

Application

In vWAF, so-called “applications” are a collection of settings and rulesets for a particular purpose. Applications in vWAF are not necessarily identical with the web applications that you want to protect. Several of your web applications may be handled by the same application in vWAF. But there may also be several applications in vWAF that handle distinct parts of a single web application. For details, see Application Mapping, Paths, Preconditions.

Application entry points

URLs where a normal user is intended to first access the website; usually the home page.

Application mapping

Application mapping maps your applications, and thus your rulesets, to -> Customer Key, -> Host, and -> Prefix. Essentially, application mapping determines which request is processed by which rulesets, and which settings are used. For details, see Application Mapping, Paths, Preconditions.

Application policy

Rulesets and settings of an -> Application.

Argument

Parameter or command sent in the header of a request or in a URL.

Baseline

Baselines are the rules used in Baseline Protection. We frequently provide new baselines. For details, see Baseline Protection.

Baseline protection

Baseline protection provides instant protection with almost no configuration work. Essentially, baseline protection is a sophisticated regular-expression-based blacklist of generally known vulnerabilities and attacks. For details, see Baseline Protection.

Basic auth

Basic access authentication. Method for an HTTP user agent to provide a user name and password. Uses static, standard HTTP headers. Transmitted credentials aren’t encrypted, therefore basic authentication is typically used in combination with HTTPS.

Blacklist

In contrast to a -> Whitelist, identifies something as not trustworthy. See also How Blacklists, Whitelists, and Graylists Are Processed.

Brute force attack

Trying out all possible combinations of an input or a session ID, for example, to hit upon a valid input.

Capability

The capability determines which vWAF features are available for protecting an application in principle. It depends on your individual vWAF license which capabilities you can choose from. For more information, see Assigning Capabilities and Editing Applications.

Client

General term for computers and application programs that access resources and services on a server. The communication is usually carried out via a computer network. The server is generally located on a different computer from the client. A typical example of a client is a browser. A browser makes contact with a web server and requests a specific website from that server.

Command injection

Smuggling of commands to a third party system (database, LDAP server, operating system) via a web application that simply forwards these commands on to the third party system as pure data.

Committing

In vWAF, changes to application mapping and changes to rulesets are only saved permanently when you commit these changes. Essentially, committing means sending the changes to the database. For details, see Editing Application Mapping and Committing and Activating Ruleset Changes.

Content length

Field within an HTTP header that specifies the number of bytes in the body of the request or response.

Content type

See -> MIME type.

Cookie

Small file, which a web server stores via the browser on the computer of the user. Each time a website is visited subsequently, these data packets are forwarded to the web server by the browser. Cookies can be used to save the user’s inputs or behavior, for example.

Cookie manipulation

Changing values of the cookies that the web application stores in the user’s browser to store a status. Usually, the browser should send these cookies back to the web application unchanged.

Cross site request forgery (CSRF, XSRF)

Smuggling commands into an existing user session. These commands are then executed using the rights of the attacked user.

Cross site scripting

Exploitation of a security loophole by inserting information from one context to another context. This can be carried out, for example, by entering some JavaScript code into the input field, the content of which is to be displayed on a forum, and which is then run by the browser (for a detailed description, see the separate topic on Cross Site Scripting).

Customer key

Optional key that enforcers can send so that a decider is able to identify a particular web server. Can be used to implement different handling for different customers. For details, see Application Mapping, Paths, Preconditions.

Decider

Component of vWAF that uses a set of guidelines stored in a configuration database to evaluate HTTP requests and make decisions on the actions to be taken. These are then implemented by the -> Enforcer.

Decider node

In a cloud installation of vWAF a decider node includes an admin slave and a decider. In addition, configuration, log files, and statistics are stored here. See How vWAF Works.

Deep linking

A website link to the content on a second, external site that wasn’t intended by the operator of the second site.

DELETE

One of various request methods supported by the HTTP protocol. Asks the server to delete the resource identified by the request URI. See also -> GET, -> POST, -> PUT.

Detection mode

In detection mode, vWAF monitors all requests as configured by the rules of the detection ruleset. vWAF writes all incidents to the log files, however it does not block any traffic. Typically this is used until a new or changed ruleset has been thoroughly tested. For details, see Detection Mode, Protection Mode.

DTD

Document Type Definition. An XML DTD defines what are the valid elements in a particular XML file, and what’s a valid structure of this file. A DTD can be declared inline inside an XML file or as an external reference.

Enforcer

Component of vWAF that captures every HTTP request and forwards it to the -> Decider for further investigation. The decisions made by the decider are then implemented by the enforcer: The HTTP request is accepted, modified or denied as appropriate.

Event destination

Event destinations determine the channels via which vWAF notifies you in the case of an event. For details, see Configuring Alerts.

Event source

Event sources are the occasions and conditions when vWAF alerts you. For details, see Configuring Alerts.

Full request logging

When full request logging is enabled for an application, vWAF logs the complete request header and the complete request body (up to a configurable size). You can later download the request headers and raw body data for further analysis. For details, see Editing Applications and Global Configuration.

GET

One of various request methods supported by the HTTP protocol. Designed to retrieve information from the server. As part of a GET request, some data can be passed within the URI’s query string, specifying, for example, search terms or other information that defines the query. See also -> DELETE, -> POST, -> PUT.

Graylist

In contrast to a -> Whitelist and a -> Blacklist, the entries on a graylist are as yet unresolved as to whether something is trustworthy. This is only determined in a second evaluation stage. For details, see How Blacklists, Whitelists, and Graylists Are Processed.

Handler

Program routine that becomes active when a specific event occurs. Handlers defined in vWAF are program routines of the decider, which check the requests using the rules stored.

Hidden parameter manipulation

Changing of values that are present as hidden input fields on form pages. These are often used to save a status. Many web applications rely on the fact that the browser returns the values unchanged.

Host

Computer on a network on which one or more servers are operated. (In colloquial language, hosts are often also known as “servers”.) See -> Server.

HTTP

Hypertext Transfer Protocol. Protocol for transmitting data across a network, mainly used to transmit websites and other data from the Internet to a browser.

HTTP method

The HTTP protocol defines various methods to indicate the desired action to be performed. Request methods include -> DELETE, -> GET, -> POST, and -> PUT.

HTTP referer

See -> Referrer.

HTTP request

See -> Request.

HTTP response

See -> Response.

ICAP

Internet Content Adaptation Protocol. Lightweight HTTP-like protocol used for extending proxy servers. Transactions are processed by ICAP Web servers. These ICAP servers focus on a specific task, such as virus scanning, content filtering, translation, ad insertion, etc.

IIS

Microsoft Internet Information Services. Alongside Apache HTTP Server, one of the most widely used web servers.

IP address

Internet Protocol Address via which a computer on the Internet can be addressed. For details, see Specifying IP Addresses.

ISA

Microsoft Internet Security and Acceleration Server. Used in particular to make Exchange Server services available on the Internet, such as -> OWA.

J2EE

Java 2 Platform Enterprise Edition. Enterprise Java computing platform, providing an API and runtime environment for building and deploying Web-based enterprise applications online. This includes network and web services.

LDAP

Lightweight Directory Access Protocol. Standard application protocol used for accessing and maintaining distributed directory information services over an IP-based network. Can be used to share information about users, systems, services, etc. throughout the network. A common application of LDAP is to provide a “single sign on”, sharing one user password among multiple services.

Log file

A log file records events that happen at runtime. You can later use the log files for in-depth analysis, or you can archive them for documentation purposes. vWAF writes several log files, such as the application-specific log files, the Default Error Log, the Audit Log, and the Event Log. For details, see Monitoring Attacks, Statistics, Log Files, Reports.

Man-in-the-middle

In man-in-the-middle attacks, the attacker positions himself between the two communication partners, for example between a salesperson and a customer. By pretending to be the other party to both participants according to the Janus Principle, the attacker is able to redirect data streams to his own address.

MIME type

Internet media type (named after the specification “Multipurpose Internet Mail Extensions”). Standard identifier used to indicate the type of data that a file contains. Used by email clients and web browsers, for example, to display or handle files correctly that aren’t in HTML format.

The MIME type consists of a type, a subtype, and optional parameters. Type and subtype are separated by a slash (/). An HTML file, for example, can be identified as text/html; charset=UTF-8. In this example, text is the type, html is the subtype, and charset=UTF-8 is an optional parameter.

The type for Microsoft Word files, for example, is application and the subtype is msword. So, together the complete MIME type is application/msword.
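A web application firewall has to compare Content-Type values against an allowed list, which means parsing the type, subtype and parameters described above rather than comparing raw strings (case, whitespace and quoting vary between clients). The following parser is an added example, not code from the vWAF product or its documentation; the class and function names are my own, and the sample header values are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# An HTTP "token" (RFC 7230 tchar); used for type, subtype, parameter names
# and unquoted parameter values.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# type "/" subtype, then whatever follows (the parameter section).
_TYPE_RE = re.compile(rf"^\s*({_TOKEN})/({_TOKEN})\s*(.*)$", re.DOTALL)
# One ";name=value" parameter; the value is either a quoted-string or a token.
_PARAM_RE = re.compile(rf'\s*;\s*({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))')


@dataclass
class MimeType:
    type: str                       # e.g. "text"
    subtype: str                    # e.g. "html"
    params: Dict[str, str] = field(default_factory=dict)  # e.g. {"charset": "UTF-8"}

    @property
    def essence(self) -> str:
        """type/subtype without parameters, lower-cased for comparison."""
        return f"{self.type}/{self.subtype}"


def parse_mime_type(value: str) -> Optional[MimeType]:
    """Parse a Content-Type header value; return None if it is malformed."""
    m = _TYPE_RE.match(value)
    if not m:
        return None
    main, sub, rest = m.groups()
    params: Dict[str, str] = {}
    pos = 0
    for pm in _PARAM_RE.finditer(rest):
        if pm.start() != pos:        # junk between two parameters: reject
            return None
        name, quoted, bare = pm.groups()
        if quoted is not None:
            raw = re.sub(r"\\(.)", r"\1", quoted)   # unescape \" and \\
        else:
            raw = bare
        params[name.lower()] = raw   # parameter names are case-insensitive
        pos = pm.end()
    if rest[pos:].strip(" \t;"):     # trailing garbage (e.g. "charset" with no "=")
        return None
    # Type and subtype are case-insensitive, so normalise them once here.
    return MimeType(main.lower(), sub.lower(), params)


def content_type_allowed(header_value: str, allowed_essences: Iterable[str]) -> bool:
    """Allow-list check on the normalised type/subtype; unparseable values are rejected."""
    mt = parse_mime_type(header_value)
    if mt is None:
        return False
    return mt.essence in {e.lower() for e in allowed_essences}


if __name__ == "__main__":
    # Constructed sample values, as a client might send them.
    for sample in ("text/html; charset=UTF-8", "application/msword",
                   'TEXT/Html ; Charset="utf-8"', "text/html; charset"):
        print(repr(sample), "->", parse_mime_type(sample))
    print(content_type_allowed("Application/JSON; charset=utf-8", ["application/json"]))
```

The essence (type/subtype) is what an allow-list should match on; parameters such as charset are kept separately so a policy can inspect them without defeating the match. Values that do not parse are treated as not allowed rather than passed through.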

Nginx

Open-source HTTP server, reverse proxy, and IMAP/POP3 proxy server.

OWA

Outlook Web Access. Service provided by the Microsoft Exchange Server. Using an interface designed to look very much like Outlook, emails, calendar, tasks, etc. can be edited from any computer with Internet access, regardless of location.

Path

Pattern created using a -> Regular expression to describe specific URLs (see -> URL) for which specific handling rules in vWAF can be configured (see also Application Mapping, Paths, Preconditions).

Payload

Actual body data of a request, that is, the “useful” part without all sorts of metadata overhead that are only needed for delivery. In computer security, payload can also refer to that part of malware that performs a malicious action.

Pharming

Manipulating entries in the Internet’s DNS infrastructure. Here the conversion of a host name, such as online-banking.mybank.com, to the IP-based addressing used on the Internet is modified. Attackers can then divert the access to the bank’s page to their own server, resulting in the same effect as in a phishing attack.

Phishing

Pretending to be someone else (e.g. a bank) to prompt the victim to disclose sensitive data such as their account number, PIN and TAN to the attacker. Usually carried out using emails that encourage victims to click a URL given in an email and to enter their data there. Both the emails and the website are maintained in a familiar design, e.g. of the bank.

Plug-in

An extra or add-on module that’s “linked in” to another software product to add extra functions to that product.

Port

Address component in network protocols that assigns data segments to the correct services (protocols) and applications. In an address such as www.someurl.com:8080, 8080 is the port number.

POST

One of various request methods supported by the HTTP protocol. Asks a web server to store the data enclosed in the request message’s body. Often used when uploading files or when submitting completed web forms. A header field in the POST request usually indicates the message body’s -> MIME type. See also -> DELETE, -> GET, -> PUT.

Precondition

Condition under which the -> Handlers stored for a -> Path become active. If multiple preconditions are defined for a path, all these preconditions must be met at the same time for vWAF to take the handlers defined for the path into account.

Prefix

You typically define Prefixes when you have different web applications on the same host, such as www.demo.com/shop and www.demo.com/blog. You can then set up different prefixes in vWAF such as /shop and /blog and map them to different -> Applications. For details, see Application Mapping, Paths, Preconditions.

Protection mode

When an application is in protection mode, the rules of the ruleset are actually enforced. This means that requests are actually denied in the case of an attempted attack. For details, see Detection Mode, Protection Mode.

PUT

One of various request methods supported by the HTTP protocol. Asks the server to store the enclosed entity under the supplied URI. If the URI refers to an already existing resource, this asks the server to modify the resource. If the URI refers to a resource that doesn’t exist, the server is asked to create the resource with that URI. See also -> DELETE, -> GET, -> POST.

Python

Popular high-level programming language. Often used as a scripting language.

Redirect

Automatic forwarding to another -> URL.

Reduced argument logging

If reduced argument logging is active, vWAF removes all URL parameters from logged requests so that no confidential information is written to the log files. For details, see Editing Applications.

Reduced logging

If reduced logging is active for a host, vWAF doesn’t create a log file entry for each request on this host, but only if one of the configured handlers has been active. This can prevent the log files from growing too big for hosts with high traffic. For details, see Editing Applications.

Referrer

When a user clicks on a link or on a button on the web, the browser sends the URL of the page where this link was present in what’s known as the referrer field of the HTTP header. This means a web application is able to find out where the user has come from to reach the page currently selected. Even if this information can be easily manipulated, certain plausibility checks can still be carried out here and specific attacks from third parties detected.

Regular expression

Powerful syntax for describing specific character strings (for a detailed description, see separate reference topic Regular Expressions).

Request

Refers generally to a request for data. HTTP requests are defined in the -> HTTP protocol. For example, the GET method requests contents from a server.

Response

Response from the server to a -> Request. A response consists of a header with information on the server and meta data on the requested object. The actual data then follows in the body of the response.

REST

Representational State Transfer. Almost always uses the HTTP protocol. So-called RESTful applications use HTTP requests for posting data (creating, updating), reading data, and deleting data. Although widely used, REST is not a standard.

Ruleset

All security settings you make are always related to a specific application. vWAF manages separate rulesets for each application.

Selector

A selector specifies the conditions under which vWAF evaluates a -> Precondition as fulfilled. For this purpose, specific attributes are stored for each selector.

Server

Software that runs the tasks requested by the -> Client. (In colloquial language -> Hosts are often also known as “servers”.) A web server is a server that makes information available via the Hypertext Transfer Protocol (HTTP).

Session

A session is a sequence of related -> HTTP Requests from the user to a web application. A status is managed within a session, such as the content of a shopping basket in a shop system. As the HTTP protocol wasn’t originally designed for sessions, sessions are implemented separately by each web application. Each session is usually identified by a unique -> Session ID.

Session cookie

Sessions can be realized using -> Cookies. To do this, a unique session ID is saved in a cookie to recognize a client again on subsequent visits.

Session hijacking

Take-over of a user session by an attacker. The attacker can then make use of the user’s rights in the process.

Session ID

Identifies a session. The session ID is transmitted to the browser by a cookie and sent along with each HTTP request to the web application. All authentication and authorization information is linked to this session ID. An attacker who is able to guess someone else’s session ID is able to take actions as that user.

Session ID guessing

Guessing the value of the session ID of another user. This is always possible if the generation of the session ID on the web application side is not secure.

Shell script

Script for running on the operating system level, typically under Unix. Comparable to batch files used in Windows.

SNMP

Simple Network Management Protocol. Standard TCP/IP protocol for network management. Mostly used by network management systems for monitoring and mapping network-attached devices for network availability, performance, and errors. To work with SNMP, network devices use a distributed Management Information Base (MIB). Network management software can use SNMP commands to read and write data in each device’s MIB.

SNMP trap

Data package sent from the -> SNMP client to the server without being explicitly requested. This notifies the management station of significant events.

Spider

Also called Web crawler. Program that systematically browses the World Wide Web.

SQL

Structured Query Language. Standardized query language for defining, querying and manipulating data in relational databases. Supported by almost all standard database systems.

SQL injection

Form of attack in which SQL commands smuggled via input fields are used, for example, to query or modify databases.

SSL

Secure Sockets Layer; encryption protocol originally developed by Netscape for secure data transmission between web server and browser.

Syslog

Standard for message logging. Supported by a wide variety of devices and across multiple platforms. The standardization makes it easy to integrate log data from various systems into one central repository.

Token bucket procedure

Ensures that a data stream doesn’t exceed a specific average over the long-term, but permits short-term data increases.

To do this, regularly calculated contingents are assigned for the data stream, which can be utilized or collected up to a specific limit. Literally speaking, this can be explained by imagining that tokens are being thrown into a bucket at regular intervals. When the bucket is full, no more tokens are given out.

For each data packet sent, tokens are again removed from the bucket. If there are no tokens left in the bucket, the contingent has been used up until more new tokens are added.

If less data is sent across a certain period than tokens are given out, these are collected in the bucket. This creates a credit balance, which allows larger quantities of data to be sent in the short term. In the long term, the transmission rate is limited by the rate at which tokens are given out, however. The size of the bucket determines the maximum credit balance that can be accumulated. This prevents the average data rate being exceeded across an excessively long period.
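The three paragraphs above describe the token bucket algorithm in words; the implementation below is an added example (my own code, not vWAF’s rate-limiting implementation) that shows the same behaviour numerically: a full bucket allows a burst up to its capacity, after which the long-term rate is bounded by the refill rate. The clock is injected so the simulation is deterministic; the request timestamps in the demo are constructed.

```python
import time
from typing import Callable, Dict, List, Sequence


class TokenBucket:
    """Token bucket: `capacity` tokens at most, refilled at `refill_rate` tokens/second."""

    def __init__(self, capacity: float, refill_rate: float,
                 now: Callable[[], float] = time.monotonic):
        self.capacity = float(capacity)
        self.refill_rate = float(refill_rate)
        self._now = now
        self._tokens = self.capacity     # bucket starts full: maximum credit balance
        self._last = now()

    def _refill(self) -> None:
        # Tokens are "thrown into the bucket" in proportion to elapsed time,
        # but never beyond the capacity: that caps the credit that can build up.
        t = self._now()
        elapsed = max(0.0, t - self._last)
        self._last = t
        self._tokens = min(self.capacity, self._tokens + elapsed * self.refill_rate)

    def try_consume(self, cost: float = 1.0) -> bool:
        """Remove `cost` tokens for one request; False means the contingent is used up."""
        self._refill()
        if self._tokens >= cost:
            self._tokens -= cost
            return True
        return False

    @property
    def tokens(self) -> float:
        self._refill()
        return self._tokens


class PerClientLimiter:
    """One bucket per client key (e.g. client IP), as a WAF would keep them."""

    def __init__(self, capacity: float, refill_rate: float,
                 now: Callable[[], float] = time.monotonic):
        self._args = (capacity, refill_rate, now)
        self._buckets: Dict[str, TokenBucket] = {}

    def allow(self, client: str) -> bool:
        bucket = self._buckets.get(client)
        if bucket is None:
            bucket = self._buckets[client] = TokenBucket(*self._args)
        return bucket.try_consume()


def simulate_requests(timestamps: Sequence[float], capacity: float,
                      refill_rate: float) -> List[bool]:
    """Replay requests at the given (non-decreasing) times; return allow/deny per request."""
    clock = [0.0]
    bucket = TokenBucket(capacity, refill_rate, now=lambda: clock[0])
    decisions = []
    for ts in timestamps:
        if ts < clock[0]:
            raise ValueError("timestamps must be non-decreasing")
        clock[0] = ts
        decisions.append(bucket.try_consume())
    return decisions


if __name__ == "__main__":
    # Constructed sample: six requests at t=0, three more at t=2 (capacity 5, 1 token/s).
    print(simulate_requests([0, 0, 0, 0, 0, 0, 2, 2, 2], capacity=5, refill_rate=1.0))
    # Sustained 2 requests/s for 10 s against 1 token/s: the burst credit is spent
    # by t=4 and afterwards only one request per second gets through.
    steady = [t for t in range(10) for _ in range(2)]
    print(sum(simulate_requests(steady, capacity=5, refill_rate=1.0)), "of", len(steady), "allowed")
```

In the first simulation the bucket starts full, so five requests pass at once and the sixth is denied; two seconds later two tokens have been added back and two more requests pass. In the second, 14 of 20 requests pass: the 5-token credit plus 9 seconds of refill, which is exactly the long-term bound the description gives.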

Update center

The update center (also referred to as update control center) provides a user interface for the Updater.

URI

Uniform Resource Identifier. Identifies the name of a resource to enable interaction with the resource over a network. The most common form of a URI is the uniform resource locator, the -> URL.

URL

Uniform Resource Locator. Identifies a resource via its primary access mechanism (generally HTTP or FTP) as well as a location. Informally this is also referred to as a “web address”. Example: http://www.mywebsite.com/demo.

User agent

Client used to access a network service, for example a browser. Many user agents send their name to the server in header rows during requests. This is why the term user agent is also used as a synonym for this parameter in an HTTP header.

Visual spoofing

Refers to an attack in which users are fooled into thinking that they’re in a trusted, secure environment. In reality, though, genuine elements of the browser have been replaced by falsified content on a manipulated website. For example, a “padlock icon” is shown in the status bar, even though there’s no secure HTTPS connection in place. Double-clicking on this icon opens a fake dialog window that displays a seemingly trustworthy certificate to the user.

Web application

Interactive Internet application with the functionality extending beyond the (static) display of individual pages. A web application is run on a web server. The interaction with the user is carried out entirely via a browser.

Web application firewall

Firewall that protects a web application from malicious requests or from requests that are unwanted for some other reasons. In addition, a web application firewall can also control the output of the web application. For example, it can filter out credit card numbers so that they don’t fall into the hands of an attacker even in the case of a “successful” attack.

Web client

See -> Client.

Web server

See -> Server.

Whitelist

In contrast to a -> Blacklist, identifies something as trustworthy. For details, see How Blacklists, Whitelists, and Graylists Are Processed.

Wizard

Sequence of interactive dialog windows that take the user through a complex task step by step. This means that the wizard divides a complex task into multiple, easy subtasks.

XML

eXtensible Markup Language. Encodes documents in a format that’s readable by both humans and machines. Used for a large variety of purposes.

XSS

See -> Cross Site Scripting and the reference topic Cross Site Scripting for more details.