Invalid Body Text Handler

Purpose

vWAF protects your web applications not only from the outside; it can also check the outgoing data stream at the same time. On the one hand, the Invalid Body Text Handler can prevent undesirable requests from reaching your web application. On the other hand, it can prevent security-relevant data from leaving your server should an attack ever be “successful” despite all the precautionary measures in place.

If the Invalid Body Text Handler detects an undesirable character string in the body of a request or a response, vWAF returns a configurable HTTP error code.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity high. (For details on severity levels, see Severity of Events Triggered by Handlers.)

Recommendations for use

Use the Invalid Body Text Handler if you want to check the body of requests or responses and want to generate an HTTP error code in the event of a blacklist match.

If you only want to check responses, and you want to delete or replace a specific character string instead of generating an HTTP error code, use the Response Body Filter Handler.

To prevent the forwarding of credit card numbers specifically, you should use the Payment Card Industry Wizard.

Attributes

Attribute Meaning

requestTriggerPattern

List of regular expressions describing the pattern of non-permissible requests.

Each entry consists of two fields:

  • A description that helps you to document and identify your settings easily. You can enter any text here.
  • The pattern itself. If a request matches one of the given patterns, vWAF returns the HTTP error code given under error code. (For details on the syntax, see Regular Expressions.)

You can toggle the display of the pattern fields by clicking the green arrow symbols next to the description fields.

responseTriggerPattern

List of regular expressions describing the pattern of non-permissible responses. If a response matches one of these patterns, vWAF returns the HTTP error code given under error code.

As with the attribute requestTriggerPattern, each pattern consists of a description field and the pattern itself.

For details on the syntax, see Regular Expressions.

content types

In order to achieve maximum performance, the handler only analyzes requests of the content types that are stated here.

errorcode

HTTP error code that vWAF returns when the request or the response matches one of the regular expressions given under requestTriggerPattern or responseTriggerPattern. (For an overview of possible error codes, see HTTP Error Codes.)

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable logging

Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller in case the handler creates a large number of entries but you don't need these entries.

When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider enabling reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.
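
The following Python sketch is an added example, not vWAF code. It models how the attributes above interact (description/pattern pairs for requestTriggerPattern and responseTriggerPattern, the content types list, and the error code) so that candidate patterns can be tried against sample bodies before they are entered in the handler. All patterns, settings and sample bodies are constructed; unanchored matching, applying the content type list to both directions, and Python's `re` syntax are assumptions that may differ from vWAF's own behaviour (see Regular Expressions).

```python
import re

# Constructed settings for illustration; not vWAF defaults.
REQUEST_TRIGGERS = [  # (description, pattern) pairs, as in requestTriggerPattern
    ("Inline script tag in submitted body", r"(?i)<script\b"),
]
RESPONSE_TRIGGERS = [  # (description, pattern) pairs, as in responseTriggerPattern
    ("MySQL error text leaking to client", r"You have an error in your SQL syntax"),
    ("PEM private key in response", r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
]
CONTENT_TYPES = {"text/html", "application/x-www-form-urlencoded"}
ERROR_CODE = 403


def check_body(body, content_type, triggers):
    """Return (ERROR_CODE, description) for the first matching entry,
    or (None, None) if the body passes or its content type is not analyzed."""
    # Assumption: media type is compared without parameters such as charset.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in CONTENT_TYPES:
        return None, None  # body is never inspected: a coverage gap to review
    for description, pattern in triggers:
        if re.search(pattern, body):  # assumption: unanchored match
            return ERROR_CODE, description
    return None, None


# Constructed sample bodies: (direction, body, Content-Type header).
SAMPLES = [
    ("request", "comment=<ScRipt src=x>", "application/x-www-form-urlencoded; charset=UTF-8"),
    ("request", '{"comment": "<script src=x>"}', "application/json"),
    ("response", "<p>You have an error in your SQL syntax near ...</p>", "text/html"),
    ("response", "<p>Order 1001 confirmed</p>", "text/html"),
]


def run_samples():
    """Evaluate every sample against the trigger list for its direction."""
    results = []
    for direction, body, ctype in SAMPLES:
        triggers = REQUEST_TRIGGERS if direction == "request" else RESPONSE_TRIGGERS
        results.append((direction, ctype, check_body(body, ctype, triggers)))
    return results


if __name__ == "__main__":
    for direction, ctype, (status, why) in run_samples():
        print(f"{direction:8} {ctype:50} -> {status or 'pass'} {why or ''}")
```

The second sample passes only because application/json is not in the content types list, which shows that the performance setting also decides which bodies the patterns ever see.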