If you want to create an advanced custom rule to virtually patch your unique web application, you must understand the syntax of rule conditions and filter actions. This page explains the different rule conditions and filter actions. You may also refer to the basic guideline to write rules to learn more about how to write a VasPatch rule.
The following syntax uses regular expressions, so you should have a basic understanding of regular expressions.
What is a VasPatch rule?
A rule is a set of conditions and filter actions used to filter particular malicious requests. To target a specific vulnerability or malicious request, the administrator may have to understand and know how to set a rule with conditions and filter actions.
Condition
A condition is a set of patterns used by our engine to identify whether a request matches the required URL, request method, parameter or content. The administrator can set each pattern one by one to make the condition more specific to the actual situation.
Match URL
Match the exact vulnerable URL. The URL includes the context path and query, and excludes the domain and protocol.
For example, if the vulnerable URL is http://www.testing.com/form.html?id=4, select Match URL and enter “form.html?id=4” (exclude the quotes) in the text field.
Match URL Regex
Match the vulnerable URL with a regular expression. The URL includes the context path and query, and excludes the domain and protocol.
For example, if the vulnerable URLs are http://www.testing.com/form.html?id=4 and http://www.testing.com/form.html?id=5, select Match URL Regex and enter “form\.html\?id=.*” (exclude the quotes) in the text field.
Match Path
Match the exact vulnerable URL path. Only the path has to be entered; exclude the domain and protocol.
For example, if the vulnerable URL is http://www.testing.com/form.html, select Match URL and enter “form.html” (exclude the quotes) in the text field.
Match Path Regex
Match the vulnerable URL path with a regular expression. Only the path has to be entered; exclude the domain and protocol.
For example, if the vulnerable URLs are http://www.testing.com/form1.html and http://www.testing.com/form2.html, select Match URL Regex and enter “form[12]\.html” (exclude the quotes) in the text field.
Match Method
Match the HTTP request method used in the request to the vulnerable URL. It should be either POST or GET.
For example, if the request to the vulnerable URL uses the POST method, select Match Method and enter “POST” (exclude the quotes) in the text field.
Match Method in Regex
Match the HTTP request method used in the request to the vulnerable URL with a regular expression.
For example, if the request to the vulnerable URL uses both the GET and POST methods, select Match Method and enter “(GET)|(POST)” (exclude the quotes) in the text field.
Match Header
Match a single header value in the HTTP header of the request message.
For example, if the request to the vulnerable URL contains the header value “Content-Type: application”, select Match Header and enter “Content-Type: application” (exclude the quotes and note the whitespace after the colon) in the text field.
Match Header Regex
Match a single header value in the HTTP header of the request message with a regular expression.
For example, if the request to the vulnerable URL contains a Content-Type header value of “application” with any media type, select Match Header Regex and enter “Content-Type: application/.*” (exclude the quotes and note the whitespace after the colon) in the text field.
Match Body Parameter
Match a single parameter name and parameter value pair in the POST message body.
For example, if the vulnerable POST request message contains a parameter name and value like “name=testing”, select Match Body Parameter and enter “name=testing” (exclude the quotes) in the text field.
Match Body Parameter Regex
Match a single parameter name and parameter value pair in the POST message body with a regular expression.
For example, if the vulnerable POST request message contains the parameter name “name” with any parameter value, select Match Body Parameter Regex and enter “name=.*” (exclude the quotes) in the text field.
As another example, if the vulnerable POST request message contains the parameter names “name1” and “name2” with any parameter value, select Match Body Parameter Regex and enter “name.*=.*” (exclude the quotes) in the text field.
Match Query
Match a single parameter name and parameter value pair in the request URL.
For example, if the vulnerable request URL contains a parameter name and value like “name=testing”, i.e. http://www.testing.com?name=testing, select Match Query and enter “name=testing” (exclude the quotes) in the text field.
Match Query Regex
Match a single parameter name and parameter value pair in the request URL with a regular expression.
For example, if the vulnerable request URL contains the parameter name “name” with any parameter value, select Match Query Regex and enter “name=.*” (exclude the quotes) in the text field.
As another example, if the vulnerable request URL contains the parameter names “name1” and “name2” with any parameter value, select Match Query Regex and enter “name.*=testing” (exclude the quotes) in the text field.
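This page does not state whether the engine matches a regex condition against the whole value or anywhere inside it, so it is worth checking each pattern both ways before deploying a rule. The following is an added example, not VasPatch code: it uses Python's re module as a stand-in for the engine's regex dialect (an assumption), and the sample inputs and the tighter pattern “name[12]=.*” are constructed for illustration.

```python
import re

def check(pattern, value):
    """Return (full, partial): does the pattern match the whole value,
    and does it match anywhere inside the value?"""
    rx = re.compile(pattern)
    return rx.fullmatch(value) is not None, rx.search(value) is not None

def audit(pattern, wanted, unwanted):
    """Compare a pattern with its intent under both matching semantics.
    Returns (problem, value) pairs; an empty list means it fits either way."""
    problems = []
    for value in wanted:
        full, partial = check(pattern, value)
        if not full:
            problems.append(("missed-if-full", value))
        if not partial:
            problems.append(("missed-if-partial", value))
    for value in unwanted:
        full, partial = check(pattern, value)
        if full:
            problems.append(("extra-if-full", value))
        if partial:
            problems.append(("extra-if-partial", value))
    return problems

# Patterns from this page, each with constructed inputs: values the rule is
# meant to catch, then values it is not meant to touch.
CASES = [
    (r"form[12]\.html", ["form1.html", "form2.html"],
     ["form3.html", "platform1.html"]),
    (r"name.*=.*", ["name1=a", "name2=b"],
     ["nameserver=x", "username=bob"]),
    # Constructed tighter alternative, modelled on the page's form[12] pattern.
    (r"name[12]=.*", ["name1=a", "name2=b"],
     ["nameserver=x", "username=bob"]),
]

if __name__ == "__main__":
    for pattern, wanted, unwanted in CASES:
        print(pattern, audit(pattern, wanted, unwanted))
```

An “extra” entry means the rule would also rewrite requests it was not written for; a “missed” entry means a vulnerable request would pass through unfiltered.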
Filter Action
A filter action is the operation performed when a request matches the conditions of a rule. The filter action replaces or updates the original request URL, request header or request body. The filtered request is then passed to the web server. The action can be chosen depending on the need.
Replace URL
Replace the URL of the request by replacing the original path with a new path. It acts like redirecting the vulnerable URL to a safe one.
For example, to redirect the vulnerable URL to an error page “/error/index.html”, select Update URL and enter “/error/index.html” (exclude the quotes) in the text field.
Replace Query
Replace the parameter value of a single parameter name-value pair in the request URL that matches the given parameter name.
For example, suppose that in a URL the parameter “id=20” is vulnerable and “id=10” is safe. To replace the parameter value, select Update Query and enter “id=10” (exclude the quotes) in the text field.
Replace Method
Replace the HTTP method of the request with the given method. (Changing the HTTP method is not recommended.)
For example, if the GET method of a request URL is vulnerable and POST should be used, select Update Method and enter “POST” (exclude the quotes) in the text field.
Replace Header
Replace a single header value in the HTTP header of the request message.
For example, if the request to the vulnerable URL contains the header value “Content-Type: application” and it should change to “text”, select Match Header and enter “Content-Type: text” (exclude the quotes and note the whitespace after the colon) in the text field.
Replace Body Parameter
Replace the parameter value of a single parameter name-value pair in the POST request that matches the given parameter name.
For example, suppose that in a POST URL the parameter “id=20” is vulnerable and “id=10” is safe. To replace the parameter value, select Update Body Parameter and enter “id=10” (exclude the quotes) in the text field.
Filter Query
Filter all the given characters from the parameter value in the request URL that matches the given parameter name.
For example, if the characters 't' and 's' are supposed to be filtered from the parameter “name” where "name=testing", select Update Query by Filter Character and enter “name=ts” (exclude the double quotes) in the text field. The result will be "name=eing".
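To preview what the web server will receive after a Replace Query or Filter Query action, the two operations can be modelled offline. This is an added example, not VasPatch code: the function names are hypothetical, the rule text is assumed to split at the first “=”, and the model works on the URL-decoded parameter value, which is an assumption about the engine that should be confirmed on a test system.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def _rewrite_query(url, name, fn):
    """Apply fn to the value of every query parameter called `name`,
    leaving all other parameters as they were."""
    parts = urlsplit(url)
    pairs = [(k, fn(v) if k == name else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def filter_query(url, rule):
    """Model of Filter Query: rule is 'name=chars'; every listed character
    is removed from that parameter's (decoded) value."""
    name, _, chars = rule.partition("=")
    drop = str.maketrans("", "", chars)
    return _rewrite_query(url, name, lambda value: value.translate(drop))

def replace_query(url, rule):
    """Model of Replace Query: rule is 'name=value'; the value replaces
    whatever the request carried for that parameter."""
    name, _, value = rule.partition("=")
    return _rewrite_query(url, name, lambda _old: value)

if __name__ == "__main__":
    # Constructed request combining the page's "name=testing" and "id=20".
    url = "http://www.testing.com/form.html?name=testing&id=20"
    print(filter_query(url, "name=ts"))
    print(replace_query(url, "id=10"))
    # Same value with two characters percent-encoded: the model filters
    # the decoded value, so the result is still name=eing.
    print(filter_query("http://www.testing.com/?name=%74e%73ting", "name=ts"))
```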
Filter Body Parameter
Filter all the given characters from the parameter value in the POST request body that matches the given parameter name.
For example, if the characters 't' and 's' are supposed to be filtered from the parameter “name” where "name=testing", select Update Body Parameter by Filter Character and enter “name=ts” (exclude the double quotes) in the text field. The result will be "name=eing".
Replace URL String
Replace a word in the request URL with any word.
For example, if the vulnerable request URL is http://www.testing.com/test/index.html and it should be redirected to the error page http://www.testing.com/test/error.html, select Replace Given String in URL and enter “index=error” (exclude the double quotes) in the text field.