DenyRules

microgateway.airlock.com/v1alpha1


DenyRules configures request filtering using Airlock built-in and custom deny rules. Deny rules establish a negative security model: they define prohibited patterns which, when matched in a request, cause the request to be blocked before it reaches the upstream web application. To handle possible false positives, lower the security level or define fine-granular deny rule exceptions. If undefined, default settings are applied, designed to work with most upstream web application services.

apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: deny-rules-example
spec:
  request:
    builtIn:
      settings:
        # Use the deny rules in security level 'Strict'
        level: Strict
        # Explicitly set the 'threatHandlingMode' to 'Block'
        threatHandlingMode: Block
      overrides:
        # Set the deny rule security level to 'Standard' for
        # the deny rule 'XSS' if it is applied to request parameters.
        - conditions:
            ruleKeys:
              - XSS
            types:
              - Parameter
          settings:
            level: Standard
      exceptions:
        # Define a deny rule exception for the deny rule 'SQL'
        # for the query parameter 'search' on GET requests whose path
        # starts with the prefix '/member/'.
        - blockedData:
            parameter:
              name:
                matcher:
                  exact: search
              source: Query
          requestConditions:
            path:
              matcher:
                prefix: /member/
            method:
              - GET
          ruleKeys:
            - SQL
    custom:
      rules:
        # Define a custom deny rule which blocks requests
        # containing a 'referer' header matching the regex '.*bad.tv'.
        - ruleKey: CM_REFERRER_BLOCK
          blockData:
            header:
              name:
                matcher:
                  exact: referer
              value:
                matcher:
                  regex: .*bad.tv
---
# Default DenyRules, applied when none are defined
apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: default
spec:
  request:
    builtIn:
      settings:
        level: Standard
        threatHandlingMode: Block
    custom: {}
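The field reference below states several constraints a manifest must satisfy (exactly one matcher kind, no empty prefix/suffix/contains, one kind of blockedData or blockData, known rule keys, a unique ruleKey per custom rule). The following structural lint, an added example and not Airlock's own code or validation, checks those constraints on a manifest loaded into dict form; the sample manifest at the bottom is constructed and contains deliberate mistakes.

```python
import re

RULE_KEYS = {"SCANNING", "IDOR", "ENCODING", "HTML", "HPP", "EXPLOIT", "LDAP",
             "NOSQL", "OGNL", "PHP", "PROTOCOL", "SANITY", "SQL", "TEMPLATE",
             "UNIXCMD", "WINCMD", "XSS"}
SOURCES = {"Query", "Post", "Any"}
MATCH_KINDS = ("exact", "prefix", "suffix", "regex", "contains")
DATA_KINDS = ("parameter", "header", "path", "json")


def check_matcher(obj, where, errors, header_name=False):
    """obj is a {matcher: {...}} object; header-name matchers have no ignoreCase."""
    m = (obj or {}).get("matcher")
    if not isinstance(m, dict):
        errors.append(f"{where}: matcher is required")
        return
    kinds = [k for k in MATCH_KINDS if k in m]
    if len(kinds) != 1:
        errors.append(f"{where}: exactly one of {MATCH_KINDS} must be set")
        return
    kind = kinds[0]
    if kind in ("prefix", "suffix", "contains") and m[kind] == "":
        errors.append(f"{where}: empty {kind} is not allowed, use regex instead")
    if kind == "regex":
        try:
            re.compile(m["regex"])  # Python re stands in for RE2 syntax here
        except re.error as exc:
            errors.append(f"{where}: invalid regex: {exc}")
    if header_name and "ignoreCase" in m:
        errors.append(f"{where}: header names are always matched ignoring case")


def check_data(data, where, errors):
    """blockedData (exceptions) and blockData (custom rules) share one shape."""
    kinds = [k for k in DATA_KINDS if k in data]
    if len(kinds) != 1:
        errors.append(f"{where}: exactly one of {DATA_KINDS} must be set")
        return
    kind, d = kinds[0], data[kinds[0]]
    if kind == "json" and "key" in d and "value" in d:
        errors.append(f"{where}.json: at most one of key and value can be set")
    if kind == "parameter" and d.get("source", "Any") not in SOURCES:
        errors.append(f"{where}.parameter.source: must be one of {sorted(SOURCES)}")
    # A path carries its matcher directly; the other kinds nest it under
    # name, key or value.
    targets = {"": d} if kind == "path" else {
        f: d[f] for f in ("name", "key", "value") if f in d}
    for field, obj in targets.items():
        check_matcher(obj, f"{where}.{kind}" + (f".{field}" if field else ""),
                      errors, header_name=(kind == "header" and field == "name"))


def validate(manifest):
    """Return a list of findings; an empty list means the manifest passed."""
    errors = []
    req = manifest.get("spec", {}).get("request", {})
    for i, e in enumerate(req.get("builtIn", {}).get("exceptions", [])):
        for bad in sorted(set(e.get("ruleKeys", [])) - RULE_KEYS):
            errors.append(f"exceptions[{i}].ruleKeys: unknown rule {bad}")
        if "blockedData" in e:
            check_data(e["blockedData"], f"exceptions[{i}].blockedData", errors)
    seen = set()
    for i, r in enumerate(req.get("custom", {}).get("rules", [])):
        key = r.get("ruleKey")
        if not key or key in seen:
            errors.append(f"custom.rules[{i}]: ruleKey is required and must be unique")
        seen.add(key)
        if "blockData" not in r:
            errors.append(f"custom.rules[{i}]: blockData is required")
        else:
            check_data(r["blockData"], f"custom.rules[{i}].blockData", errors)
    return errors


# Constructed sample in the dict form a YAML loader would produce, with four
# deliberate mistakes so that the findings are visible.
SAMPLE = {
    "apiVersion": "microgateway.airlock.com/v1alpha1", "kind": "DenyRules",
    "spec": {"request": {
        "builtIn": {"exceptions": [
            {"blockedData": {"parameter": {"name": {"matcher": {"exact": "search"}},
                                           "source": "Query"}},
             "ruleKeys": ["SQL"]},                                  # valid
            {"blockedData": {"path": {"matcher": {"prefix": ""}}},  # empty prefix
             "ruleKeys": ["SQLI"]},                                 # unknown key
        ]},
        "custom": {"rules": [
            {"ruleKey": "CM_REFERRER_BLOCK",
             "blockData": {"header": {"name": {"matcher": {"exact": "referer"}},
                                      "value": {"matcher": {"regex": ".*bad.tv"}}}}},
            {"ruleKey": "CM_REFERRER_BLOCK",                        # duplicate key
             "blockData": {"path": {"matcher": {"prefix": "/x"}},   # two kinds set
                           "json": {"key": {"matcher": {"exact": "k"}}}}},
        ]},
    }},
}

FINDINGS = validate(SAMPLE)
```

Running the lint before `kubectl apply` catches these mistakes earlier than the API server's admission errors, and in plainer language.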

DenyRules

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata | yes | | |
| spec | object | Specification of the desired deny rules behavior. | no | | |

DenyRules.spec

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| request | object | Request configures deny rules for downstream requests. | no | | |

DenyRules.spec.request

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| builtIn | object | BuiltIn configures the built-in deny rules. | no | | |
| custom | object | Custom allows configuring additional deny rules. | no | | |

DenyRules.spec.request.builtIn

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| exceptions | object[] | Exceptions allows defining exceptions for specific requests and deny rules. | no | | |
| overrides | object[] | Overrides allows overriding the builtIn settings for specific deny rules. | no | | |
| settings | object | Settings contains the keys which will be adjusted. | no | | |

DenyRules.spec.request.builtIn.exceptions[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| blockedData | object | BlockedData defines an exception based on the request data causing the block. This can either be a parameter, header, path or JSON property. | no | | parameter{}, header{}, path{}, json{} |
| requestConditions | object | RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. | no | | |
| ruleKeys | DenyRuleKey[] | RuleKeys restricts the exception to a set of deny rules. | no | | SCANNING, IDOR, ENCODING, HTML, HPP, EXPLOIT, LDAP, NOSQL, OGNL, PHP, PROTOCOL, SANITY, SQL, TEMPLATE, UNIXCMD, WINCMD, XSS |

DenyRules.spec.request.builtIn.exceptions[].blockedData

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | object | Header defines an exception based on a blocked header. Only one of parameter, header, path or json can be set. | no | | |
| json | object | JSON defines an exception based on a blocked JSON property. Only one of parameter, header, path or json can be set. | no | | |
| parameter | object | Parameter defines an exception based on a blocked parameter. Only one of parameter, header, path or json can be set. | no | | |
| path | object | Path defines an exception based on the blocked path. Only one of parameter, header, path or json can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
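The matcher tables describe one StringMatcher shape that recurs throughout this reference: exactly one of exact, prefix, suffix, regex or contains, an optional ignoreCase, RE2 regex syntax with single-line dot matching unless the pattern starts with (?s), and header names always compared ignoring case. The evaluator below is an added example, not Airlock's own matching code; it assumes that a regex must match the entire value (the page's own `.*bad.tv` example suggests anchored matching) and uses Python's `re` in place of RE2.

```python
import re

MATCH_KINDS = ("exact", "prefix", "suffix", "regex", "contains")


def matches(matcher: dict, value: str) -> bool:
    """Return True if value satisfies the matcher; ValueError on a malformed one."""
    kinds = [k for k in MATCH_KINDS if k in matcher]
    if len(kinds) != 1:
        raise ValueError("exactly one of exact, prefix, suffix, regex or contains")
    kind, pattern = kinds[0], matcher[kinds[0]]
    ignore_case = bool(matcher.get("ignoreCase", False))
    if kind in ("prefix", "suffix", "contains") and pattern == "":
        raise ValueError(f"empty {kind} is not allowed, use regex instead")
    if kind == "regex":
        # Python's re stands in for RE2: in both, '.' does not cross a newline
        # unless the pattern starts with (?s). re.IGNORECASE is the flag form
        # of the (?i:...) wrapping the reference describes.
        flags = re.IGNORECASE if ignore_case else 0
        # Assumption: the whole value must match, hence fullmatch, not search.
        return re.fullmatch(pattern, value, flags) is not None
    if ignore_case:
        pattern, value = pattern.casefold(), value.casefold()
    if kind == "exact":
        return value == pattern
    if kind == "prefix":
        return value.startswith(pattern)
    if kind == "suffix":
        return value.endswith(pattern)
    return pattern in value  # contains


def first_blocking_rule(rules, header_name, header_value):
    """ruleKey of the first custom header rule (blockData.header) that fires."""
    for rule in rules:
        h = rule["blockData"].get("header")
        if not h:
            continue
        # Header names are always matched ignoring case (name matcher tables).
        name_ok = matches({**h["name"]["matcher"], "ignoreCase": True}, header_name)
        value_ok = "value" not in h or matches(h["value"]["matcher"], header_value)
        if name_ok and value_ok:
            return rule["ruleKey"]
    return None


# Constructed rule list mirroring the page's CM_REFERRER_BLOCK example.
CUSTOM_RULES = [
    {"ruleKey": "CM_REFERRER_BLOCK",
     "blockData": {"header": {"name": {"matcher": {"exact": "referer"}},
                              "value": {"matcher": {"regex": ".*bad.tv"}}}}},
]
```

Note that the unescaped `.` in `.*bad.tv` also matches values such as `embadstv`; escape it as `bad\.tv` when the literal dot is meant.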

DenyRules.spec.request.builtIn.exceptions[].blockedData.json

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| jsonPath | string | JSONPath defines the JSONPath pattern to match the path within the JSON. | no | | |
| key | object | Key defines the key of the JSON property. At most one of key and value can be set. | no | | |
| value | object | Value defines the value of the JSON property. At most one of key and value can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.key

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.key.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a parameter. | no | | |
| source | enum | Source defines the source of the parameter. | no | Any | Query, Post, Any |
| value | object | Value defines the value of a parameter. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.path

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.path.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | object | Header defines the matching headers of a request. | no | | |
| invert | bool | Invert indicates whether the request condition should be inverted. | no | false | true, false |
| mediaType | object | MediaType defines the matching media type from the content-type header of a request. | no | | |
| method | enum[] | Method defines the matching methods of a request. | no | | GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE |
| path | object | Path defines the matching path of a request. | no | | |
| remoteIP | object | RemoteIP defines the matching remote IPs of a request. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.mediaType

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.mediaType.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.path

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.path.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.remoteIP

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| cidrRanges | string[] | CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. | yes | | |
| invert | bool | Invert indicates whether the match should be inverted. | no | false | true, false |

DenyRules.spec.request.builtIn.overrides[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| conditions | object | Conditions select which built-in deny rules’ settings will be adjusted. | no | | |
| settings | object | Settings override the corresponding properties for the selected rules. | no | | |

DenyRules.spec.request.builtIn.overrides[].conditions

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| ruleKeys | DenyRuleKey[] | RuleKeys is a list of built-in deny rule names. | no | | SCANNING, IDOR, ENCODING, HTML, HPP, EXPLOIT, LDAP, NOSQL, OGNL, PHP, PROTOCOL, SANITY, SQL, TEMPLATE, UNIXCMD, WINCMD, XSS |
| types | enum[] | Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules. | no | | Header, Parameter, Path, JSON |

DenyRules.spec.request.builtIn.overrides[].settings

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| level | enum | Level specifies the filter strength. | no | | Unfiltered, Basic, Standard, Strict |
| threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled. | no | | Block, LogOnly |

DenyRules.spec.request.builtIn.settings

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| level | enum | Level represents a set of deny rules with different filter strengths. | no | Standard | Unfiltered, Basic, Standard, Strict |
| threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled when a deny rule matches. | no | Block | Block, LogOnly |

DenyRules.spec.request.custom

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| rules | object[] | Rules defines a list of additional deny rules. | no | | |

DenyRules.spec.request.custom.rules[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| blockData | object | BlockData specifies the request data which should cause a block. | yes | | parameter{}, path{}, header{}, json{} |
| requestConditions | object | RequestConditions defines additional request properties which must be matched in order for this rule to apply. | no | | |
| ruleKey | string | RuleKey defines a technical key for the deny rule. Must be unique. | yes | | |
| threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled when a deny rule matches. | no | Block | Block, LogOnly |

DenyRules.spec.request.custom.rules[].blockData

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | object | Header specifies to block requests containing a matching header. Only one of parameter, path, header or json can be set. | no | | |
| json | object | JSON specifies to block requests containing a matching JSON property in the body. Only one of parameter, path, header or json can be set. | no | | |
| parameter | object | Parameter specifies to block requests containing a matching parameter. Only one of parameter, path, header or json can be set. | no | | |
| path | object | Path specifies to block requests with a matching path. Only one of parameter, path, header or json can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.header

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

DenyRules.spec.request.custom.rules[].blockData.header.name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.header.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.header.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.header.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.json

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| key | object | Key defines the key of a JSON object. | no | | |
| value | object | Value defines the value of a JSON object. | no | | |

DenyRules.spec.request.custom.rules[].blockData.json.key

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.json.key.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.json.value

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].blockData.json.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].blockData.parameter

Field Type Description Required Default Allowed Values
name object Name defines the name of a parameter. no
value object Value defines the value of a parameter. no

DenyRules.spec.request.custom.rules[].blockData.parameter.name

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].blockData.parameter.name.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].blockData.parameter.value

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].blockData.parameter.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].blockData.path

Field Type Description Required Default Allowed Values
matcher object Matcher specifies which path to block. yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].blockData.path.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].requestConditions

Field Type Description Required Default Allowed Values
header object Header defines the matching headers of a request. no
invert bool Invert indicates whether the request condition should be inverted. no false true, false
mediaType object MediaType defines the matching media type from the content-type header of a request. no
method enum[] Method defines the matching methods of a request. no GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE
path object Path defines the matching path of a request. no
remoteIP object RemoteIP defines the matching remote IPs of a request. no

DenyRules.spec.request.custom.rules[].requestConditions.header

Field Type Description Required Default Allowed Values
name object Name defines the name of a header. no
value object Value defines the value of a header. no

DenyRules.spec.request.custom.rules[].requestConditions.header.name

Field Type Description Required Default Allowed Values
matcher object Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].requestConditions.header.name.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].requestConditions.header.value

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].requestConditions.header.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].requestConditions.mediaType

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].requestConditions.mediaType.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].requestConditions.path

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].requestConditions.path.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].requestConditions.remoteIP

Field Type Description Required Default Allowed Values
cidrRanges string[] CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. yes
invert bool Invert indicates whether the match should be inverted. no false true, false
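A small local evaluator for the matcher and requestConditions semantics documented in the tables above, added here as an example (it is not Airlock Microgateway code) so a custom rule can be sanity-checked against constructed requests before it is applied. Python's re stands in for RE2; the rule and requests are constructed; and three points are assumptions rather than documented behaviour: a regex must match the whole value, blockData header names are compared ignoring case, and several blockData entries all have to match.

```python
import ipaddress
import re

MATCH_KINDS = ("exact", "prefix", "suffix", "regex", "contains")


def compile_matcher(m, force_ignore_case=False):
    """Matcher object -> predicate str -> bool, enforcing the documented rules (one
    match kind, no empty prefix/suffix/contains). Assumption: regex matches whole value."""
    kinds = [k for k in MATCH_KINDS if k in m]
    if len(kinds) != 1:
        raise ValueError("set exactly one of exact, prefix, suffix, regex or contains")
    kind, pattern = kinds[0], m[kinds[0]]
    if kind in ("prefix", "suffix", "contains") and pattern == "":
        raise ValueError(f"empty {kind} is not allowed, use regex instead")
    ignore_case = force_ignore_case or bool(m.get("ignoreCase", False))
    if kind == "regex":
        # ignoreCase is documented as wrapping the regex in (?i:...); re.IGNORECASE is
        # the equivalent here. As with RE2, '.' does not cross a newline without (?s).
        compiled = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
        return lambda s: compiled.fullmatch(s) is not None
    needle = pattern.lower() if ignore_case else pattern
    ops = {"exact": lambda s: s == needle, "prefix": lambda s: s.startswith(needle),
           "suffix": lambda s: s.endswith(needle), "contains": lambda s: needle in s}
    op = ops[kind]
    return (lambda s: op(s.lower())) if ignore_case else op


def _pair_matches(spec, pairs, name_ignore_case=False):
    """Match a header/parameter object against (name, value) pairs; the optional
    name and value sub-objects each match anything when absent."""
    name_ok = compile_matcher(spec["name"]["matcher"], name_ignore_case) if "name" in spec else (lambda _s: True)
    value_ok = compile_matcher(spec["value"]["matcher"]) if "value" in spec else (lambda _s: True)
    return any(name_ok(n) and value_ok(v) for n, v in pairs)


def request_conditions_match(conds, request):
    """Every condition that is set must hold; 'invert' then flips the result."""
    checks = []
    if "method" in conds:
        checks.append(request["method"] in conds["method"])
    if "path" in conds:
        checks.append(compile_matcher(conds["path"]["matcher"])(request["path"]))
    if "header" in conds:  # header names are always matched ignoring case
        checks.append(_pair_matches(conds["header"], request["headers"], True))
    if "mediaType" in conds:  # content-type without parameters such as charset
        ctype = next((v for n, v in request["headers"] if n.lower() == "content-type"), "")
        checks.append(compile_matcher(conds["mediaType"]["matcher"])(ctype.split(";", 1)[0].strip()))
    if "remoteIP" in conds:
        ip = ipaddress.ip_address(request["remote_ip"])
        hit = any(ip in ipaddress.ip_network(c, strict=False) for c in conds["remoteIP"]["cidrRanges"])
        checks.append(hit != bool(conds["remoteIP"].get("invert", False)))
    return all(checks) != bool(conds.get("invert", False))


def rule_blocks(rule, request):
    """True when requestConditions hold and blockData matches. Assumptions: several
    blockData entries must all match; blockData header names are compared ignoring case."""
    conds = rule.get("requestConditions")
    if conds is not None and not request_conditions_match(conds, request):
        return False
    bd, hits = rule["blockData"], []
    if "header" in bd:
        hits.append(_pair_matches(bd["header"], request["headers"], True))
    if "parameter" in bd:
        hits.append(_pair_matches(bd["parameter"], request["params"]))
    if "path" in bd:
        hits.append(compile_matcher(bd["path"]["matcher"])(request["path"]))
    return bool(hits) and all(hits)


# Constructed rule modelled on the CM_REFERRER_BLOCK example at the top of the
# page, limited to GET/POST under /public/ from clients outside 10.0.0.0/8.
RULE = {
    "ruleKey": "CM_REFERRER_BLOCK",
    "blockData": {"header": {"name": {"matcher": {"exact": "referer"}},
                             "value": {"matcher": {"regex": ".*bad.tv", "ignoreCase": True}}}},
    "requestConditions": {"method": ["GET", "POST"],
                          "path": {"matcher": {"prefix": "/public/"}},
                          "remoteIP": {"cidrRanges": ["10.0.0.0/8"], "invert": True}},
}


def make_request(method, path, headers, remote_ip, params=()):
    """Constructed request; headers and params are lists of (name, value) pairs."""
    return {"method": method, "path": path, "headers": list(headers),
            "remote_ip": remote_ip, "params": list(params)}


if __name__ == "__main__":
    req = make_request("GET", "/public/index", [("Referer", "https://evil.BAD.tv")], "203.0.113.9")
    print(RULE["ruleKey"], "blocks request:", rule_blocks(RULE, req))  # True
```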

Default Deny Rule Keys

Key Name Description
SCANNING Automated Scanning Prevents automated scanning with standard tools by blocking associated headers and parameters which are used to probe an application. Activated on all security levels.
IDOR Insecure Direct Object Reference in Path and Parameter Values Prevents insecure direct object references and file inclusion for HTTP paths and parameter values.
An insecure direct object reference (IDOR) is a publicly exposed identifier that can be used for direct access to internal objects and is not subject to access control.

As an example, we use a well-known type of IDOR exploit, the directory traversal attack. Consider a URL where part of the page content is fetched from a file on the server using the relative path in the 'file' parameter, e.g.
https://some-website.org/show-file-content?file=content.html
In this example, the 'file' parameter is the direct object reference. Unless this parameter is validated or sanitized, an attacker could gain access to files that are not supposed to be accessible via the URL by changing the value of the 'file' parameter. For instance, to retrieve the /etc/passwd file an attacker could move from the directory where the website files are stored to the root directory of the server:
https://some-website.org/show-file-content?file=../../etc/passwd

For paths:
The security levels Basic and Standard prevent directory traversal and injection of certain critical files (e.g. .htaccess).
The security level Strict further prevents injection of file paths with critical suffixes (e.g. .exe).
For parameter values:
The security level Basic prevents directory traversal and injection of certain critical files (e.g. /etc/passwd).
The security level Standard prevents injection of known top level directory paths (e.g. /etc/) and critical protocol schemes (e.g. "php://").
The security level Strict further prevents injection of file paths with critical suffixes (e.g. .exe), any absolute Windows or UNIX directory path, and any protocol scheme or path in universal naming convention (UNC) format.
ENCODING Encoding and Conversion Exploits in Header and Parameter Value Prevents injection of special encoded characters, such as double URL encoded characters in header values.
Prevents the Java MIN_VALUE floating point attack in header and parameter values on all security levels.
HTML HTML Injection in Path, Header and Parameter Value Prevents HTML injection through HTTP paths, header and parameter values.
Similar to a Cross-Site Scripting (XSS) attack, an HTML injection attack injects HTML into a website, which is then loaded and executed by unsuspecting users visiting the compromised site. This way, an attacker can modify the page content and, for example, embed malicious links or try to phish users. HTML injection vulnerabilities occur when unsanitized user input is stored or reflected as part of the web page. This often happens on websites allowing users to upload posts or add comments.
An unquoted context attack occurs when user input is directly interpreted as HTML.
A quoted context attack occurs when user input is put within quotes. In the following example, a user can supply the URL of an image, which is then displayed on the website:
<img src="USER_INPUT">
An attacker can "break out" of the string and perform an HTML injection with the payload
"> <h1>This is a HTML injection</h1
This results in the combined HTML
<img src=""> <h1>This is a HTML injection</h1
and the injection is displayed on the vulnerable website.

The security level Basic does not prevent any HTML injection. The security level Standard prevents injection of well known HTML tags (e.g. <img src="path">) as well as injection of well known HTML attribute names in a single or double quoted attribute value (e.g. ' href="url"). The security level Strict prevents injection of any kind of HTML tags as well as injection of any kind of HTML attribute names in a single or double quoted attribute value.
HPP HTTP Parameter Pollution Prevents HTTP parameter pollution by blocking nested parameters in parameter values on security level Strict.

In an HTTP parameter pollution (HPP) attack, an attacker injects or supplies multiple HTTP parameters with the same name, which may be interpreted by an application in unexpected ways. As the handling of multiple parameters with the same name is not standardized, different technologies usually choose to only consider the first or last parameter value, or concatenate the parameter values in various ways.
Both client-side and server-side HPP attacks exist, and some consequences are application errors, modification of internal state, or the bypassing of input validation and WAF filters. For example, in some cases it is possible to disguise attack payloads in multiple parameter values, thus avoiding detection by a WAF, which are later concatenated by an application, thereby triggering the attack.
EXPLOIT Known Exploits Protects against the exploitation of specific bugs and vulnerabilities by preventing the injection of special payloads not covered by the other Deny Rules.
For instance, prevents attacks targeting the Spring4Shell vulnerability.
LDAP LDAP Injection in Header and Parameter Value Prevents LDAP (Lightweight Directory Access Protocol) query injection in header and parameter values.
In an LDAP injection, an attacker tries to leak or modify sensitive data represented in an LDAP data store. This is possible when an application accesses data using LDAP search filters containing unsanitized user input.

Security level Standard prevents the injection of new logical operations NOT, AND, OR.
The security level Strict further prevents injecting new comparison operations e.g. 'equal to', or 'greater than or equal to'.
NOSQL NoSQL Injection in Header Value and Parameter Name and Value Prevents NoSQL injection in header values and in parameter names and values on security level Standard and Strict.

For a more detailed explanation of query injections, see the SQL description.

As a simplified example of a NoSQL injection, consider an insecure login form where users can input their username and password. The user input is passed to the MongoDB query
db.users.find({username: <USER_INPUT.username>, password: <USER_INPUT.password>})
An attacker can enter the username 'admin' and the password '{$ne: ""}' to construct the query
db.users.find({username: admin, password: {$ne: ""}})
which will return the first document where username is 'admin' and the password is non-empty. This way the attacker can bypass the login and enter the website without knowing the password.

The security levels Standard and Strict prevent the injection of keywords, functions, and operators of common NoSQL databases (e.g. MongoDB). In particular, they prevent injection attempts that are part of JSON objects or PHP arrays.
OGNL Object Graph Navigation Library (OGNL) injection (Apache Struts) Prevents OGNL injection on all security levels.
Similar to other injection attacks, e.g. SQL injection, in an OGNL injection attack, an attacker sends malicious requests containing OGNL expressions to a vulnerable application. If the application uses OGNL to handle unvalidated user input, the OGNL expressions in the request are interpreted, which may result in arbitrary code execution, data theft, or other security concerns.
PHP PHP Injection in Header Value and Parameter Value Prevents PHP code injection in header and parameter values.
Similar to other injection attacks, e.g. SQL injection or UNIX command injection, a PHP code injection attack can occur when unsanitized user input is forwarded to a system that interprets PHP.
In particular, by injecting PHP script tags (e.g. <?php ... ?>) an attacker might be able to execute arbitrary PHP code on the server.
All security levels prevent the injection of standard PHP script tags. Additionally, the security levels Standard and Strict prevent injection of shortened and legacy PHP script tags.
PROTOCOL HTTP Protocol Integrity Prevents HTTP response splitting by blocking injection of an HTML response body or response header.

HTTP response splitting can occur when user input from an HTTP request is returned in the HTTP response without being validated.
As an example, imagine a website that allows users to set a cookie (using the 'set-cookie' parameter), which is returned in the headers of the HTTP response:
https://www.some-website.com/?set-cookie=something
If an attacker can insert carriage return and line feed characters, they are able to insert new headers, write a response body, or create a second malicious HTTP response entirely. Using HTTP response splitting, an attacker may perform cross-site scripting, web cache poisoning, or similar attacks.
SANITY Sanity of Header and Parameter Prevents injection of non-printable and special encoded characters, as well as invalid unicode and formats in header names and values.
SQL SQL Injection (SQLi) in Header and Parameter Value Prevents SQL injection for header and parameter values.
In an SQL injection attack, an attacker tries to execute malicious SQL queries in order to leak or corrupt sensitive data. This is possible when an application forwards unsafe and improperly sanitized user input to a database.
As an example of an SQL injection attack, one can imagine the website of an online shop. Users can input text into a search bar to find items in the inventory. The search bar forwards the user input to its inventory database with the following statement:
SELECT * FROM inventory WHERE item_name = "<user input>";
An attacker could exploit this using the attack payload
"; DROP TABLE inventory; --
which would result in the execution of the following two queries and thus the deletion of the inventory:
SELECT * FROM inventory WHERE item_name = ""; DROP TABLE inventory; --";
When user input is placed inside quotes, like in the example above, we call that a quoted context. Otherwise, we talk about an unquoted context. In general, it is slightly harder to exploit the quoted context, because an attack is interpreted as a simple string, unless the attacker "breaks out" of the quotes.

The security level Basic prevents, in any context, injection of:
- input that tries to terminate a previous statement and adds new SQL statements (e.g. ; DROP TABLE)
- set operations (e.g. UNION SELECT)
- SQL statements obfuscated as C-style comments, which can be interpreted as regular SQL by MySQL and MariaDB
The security level Standard further prevents injection of SQL sub queries and SQL expressions in quoted context (e.g. ' or 1=1--).
The security level Strict further prevents SQLi in unquoted context (e.g. 1 or 1).
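The inventory search described above, rebuilt on SQLite as an added example (not code from the page or from Airlock) to put the quoted and unquoted contexts the rule text describes next to the parameterized form that removes both. SQLite uses single quotes for string literals, so the page's double-quoted payload is adapted; the table contents are constructed.

```python
import sqlite3


def fresh_db():
    """Constructed inventory table with three items (ids 1, 2, 3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (id INTEGER PRIMARY KEY, item_name TEXT)")
    conn.executemany("INSERT INTO inventory (item_name) VALUES (?)",
                     [("lamp",), ("chair",), ("desk",)])
    return conn


def table_exists(conn):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' "
                       "AND name = 'inventory'").fetchone()
    return row is not None


def search_quoted_vulnerable(conn, user_input):
    """Quoted context: the input is pasted inside '...', so a quote in the input
    breaks out and everything after it is parsed as SQL (the Basic-level case)."""
    sql = f"SELECT * FROM inventory WHERE item_name = '{user_input}';"
    # executescript runs every statement in the string, which is what lets the
    # smuggled DROP TABLE take effect; a single execute() would refuse it.
    conn.executescript(sql)


def run_quoted_attack(user_input):
    """Fresh database, vulnerable search, then whether the table survived."""
    conn = fresh_db()
    search_quoted_vulnerable(conn, user_input)
    return table_exists(conn)


def lookup_unquoted_vulnerable(conn, user_input):
    """Unquoted context: the input is interpolated as a bare expression, so no
    breakout is needed (the Strict-level case, e.g. '1 or 1')."""
    rows = conn.execute(f"SELECT id FROM inventory WHERE id = {user_input}").fetchall()
    return [r[0] for r in rows]


def search_safe(conn, user_input):
    """Parameterized query: the input is bound as data and never parsed as SQL,
    so the page's payload simply matches no item name."""
    rows = conn.execute("SELECT item_name FROM inventory WHERE item_name = ?",
                        (user_input,)).fetchall()
    return [r[0] for r in rows]


def lookup_safe(conn, user_input):
    """Unquoted context fixed twice over: validate the type, then bind the value."""
    if not user_input.isdigit():
        raise ValueError("id must be a non-negative integer")
    rows = conn.execute("SELECT id FROM inventory WHERE id = ?",
                        (int(user_input),)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    payload = "'; DROP TABLE inventory; --"  # the page's payload, single-quoted
    print("table survives vulnerable search:", run_quoted_attack(payload))  # False
    db = fresh_db()
    print("safe search:", search_safe(db, payload), "table survives:", table_exists(db))
    print("unquoted '1 or 1' returns ids:", lookup_unquoted_vulnerable(fresh_db(), "1 or 1"))
```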
TEMPLATE Template and Expression Language Injection Prevents template and expression language injections for various client-side and server-side templating engines on security levels Standard and Strict.
UNIXCMD UNIX Command Injection in Header and Parameter Value Prevents UNIX command injections through HTTP header and parameter values.
In an OS command injection attack, the goal of the attacker is to execute arbitrary OS commands on a vulnerable host. This is possible if an application forwards user input to a system shell in an unsafe (unsanitized) manner.
The security level Basic prevents exploitation of the shellshock bug (also known as bashdoor).
There are different flavours of command injection attacks, depending on the context where user input is fed to the shell.
In a quoted context, the user input is placed inside quotes, usually intended as a parameter for another command. For example, an application on a UNIX system might feed user input to the "ls" command, like so:
ls "<some user input>"
This is called a quoted context attack, because the injection string is placed inside a quoted context. Consider the input
"; <some command> #
which, if placed inside the context, becomes
ls ""; <some command> #"
<some command> can now be replaced by any command of the attacker's choice, which will be executed on the system.
The security level Standard prevents injection of (what we consider) critical UNIX commands in quoted context (e.g. ";cat /etc/password #).
In unquoted contexts, the attacker's input is directly interpreted as a command, without the need for a context breakout. The security level Strict additionally blocks a wider range of obfuscated UNIX commands in quoted contexts and prevents command injection in unquoted contexts (e.g. ; cat /etc/password).
WINCMD Windows Command Injection in Header and Parameter Value Prevents Windows command injections through HTTP header and parameter values.
For a more detailed explanation of OS command injection, see UNIXCMD.
Security level Standard provides protection against Windows command injection in a quoted context. The security level Strict extends this protection to unquoted contexts.
XSS Cross-Site Scripting (XSS) in Path, Header and Parameter Value Prevents Cross-Site Scripting attacks for paths, header and parameter values.
In a Cross-Site Scripting (XSS) attack, an attacker injects code (often JavaScript) into a website. This code is then loaded and executed by unsuspecting users visiting the compromised site. An example is that of a web forum where a malicious user creates a post containing carefully designed text. When other users visit the forum, their browsers will interpret the text as JavaScript and execute it. Depending on the injected code, this can lead to session or credential stealing, or delivery of malware to the victim's machine.
There are many forms of XSS attacks, depending on the position of the injection in the context of the original webpage's HTML.
If the code is injected at a location where it is not directly interpreted as a JavaScript statement, the attack must include additional instructions to indicate that the code should be interpreted as JavaScript. Often, this is achieved using <script> tags or HTML event handlers, e.g. "onload". The security level Basic prevents injection of <script> tags and known HTML event handlers.
In a so-called "quoted context attack" an attacker finds a way to inject directly into a context that is already interpreted as JavaScript, and the attack becomes much easier to perform. This can happen if, for example, user input is directly fed into a JavaScript variable:
var f = "<some user input>"
This is called a quoted context attack, because the injection string is placed inside a quoted context. For the attack to be successful, the attacker still needs to perform what is called a "context breakout" to do anything useful. The security level Standard prevents injection of JavaScript code in quoted context.
An unquoted context attack occurs when user input is directly interpreted as plain JavaScript (not inside a variable assignment or similar). This attack is easier to perform and harder to detect than a quoted context attack. The security level Strict prevents injection of JavaScript code in unquoted context.