DenyRules
microgateway.airlock.com/v1alpha1
DenyRules configures request filtering using Airlock built-in and custom deny rules.
Deny rules establish a negative security model: they define prohibited patterns which, when matched in a request, cause the request to be blocked before it reaches the upstream web application.
To handle false positives, lower the security level for the affected rule or define fine-grained deny rule exceptions; setting threatHandlingMode to LogOnly lets you observe what a rule would block before enforcing it.
If no DenyRules resource is defined, default settings are applied, which are designed to work with most upstream web application services.
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: deny-rules-example
spec:
  request:
    builtIn:
      settings:
        # Use the deny rules in security level 'Strict'
        level: Strict
        # Explicitly set the 'threatHandlingMode' to 'Block'
        threatHandlingMode: Block
      overrides:
        # Set the deny rule security level to 'Standard' for
        # the deny rule 'XSS' if it is applied to request parameters.
        - conditions:
            ruleKeys:
              - XSS
            types:
              - Parameter
          settings:
            level: Standard
      exceptions:
        # Define a deny rule exception for the deny rule 'SQL'
        # for the query parameter 'search' on GET requests whose
        # path starts with the prefix '/member/'.
        - blockedData:
            parameter:
              name:
                matcher:
                  exact: search
              source: Query
          requestConditions:
            path:
              matcher:
                prefix: /member/
            method:
              - GET
          ruleKeys:
            - SQL
    custom:
      rules:
        # Define a custom deny rule which blocks requests
        # containing a 'referer' header matching the regex '.*bad.tv'.
        # Note that the unescaped '.' before 'tv' matches any single character.
        - ruleKey: CM_REFERRER_BLOCK
          blockData:
            header:
              name:
                matcher:
                  exact: referer
              value:
                matcher:
                  regex: .*bad.tv
```
The default resource, applied when no DenyRules is defined:

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: default
spec:
  request:
    builtIn:
      settings:
        level: Standard
        threatHandlingMode: Block
    custom: {}
```
DenyRules
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
metadata | ObjectMeta | Refer to the Kubernetes API documentation for the fields of metadata. | yes | | |
spec | object | Specification of the desired deny rules behavior. | no | | |
DenyRules.spec
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
request | object | Request configures deny rules for downstream requests. | no |
DenyRules.spec.request
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
builtIn | object | BuiltIn configures the built-in deny rules. | no | ||
custom | object | Custom allows configuring additional deny rules. | no |
DenyRules.spec.request.builtIn
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
exceptions | object[] | Exceptions allows to define exceptions for specific requests and deny rules. | no | ||
overrides | object[] | Overrides allows to override the builtIn settings for specific deny rules. | no | ||
settings | object | Settings contains the keys which will be adjusted. | no |
DenyRules.spec.request.builtIn.exceptions[]
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
blockedData | object | BlockedData defines an exception based on the request data causing the block. | no | | parameter{}, header{}, path{}, pathSegment{}, json{} |
requestConditions | object | RequestConditions defines an exception based on a property of a request, without taking into consideration the reason why the request has been blocked. | no | | |
ruleKeys | DenyRuleKey[] | RuleKeys restricts the exception to a set of deny rules. | no | | ENCODING, EXPLOIT, HPP, HTML, IDOR, LDAP, NOSQL, OGNL, PHP, PROTOCOL, SANITY, SCANNING, SQL, TEMPLATE, UNIXCMD, WINCMD, XSS |
DenyRules.spec.request.builtIn.exceptions[].blockedData
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
header | object | Header defines an exception based on a blocked header. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
json | object | JSON defines an exception based on a blocked JSON property. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
parameter | object | Parameter defines an exception based on a blocked parameter. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
path | object | Path defines an exception based on the blocked path. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
pathSegment | object | PathSegment defines an exception based on a blocked path segment. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].blockedData.header
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | object | Name defines the name of a header. | no | ||
value | object | Value defines the value of a header. | no |
DenyRules.spec.request.builtIn.exceptions[].blockedData.header.name
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.builtIn.exceptions[].blockedData.header.name.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].blockedData.header.value
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
DenyRules.spec.request.builtIn.exceptions[].blockedData.header.value.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
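The matcher semantics described in the tables above (exactly one of exact, prefix, suffix, regex or contains; the header-name variant that always ignores case and has no ignoreCase field; ignoreCase wrapping a regex in (?i:...); RE2's single-line default and the (?s) escape) as an added Python example. This is not Airlock's own code. It assumes that Python's re module behaves like RE2 for the constructs used, and that a regex matcher must match the whole string, as Envoy-style RE2 matching does. The functions matcher_errors, compile_matcher and header_rule_matches and the inline REFERRER_BLOCK object are constructed for this illustration; the latter mirrors the blockData of the page's CM_REFERRER_BLOCK rule.

```python
import re

# Added example, not Airlock's own code: evaluates the StringMatcher objects
# described in this reference against concrete strings. Assumptions:
# - Python's `re` stands in for RE2; the constructs used here ((?i:...), (?s)
#   and '.' not matching a newline) behave the same in both engines.
# - A regex matcher must match the whole string (RE2 full match), so the
#   page's '.*bad.tv' does not match 'https://bad.tv/promo'.

MATCH_KINDS = ("exact", "prefix", "suffix", "regex", "contains")


def matcher_errors(matcher, header_name=False):
    """List the ways a matcher object violates the documented constraints.

    header_name=True models the header-name variant: always case-insensitive
    and without an ignoreCase field.
    """
    errors = []
    kinds = [k for k in MATCH_KINDS if k in matcher]
    if len(kinds) != 1:
        errors.append(f"exactly one of {MATCH_KINDS} must be set, got {kinds}")
    for kind in kinds:
        if kind != "exact" and matcher[kind] == "":
            errors.append(f"empty {kind} is not allowed, use regex instead")
    if header_name and "ignoreCase" in matcher:
        errors.append("header name matchers have no ignoreCase field")
    return errors


def compile_matcher(matcher, header_name=False):
    """Return a predicate str -> bool for one valid matcher object."""
    errors = matcher_errors(matcher, header_name)
    if errors:
        raise ValueError("; ".join(errors))
    kind = next(k for k in MATCH_KINDS if k in matcher)
    pattern = matcher[kind]
    ignore_case = header_name or bool(matcher.get("ignoreCase", False))

    if kind == "regex":
        # ignoreCase wraps the regex in (?i:...), as the reference states;
        # '.' stays single-line unless the user prepends (?s) themselves.
        compiled = re.compile(f"(?i:{pattern})" if ignore_case else pattern)
        return lambda s: compiled.fullmatch(s) is not None

    norm = str.lower if ignore_case else str
    needle = norm(pattern)
    return {
        "exact": lambda s: norm(s) == needle,
        "prefix": lambda s: norm(s).startswith(needle),
        "suffix": lambda s: norm(s).endswith(needle),
        "contains": lambda s: needle in norm(s),
    }[kind]


def header_rule_matches(block_header, headers):
    """True if some request header satisfies both the name and value matchers.

    block_header is the header{} object of a custom rule's blockData or of an
    exception's blockedData; headers is a dict of raw request headers.
    """
    name_ok = (compile_matcher(block_header["name"]["matcher"], header_name=True)
               if "name" in block_header else lambda _: True)
    value_ok = (compile_matcher(block_header["value"]["matcher"])
                if "value" in block_header else lambda _: True)
    return any(name_ok(n) and value_ok(v) for n, v in headers.items())


# Constructed inline: the blockData of the page's CM_REFERRER_BLOCK rule.
REFERRER_BLOCK = {
    "name": {"matcher": {"exact": "referer"}},
    "value": {"matcher": {"regex": ".*bad.tv"}},
}

if __name__ == "__main__":
    for referer in ("https://bad.tv", "https://bad.tv/promo", "https://badXtv"):
        print(referer, header_rule_matches(REFERRER_BLOCK, {"Referer": referer}))
```

Two things the run makes visible: the header name 'Referer' matches the lowercase 'referer' matcher because header names are compared case-insensitively, and 'https://badXtv' is blocked while 'https://bad.tv/promo' is not, because the page's '.*bad.tv' leaves the dot unescaped and is anchored to the whole value. A tighter custom rule would use a pattern such as '.*bad\.tv.*'.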
DenyRules.spec.request.builtIn.exceptions[].blockedData.json
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
jsonPath | string | JSONPath defines the JSONPath pattern to match the path within the JSON. Expressions in JSONPath, i.e. ?(expr), are not supported. | no | | |
key | object | Key defines the key of the JSON property. At most one of key and value can be set. | no | | |
value | object | Value defines the value of the JSON property. At most one of key and value can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].blockedData.json.key
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
DenyRules.spec.request.builtIn.exceptions[].blockedData.json.key.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].blockedData.json.value
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
DenyRules.spec.request.builtIn.exceptions[].blockedData.json.value.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | object | Name defines the name of a parameter. | no | | |
source | enum | Source defines the source of the parameter. | no | Any | Query, Post, Any |
value | object | Value defines the value of a parameter. | no | | |
DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.name
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.name.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.value
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.value.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].blockedData.path
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
DenyRules.spec.request.builtIn.exceptions[].blockedData.path.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].blockedData.pathSegment
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
segments | object | Segments defines the position of a segment within the path. | no | | index{} |
value | object | Value defines the value of a path segment. | no | | |
DenyRules.spec.request.builtIn.exceptions[].blockedData.pathSegment.segments
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
index | int | Index specifies an exact path segment position by index (0-based). | no | | [0, 9223372036854775807] |
DenyRules.spec.request.builtIn.exceptions[].blockedData.pathSegment.value
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
DenyRules.spec.request.builtIn.exceptions[].blockedData.pathSegment.value.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].requestConditions
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
header | object | Header defines the matching headers of a request. | no | | |
invert | bool | Invert indicates whether the request condition should be inverted. | no | false | true, false |
mediaType | object | MediaType defines the matching media type from the content-type header of a request. | no | | |
method | enum[] | Method defines the matching methods of a request. | no | | GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE |
path | object | Path defines the matching path of a request. | no | | |
remoteIP | object | RemoteIP defines the matching remote IPs of a request. | no | | |
DenyRules.spec.request.builtIn.exceptions[].requestConditions.header
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | object | Name defines the name of a header. | no | ||
value | object | Value defines the value of a header. | no |
DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.name
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.name.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.value
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.value.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].requestConditions.mediaType
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. The media type is matched ignoring case and without an ignoreCase field. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
DenyRules.spec.request.builtIn.exceptions[].requestConditions.mediaType.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].requestConditions.path
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
DenyRules.spec.request.builtIn.exceptions[].requestConditions.path.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.builtIn.exceptions[].requestConditions.remoteIP
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
cidrRanges | string[] | CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. | yes | | |
invert | bool | Invert indicates whether the match should be inverted. | no | false | true, false |
DenyRules.spec.request.builtIn.overrides[]
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
conditions | object | Conditions select which built-in deny rules’ settings will be adjusted. | no | ||
settings | object | Settings override the corresponding properties for the selected rules. | no |
DenyRules.spec.request.builtIn.overrides[].conditions
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
ruleKeys | DenyRuleKey[] | RuleKeys is a list of built-in deny rule names. | no | | ENCODING, EXPLOIT, HPP, HTML, IDOR, LDAP, NOSQL, OGNL, PHP, PROTOCOL, SANITY, SCANNING, SQL, TEMPLATE, UNIXCMD, WINCMD, XSS |
types | enum[] | Types defines the type of attributes the override should be applied on. If types are defined without any ruleKeys, the override is applied to all deny rules. | no | | Header, Parameter, Path, PathSegment, JSON |
DenyRules.spec.request.builtIn.overrides[].settings
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
level | enum | Level specifies the filter strength. | no | | Unfiltered, Basic, Standard, Strict |
threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled. | no | | Block, LogOnly |
DenyRules.spec.request.builtIn.settings
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
level | enum | Level represents a set of deny rules with different filter strengths. | no | Standard | Unfiltered, Basic, Standard, Strict |
threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled when a deny rule matches. | no | Block | Block, LogOnly |
DenyRules.spec.request.custom
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
rules | object[] | Rules defines list of additional deny rules. | no |
DenyRules.spec.request.custom.rules[]
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
blockData | object | BlockData specifies the request data which should cause a block. | yes | | parameter{}, header{}, path{}, pathSegment{}, json{} |
requestConditions | object | RequestConditions defines additional request properties which must be matched in order for this rule to apply. | no | | |
ruleKey | string | RuleKey defines a technical key for the deny rule. Must be unique. | yes | | |
threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled when a deny rule matches. | no | Block | Block, LogOnly |
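The override and settings tables above say how a rule's level and threatHandlingMode are selected, and the custom rules table adds the enum, one-of and uniqueness constraints. The following added Python example (not Airlock's own code) resolves the effective settings for every (ruleKey, type) pair from settings plus overrides, and lints a DenyRules spec against those constraints before it is applied. Two assumptions are made explicit in the comments: overrides apply in list order with later entries winning for the same field, and an override that lists ruleKeys but no types applies to every type (the page states only the converse). The functions effective_settings and spec_errors and the EXAMPLE_SPEC object, which mirrors the page's example plus a LogOnly override on JSON bodies, are constructed for this illustration.

```python
# Added example, not Airlock's own code: resolves the effective built-in deny
# rule settings from spec.request.builtIn.settings plus overrides, and lints
# the enum, one-of and uniqueness constraints this reference states.
# Assumptions: overrides apply in list order with later entries winning for
# the same field, and an override with ruleKeys but no types applies to every
# type (the page states only the converse: types without ruleKeys apply to
# all deny rules).

RULE_KEYS = ("ENCODING", "EXPLOIT", "HPP", "HTML", "IDOR", "LDAP", "NOSQL",
             "OGNL", "PHP", "PROTOCOL", "SANITY", "SCANNING", "SQL",
             "TEMPLATE", "UNIXCMD", "WINCMD", "XSS")
TYPES = ("Header", "Parameter", "Path", "PathSegment", "JSON")
LEVELS = ("Unfiltered", "Basic", "Standard", "Strict")
MODES = ("Block", "LogOnly")
DEFAULTS = {"level": "Standard", "threatHandlingMode": "Block"}
BLOCK_DATA_KINDS = ("parameter", "header", "path", "pathSegment", "json")


def effective_settings(built_in):
    """Map every (ruleKey, type) pair to its level and threatHandlingMode."""
    base = {**DEFAULTS, **built_in.get("settings", {})}
    table = {(r, t): dict(base) for r in RULE_KEYS for t in TYPES}
    for override in built_in.get("overrides", []):
        cond = override.get("conditions", {})
        # A missing or empty selector selects everything (assumed for ruleKeys).
        for r in cond.get("ruleKeys") or RULE_KEYS:
            for t in cond.get("types") or TYPES:
                table[(r, t)].update(override.get("settings", {}))
    return table


def spec_errors(spec):
    """Return the constraint violations found in a DenyRules spec."""
    errors = []

    def check_enum(where, value, allowed):
        if value is not None and value not in allowed:
            errors.append(f"{where}: {value!r} is not one of {allowed}")

    def check_one_of(where, data, required):
        kinds = [k for k in BLOCK_DATA_KINDS if k in data]
        if len(kinds) > 1 or (required and not kinds):
            errors.append(f"{where}: exactly one of {BLOCK_DATA_KINDS} expected, got {kinds}")

    request = spec.get("request", {})
    built_in = request.get("builtIn", {})
    settings = built_in.get("settings", {})
    check_enum("settings.level", settings.get("level"), LEVELS)
    check_enum("settings.threatHandlingMode", settings.get("threatHandlingMode"), MODES)

    for i, ov in enumerate(built_in.get("overrides", [])):
        cond, ov_settings = ov.get("conditions", {}), ov.get("settings", {})
        for key in cond.get("ruleKeys", []):
            check_enum(f"overrides[{i}].conditions.ruleKeys", key, RULE_KEYS)
        for typ in cond.get("types", []):
            check_enum(f"overrides[{i}].conditions.types", typ, TYPES)
        check_enum(f"overrides[{i}].settings.level", ov_settings.get("level"), LEVELS)
        check_enum(f"overrides[{i}].settings.threatHandlingMode",
                   ov_settings.get("threatHandlingMode"), MODES)

    for i, ex in enumerate(built_in.get("exceptions", [])):
        for key in ex.get("ruleKeys", []):
            check_enum(f"exceptions[{i}].ruleKeys", key, RULE_KEYS)
        check_one_of(f"exceptions[{i}].blockedData", ex.get("blockedData", {}), required=False)

    seen = set()
    for i, rule in enumerate(request.get("custom", {}).get("rules", [])):
        key = rule.get("ruleKey")
        if not key:
            errors.append(f"custom.rules[{i}]: ruleKey is required")
        elif key in seen:
            errors.append(f"custom.rules[{i}]: duplicate ruleKey {key!r}")
        seen.add(key)
        check_one_of(f"custom.rules[{i}].blockData", rule.get("blockData", {}), required=True)
        check_enum(f"custom.rules[{i}].threatHandlingMode", rule.get("threatHandlingMode"), MODES)
    return errors


# Constructed spec mirroring the page's example, plus a LogOnly override on
# JSON bodies, a typical first step before enforcing a Strict level there.
EXAMPLE_SPEC = {
    "request": {
        "builtIn": {
            "settings": {"level": "Strict", "threatHandlingMode": "Block"},
            "overrides": [
                {"conditions": {"ruleKeys": ["XSS"], "types": ["Parameter"]},
                 "settings": {"level": "Standard"}},
                {"conditions": {"types": ["JSON"]},
                 "settings": {"threatHandlingMode": "LogOnly"}},
            ],
            "exceptions": [
                {"blockedData": {"parameter": {"name": {"matcher": {"exact": "search"}},
                                               "source": "Query"}},
                 "requestConditions": {"path": {"matcher": {"prefix": "/member/"}},
                                       "method": ["GET"]},
                 "ruleKeys": ["SQL"]},
            ],
        },
        "custom": {"rules": [
            {"ruleKey": "CM_REFERRER_BLOCK",
             "blockData": {"header": {"name": {"matcher": {"exact": "referer"}},
                                      "value": {"matcher": {"regex": ".*bad.tv"}}}}},
        ]},
    }
}

if __name__ == "__main__":
    print(spec_errors(EXAMPLE_SPEC))
    print(effective_settings(EXAMPLE_SPEC["request"]["builtIn"])[("XSS", "Parameter")])
```

Running spec_errors over a manifest in CI catches the mistakes the API server would reject only at apply time (a misspelled rule key, two blockData kinds in one custom rule, a duplicated ruleKey), and effective_settings answers the question reviewers actually ask of an override list: which rules, on which request attributes, end up in LogOnly or at a lowered level.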
DenyRules.spec.request.custom.rules[].blockData
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
header | object | Header specifies to block requests containing a matching header. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
json | object | JSON specifies to block requests containing a matching JSON property in the body. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
parameter | object | Parameter specifies to block requests containing a matching parameter. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
path | object | Path specifies to block requests with a matching path. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
pathSegment | object | PathSegment specifies to block requests containing a matching path segment. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
DenyRules.spec.request.custom.rules[].blockData.header
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | object | Name defines the name of a header. | no | ||
value | object | Value defines the value of a header. | no |
DenyRules.spec.request.custom.rules[].blockData.header.name
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].blockData.header.name.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].blockData.header.value
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].blockData.header.value.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...) . | no | false | true , false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].blockData.json
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
key | object | Key defines the key of a JSON object. | no | ||
value | object | Value defines the value of a JSON object. | no |
DenyRules.spec.request.custom.rules[].blockData.json.key
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].blockData.json.key.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...) . | no | false | true , false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].blockData.json.value
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].blockData.json.value.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...) . | no | false | true , false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].blockData.parameter
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | object | Name defines the name of a parameter. | no | ||
value | object | Value defines the value of a parameter. | no |
DenyRules.spec.request.custom.rules[].blockData.parameter.name
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].blockData.parameter.name.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...) . | no | false | true , false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].blockData.parameter.value
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].blockData.parameter.value.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...) . | no | false | true , false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].blockData.path
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher specifies which path to block. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].blockData.path.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...) . | no | false | true , false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].blockData.pathSegment
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
segments | object | Segments restricts which path segments are filtered by this rule. If not specified, all segments of a path are filtered. | no | | index{} |
value | object | Value specifies which path segment values to block. | yes | | |
DenyRules.spec.request.custom.rules[].blockData.pathSegment.segments
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
index | int | Index restricts the rule to the path segment at this index (0-based). | no | | [0, 9223372036854775807] |
DenyRules.spec.request.custom.rules[].blockData.pathSegment.value
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].blockData.pathSegment.value.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...) . | no | false | true , false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
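The following manifest is an added example written for this page; it is not taken from Airlock's documentation or code. It puts the blockData variants documented above side by side. The metadata name, the CM_* rule keys and the matched values are assumptions. It shows two things the tables alone do not. First, the referer rule from the page's own example, regex: .*bad.tv, is looser than it looks: in a regex the unescaped dot matches any character, so bad-tv and badxtv are blocked as well, while Bad.TV is not blocked at all; a literal contains with ignoreCase says exactly what is meant for a hostname blocklist. Second, JSON values may contain line breaks, so a regex built on .* needs the (?s) prefix. Whether a regex has to cover the whole value or may match a substring is not stated on this page, so the regex rule keeps a leading and a trailing .*, which works under either reading.

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: blockdata-examples   # assumed name
spec:
  request:
    custom:
      rules:
        # Loose variant of the page's referer example: in a regex the dot is a
        # wildcard, so 'bad.tv' also matches 'bad-tv' and 'badxtv', and without
        # ignoreCase a 'Referer: https://Bad.TV/' is not matched at all.
        - ruleKey: CM_REFERER_BLOCK_LOOSE
          blockData:
            header:
              name:
                matcher:
                  exact: referer
              value:
                matcher:
                  regex: .*bad.tv

        # Tightened variant: a literal, case-insensitive substring match. It
        # still covers subdomains such as 'cdn.bad.tv', which is what a
        # hostname blocklist wants, and contains no regex metacharacters.
        - ruleKey: CM_REFERER_BLOCK
          blockData:
            header:
              name:
                matcher:
                  exact: referer
              value:
                matcher:
                  contains: bad.tv
                  ignoreCase: true

        # Block JSON bodies carrying a property named 'role' with the value
        # 'admin' (a mass-assignment style privilege escalation attempt).
        # Key and value are matched separately; both ignore case here.
        - ruleKey: CM_JSON_ROLE_ADMIN
          blockData:
            json:
              key:
                matcher:
                  exact: role
                  ignoreCase: true
              value:
                matcher:
                  exact: admin
                  ignoreCase: true

        # Block any JSON value that contains a script tag or a javascript: URL.
        # The (?s) prefix lets '.' match newlines; without it a value such as
        # "text\n<script>" would not be matched by '.*<script'. ignoreCase
        # wraps the expression as (?i:...), so '<SCRIPT' is caught too.
        - ruleKey: CM_JSON_SCRIPT
          blockData:
            json:
              value:
                matcher:
                  regex: '(?s).*(<script|javascript:).*'
                  ignoreCase: true

        # Block requests whose first path segment (index 0) is '.git', i.e.
        # /.git/config, /.git/HEAD and similar repository-disclosure probes.
        # Without 'segments', the value matcher is applied to every segment.
        - ruleKey: CM_PATH_GIT_DIR
          blockData:
            pathSegment:
              segments:
                index: 0
              value:
                matcher:
                  exact: .git
```

The regex is single-quoted only for readability; YAML would accept it as a plain scalar as well. Before enabling rules like these in Block mode, check the matched values against a sample of real traffic, since a contains or unanchored regex also fires on benign values that happen to include the pattern.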
DenyRules.spec.request.custom.rules[].requestConditions
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
header | object | Header defines the matching headers of a request. | no | | |
invert | bool | Invert indicates whether the request condition as a whole should be inverted, i.e. the rule applies when the conditions do not match. | no | false | true , false |
mediaType | object | MediaType defines the matching media type from the content-type header of a request. | no | | |
method | enum[] | Method defines the matching methods of a request. | no | | GET , HEAD , POST , PUT , PATCH , DELETE , CONNECT , OPTIONS , TRACE |
path | object | Path defines the matching path of a request. | no | | |
remoteIP | object | RemoteIP defines the matching remote IPs of a request. | no | | |
DenyRules.spec.request.custom.rules[].requestConditions.header
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | object | Name defines the name of a header. | no | ||
value | object | Value defines the value of a header. | no |
DenyRules.spec.request.custom.rules[].requestConditions.header.name
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].requestConditions.header.name.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].requestConditions.header.value
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].requestConditions.header.value.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...) . | no | false | true , false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].requestConditions.mediaType
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].requestConditions.mediaType.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].requestConditions.path
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. | yes | | exact{} , prefix{} , suffix{} , regex{} , contains{} |
DenyRules.spec.request.custom.rules[].requestConditions.path.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains value is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...) . | no | false | true , false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. By default . does not match a newline, so even “.*” stops at a line break; to match across lines, prepend (?s) to the regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
DenyRules.spec.request.custom.rules[].requestConditions.remoteIP
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
cidrRanges | string[] | CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28 . | yes | | |
invert | bool | Invert indicates whether the match should be inverted, i.e. the condition matches remote IPs outside the listed ranges. | no | false | true , false |
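Added example for requestConditions and threatHandlingMode, written for this page and not taken from Airlock's documentation or code. The name, rule keys, paths and CIDR ranges are assumptions. It shows two things the tables above leave implicit: remoteIP.invert turns the CIDR list into an allowlist (the condition holds for every address outside the listed ranges, which is how a rule is scoped to external callers), whereas invert at the requestConditions level negates the combined condition; and a new rule is best introduced with threatHandlingMode: LogOnly, so that matches are logged but not blocked until the false-positive rate is known.

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: request-conditions-example   # assumed name
spec:
  request:
    custom:
      rules:
        # Block a 'cmd' parameter on the admin API unless the request comes
        # from the management networks. remoteIP.invert: true makes the
        # condition hold for every address that is NOT in cidrRanges, so the
        # rule applies to external callers only and leaves internal tooling alone.
        - ruleKey: CM_ADMIN_CMD_EXTERNAL
          blockData:
            parameter:
              name:
                matcher:
                  exact: cmd
                  ignoreCase: true
          requestConditions:
            path:
              matcher:
                prefix: /admin/api/
            method:
              - POST
              - PUT
            remoteIP:
              cidrRanges:
                - 10.20.0.0/16        # assumed management network (IPv4)
                - 2001:db8:20::/48    # assumed management network (IPv6)
              invert: true

        # Staged rollout: a new rule against prototype-pollution keys in JSON
        # bodies starts in LogOnly. Matches are reported in the logs but the
        # request is still forwarded; once the log shows no false positives,
        # the mode is switched to Block (the default). The mediaType condition
        # keeps the rule from inspecting form or multipart bodies.
        - ruleKey: CM_JSON_PROTO_POLLUTION
          threatHandlingMode: LogOnly
          blockData:
            json:
              key:
                matcher:
                  exact: __proto__
          requestConditions:
            mediaType:
              matcher:
                exact: application/json
            method:
              - POST
              - PUT
              - PATCH
```

Which address counts as the remote IP when the gateway sits behind a load balancer or ingress is not covered on this page. If the peer address seen by the gateway is the load balancer's, a remoteIP condition built on client ranges will not do what is intended, so verify the deployment's client-IP handling before relying on such a rule.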
Default Deny Rule Keys
Key | Name | Description |
---|---|---|
ENCODING |
Encoding and Conversion Exploits in Header and Parameter Value | Prevents injection of special encoded characters, such as double URL encoded characters in header values. Prevents the Java MIN_VALUE floating point attack in header and parameter values on all security levels. |
EXPLOIT |
Known Exploits | Protects against the exploitation of specific (e.g.,framework specific) bugs and vulnerabilities by preventing the injection of special payloads not covered by the other Deny Rules. For instance, prevents attacks targeting the Spring4Shell vulnerability. |
HPP |
HTTP Parameter Pollution | Prevents HTTP parameter pollution by blocking nested parameters in parameter values on security level Strict. In an HTTP parameter pollution (HPP) attack, an attacker injects or supplies HTTP parameters in a way that “confuses” the recipient and which may be interpreted by an application in unexpected ways. This rule prevents nesting parameters using percent-encoding like in the example below where the query parameter some-param some-param=some-value%26nested-param%3Dnested-value can be decoded to some-param=some-value&nested-param=nested-value and some technologies might accept the disguised nested parameter. Both client-side and server-side HPP attacks exist and some consequences are application errors, modification of internal state, or the bypassing of input validations and WAF filters. In some cases attackers try to disguise attack payloads in multiple parameter values, in order to avoid detection by a WAF. The application might concatenate the parts again, thereby triggering the attack. |
HTML |
HTML Injection in Path, Header and Parameter Value | Prevents HTML injection through HTTP paths, header and parameter values. Similar to a Cross-Site Scripting (XSS) attack, a HTML injection attack injects HTML into a website, which is then loaded and executed by unsuspecting users visiting the compromised site. This way, an attacker can modify the page content and for example embed malicious links or try to phish users. HTML injection vulnerabilities occur when unsanitized user input is stored or reflected as part of the web page. This often happens on websites allowing users to upload posts or add comments. An unquoted context attack occurs when user input is directly interpreted as HTML. A quoted context attack occurs when user input is put within quotes. In the following example, a user can supply the url to an image, which is then displayed on the website: <img src="USER_INPUT"> An attacker can “break out” of the string and perform a HTML injection with the payload "> <h1>This is a HTML injection</h1 This results in the combined HTML <img src=""> <h1>This is a HTML injection</h1 and the injection is displayed on the vulnerable website. The security level Basic does not prevent any HTML injection. The security level Standard prevents injection of well-known HTML tags (e.g., <img src="path"> ) as well as injection of well-known HTML attribute names in a single or double quoted attribute value (e.g.,' href="url" ). The security level Strict prevents injection of any kind of HTML tags as well as injection of any kind of HTML attribute names in a single or double quoted attribute value. |
IDOR |
Insecure Direct Object Reference in Path and Parameter Values | Prevents insecure direct object references and file inclusion for HTTP paths and parameter values. An insecure direct object reference (IDOR) is a publicly exposed identifier that can be used to directly access to internal objects and is not subject to access control. As an example, we use a well-known type of an IDOR exploit, the directory traversal attack. Consider a url where part of the page content is fetched from a file on the server using the relative path in the ‘file’ parameter, e.g. https://some-website.org/show-file-content?file=content.html In this example, the ‘file’ parameter is the direct object reference. Unless this parameter is validated or sanitized, an attacker could gain access to files, that are not supposed to be accessible via the url, by changing the value of the ‘file’ parameter. For instance to retrieve the /etc/passwd file an attacker could move from the directory where the website files are stored to the root directory of the server: https://some-website.org/show-file-content?file=../../etc/passwd For paths: The security level Basic and Standard prevents directory traversal and injection of certain critical files (e.g.,.htaccess). The security level Strict further prevents injection of file paths with critical suffixes (e.g.,.exe). For parameter values: The security level Basic prevents directory traversal and injection of certain critical files (e.g.,/etc/passwd). The security level Standard prevents injection of known top-level directory paths (e.g.,/etc/) and critical protocol schemes (e.g.,“php://”). The security level Strict further prevents injection of file paths with critical suffixes (e.g.,.exe) any absolute Windows and UNIX directory path, any protocol scheme or path in universal naming convention format. |
LDAP |
LDAP Injection in Header and Parameter Value | Prevents LDAP(Lightweight Directory Access Protocol) query injection in header and parameter values. In an LDAP injection an attacker tries to leak or modify sensitive data represented in a LDAP data store. This is possible when an application accesses data using LDAP search filters containing unsanitized user input. Security level Standard prevents the injection of new logical operations NOT, AND, OR. The security level Strict further prevents injecting new comparison operations e.g.,’equal to’, or ‘greater than or equal to’. |
NOSQL |
NoSQL Injection in Header Value and Parameter Name and Value | Prevents NoSQL injection in header values, parameter names and values on security level Standard and Strict. For a more detailed explanation of query injections, see the SQL description. As a simplified example of a NOSQL injection, consider an unsecure login form where users can input their username and password. The user input is passed to the MongoDB query db.users.find({username: <USER_INPUT.username>, password: <USER_INPUT.password>}) An attacker can enter the username admin and the password {$ne: ""} to construct the query db.users.find({username: admin, password: {$ne: ""}}) which will return the first document where username is admin and the password is non-empty. This way the attacker can bypass the login and enter the website without knowing the password. The security levels Standard and Strict prevent the injection of keywords, functions, and operators of common NoSQL databases (e.g.,MongoDB). In particular, they prevent injection attempts that are part of JSON objects or PHP arrays,. |
OGNL |
Object Graph Navigation Library (OGNL) injection (Apache Struts) | Prevents OGNL injection on all security levels. Similar to other injection attacks, e.g.,SQL injection, in an OGNL injection attack, an attacker sends malicious requests containing OGNL expressions to a vulnerable application. If the application uses OGNL to handle unvalidated user input, the OGNL expressions in the request are interpreted, which may result in arbitrary code execution, data theft, or other security concerns. |
PHP |
PHP Injection in Header Value and Parameter Value | Prevents PHP code injection in header and parameter values. Similar to other injection attacks, e.g.,SQL injection or UNIX command injection, a PHP code injection attack can occur when unsanitized user input is forwarded to a system that interprets PHP. In particular, by injecting PHP script tags (e.g., <?php ... ?> ) an attacker might be able to execute arbitrary PHP code on the server. All security levels prevent the injection of standard PHP script tags. Additionally, security level Standard and Strict prevent injection of shortened and legacy PHP script tags. |
PROTOCOL |
HTTP Protocol Integrity | Prevents HTTP response splitting by blocking injection of an HTML response body or response header. HTTP response splitting can occur when user input from an HTTP request is returned in the HTTP response without being validated. As an example, imagine a website that allows users to set a cookie (using the set-cookie parameter), which is returned in the headers of the HTTP response: https://www.some-website.com/?set-cookie=something If an attacker can insert carriage return and line feed characters, they are able insert new headers, write a response body, or create a second malicious HTTP response entirely. Using HTTP response splitting an attacker may perform cross-site scripting, web cache poisoning, or similar attacks. |
SANITY |
Sanity of Header and Parameter | Prevents injection of non-printable and special encoded characters, as well as invalid unicode and formats in header names and values. |
SCANNING |
Automated Scanning | Prevents automated scanning with standard tools by blocking associated headers and parameters which are used to probe an application. Activated on all security levels. |
SQL |
SQL Injection (SQLi) in Header and Parameter Value | Prevents SQL injection for header and parameter values. In an SQL injection attack, an attacker tries to execute malicious SQL queries in order to leak or corrupt sensitive data. This is possible when an application forwards unsafe and improperly sanitized user input to a database. As an example of a SQL injection attack one can imagine an online shop’s website. Users can input text into a search bar to find items in the inventory. The search bar forwards the user input to its inventory database with the following statement: SELECT * FROM inventory WHERE item_name = "<user input>"; An attacker could exploit this using the attack payload "; DROP TABLE inventory; -- which would result in the execution of the following two queries and thus the deletion of the inventory: SELECT * FROM inventory WHERE item_name = ""; DROP TABLE inventory; --"; When user input is placed inside quotes like in the example above, we call that a quoted context. Otherwise, we talk about an unquoted context. In general, it is slightly harder to exploit the quoted context because an attack is interpreted as a simple string unless the attacker “breaks out” of the quotes. The security level Basic prevents injection of - input that tries to terminate a previous statement and adds new SQL statements (e.g., ; DROP TABLE ) - set operations (e.g., UNION SELECT ) - SQL statements obfuscated as C-style comments which can be interpreted as regular SQL by MySQL and MariaDB in any context. The security level Standard further prevents injection of SQL sub queries and SQL expressions in quoted context (e.g., ' or 1=1-- ). The security level Strict further prevents SQLi in unquoted context (e.g., 1 or 1 ). |
TEMPLATE |
Template and Expression Language Injection | Prevents template and expression language injections for various client-side and server-side templating engines on security levels Standard and Strict. Template injection is similar to other injection attacks. Template injection vulnerabilities can occur when unsanitized user input is evaluated as part of a template expression. As a simple example, consider a website that greets the user with the username parameter provided in a request: <h1>Hello <?php echo $_GET['username']; ?></h1> An attacker can provide a payload that uses special characters (e.g., {{...}} , ${...} , #{...} , and similar) so that a malicious expression is evaluated by the template engine and an attack is triggered. The security levels Standard and Strict prevent template injection attacks in both client-side frameworks (e.g., Angular, React, Meteor, etc.) and server-side frameworks (e.g., Apache Velocity, Java EL, ASP.NET Razor, etc.) by recognizing a variety of special characters used in templates of common frameworks. |
UNIXCMD |
UNIX Command Injection in Header and Parameter Value | Prevents UNIX command injections through HTTP header and parameter values. In an OS command injection attack, the attacker aims to execute arbitrary OS commands on vulnerable hosts. This is possible if an application forwards user input to a system shell in an unsafe (unsanitized) manner. There are different flavors of command injection attacks, depending on the context in which user input is fed to the shell. In a quoted context, the user input is placed inside quotes, usually intended as a parameter for another command. For example, an application on a UNIX system might feed user input to the ls command, like so: ls "<some user input>" This is called a quoted context attack, because the injection string is placed inside a quoted context. Consider the input "; <some command> # which, if placed inside the context, becomes ls ""; <some command> #" <some command> can now be replaced by any command of the attacker's choice, and it will be executed on the system. In unquoted contexts, the attacker's input is directly interpreted as a command, without the need for a context breakout. The security level Basic prevents exploitation of the Shellshock bug (also known as Bashdoor). The security level Standard prevents injection of (what we consider) critical UNIX commands in quoted context (e.g., ";cat /etc/password # ). Security level Strict additionally blocks a wider range of obfuscated UNIX commands in quoted contexts and prevents command injection in unquoted context (e.g., ; cat /etc/password ). |
WINCMD |
Windows Command Injection in Header and Parameter Value | Prevents Windows command injections through HTTP header and parameter values. For a more detailed explanation of OS command injection, see UNIXCMD. Security level Standard provides protection against Windows command injection in a quoted context. The security level Strict extends this protection to unquoted contexts. |
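The quoted-context breakout described under UNIXCMD (and referenced by WINCMD) shown at the point where it happens, the shell's word splitting, as an added example that is not part of the Airlock documentation or product. The payload is constructed here from the page's own pattern ("; <some command> # with the page's cat /etc/password), and Python's shlex module is used as an approximation of POSIX shell tokenization; nothing is executed. The vulnerable string form is shown beside the two hardened forms an application should use: shlex.quote for a string that must reach a shell, or better, an argv list passed to subprocess with no shell at all.

```python
import shlex

# Constructed payload built on the page's quoted-context pattern: input destined for ls "<some user input>".
PAYLOAD = '"; cat /etc/password #'


def build_shell_command(user_input):
    """Vulnerable: input pasted into a command string that will be handed to a shell."""
    return f'ls "{user_input}"'


def build_shell_command_quoted(user_input):
    """Hardened string form: shlex.quote wraps the input so the shell reads it as one word."""
    return f"ls {shlex.quote(user_input)}"


def build_argv(user_input):
    """Preferred form: no shell at all; the input is one argv element whatever it contains.
    Pass this list to subprocess.run() with shell=False (the default); '--' stops option parsing."""
    return ["ls", "--", user_input]


def shell_tokens(command):
    """Approximate a POSIX shell's word splitting: quotes are honoured, '#' starts a
    comment, and ';' is emitted as a separate control-operator token."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def context_breakout(command):
    """True when tokenising reveals a command separator the developer never wrote."""
    return ";" in shell_tokens(command)


if __name__ == "__main__":
    for label, cmd in [("vulnerable", build_shell_command(PAYLOAD)),
                       ("shlex.quote", build_shell_command_quoted(PAYLOAD))]:
        print(f"{label:12} {cmd!r} -> {shell_tokens(cmd)}")
    print("argv        ", build_argv(PAYLOAD))
```

With the raw payload, the token stream contains ls, an empty argument, the separator ;, and then cat /etc/password as a second command, which is exactly the breakout the row describes; with shlex.quote the whole payload is a single argument to ls, and with the argv form there is no shell to interpret it at all.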
XSS |
Cross-Site Scripting (XSS) in Path, Header and Parameter Value | Prevents Cross-Site Scripting attacks for paths, header and parameter values. In a Cross-Site Scripting (XSS) attack, an attacker injects code (often JavaScript) into a website. This code is loaded and executed by unsuspecting users visiting the compromised site. An example is that of a web forum where a malicious user creates a post containing carefully designed text. When other users visit the forum, their browsers will interpret the text as JavaScript and execute it. Depending on the injected code, this can lead to session or credential stealing, or malware delivery to the victim’s machine. There are many forms of XSS attacks, depending on the position of the injection in the context of the original webpage’s HTML: If the code is injected at a location where it is not directly interpreted as a JavaScript statement, the attack must include additional instructions to indicate that the code should be interpreted as JavaScript. Often, this is achieved using <script> tags or HTML event handlers, e.g., onload . In a so-called “quoted context attack” an attacker finds a way to inject directly into a context already interpreted as JavaScript, making the attack much easier to perform. This can happen if, for example, user input is directly fed into a JavaScript variable: var f = "<some user input>" This is called a quoted context attack, because the injection string is placed inside a quoted context. For the attack to succeed, the attacker still needs to perform what is called a “context breakout” to do anything useful. An unquoted context attack occurs when user input is directly interpreted as plain JavaScript (not inside a variable assignment or similar). This attack is easier to perform and harder to detect than a quoted context attack. The security level Basic prevents injection of <script> tags and known HTML event handlers. The security level Standard prevents injection of JavaScript code in quoted context. The security level Strict prevents injection of JavaScript code in unquoted context. |
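The two injection positions the XSS row distinguishes, a plain HTML location that needs a <script> tag and the quoted JavaScript context var f = "<some user input>", rendered with and without context-appropriate encoding, as an added example that is not part of the Airlock documentation or product. Both payloads are constructed here. The point a practitioner should take from it: each output context needs its own encoder, and even JSON-encoding a JavaScript string is not enough on its own, because the HTML parser closes the script block at the first </script it sees before any JavaScript runs.

```python
import html
import json

# Constructed payloads (not from the page): one for an HTML body context, one for the
# page's quoted JavaScript context var f = "<some user input>".
TAG_PAYLOAD = "<script>alert(1)</script>"
QUOTED_PAYLOAD = '"; alert(1); //'


def render_heading_vulnerable(user_input):
    """HTML body context with raw input: a <script> tag in the input becomes real markup."""
    return f"<h1>Hello {user_input}</h1>"


def render_heading_safe(user_input):
    """HTML body context, hardened: html.escape turns <, >, &, and quotes into entities."""
    return f"<h1>Hello {html.escape(user_input)}</h1>"


def render_script_vulnerable(user_input):
    """Quoted JavaScript context with raw input: a double quote ends the string literal
    (the page's quoted-context breakout)."""
    return f'<script>var f = "{user_input}";</script>'


def render_script_json_only(user_input):
    """json.dumps escapes the quote, but leaves '</script>' intact; the HTML parser ends the
    script block there, before JavaScript ever runs."""
    return f"<script>var f = {json.dumps(user_input)};</script>"


def js_string_literal(value):
    """JSON-encode and additionally escape the characters that matter to the HTML parser."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_script_safe(user_input):
    """Quoted JavaScript context, hardened for both the JavaScript and the surrounding HTML parser."""
    return f"<script>var f = {js_string_literal(user_input)};</script>"


def script_terminators(markup):
    """Count '</script' occurrences: exactly one means the developer's script block stayed intact."""
    return markup.lower().count("</script")


if __name__ == "__main__":
    print(render_heading_vulnerable(TAG_PAYLOAD))
    print(render_heading_safe(TAG_PAYLOAD))
    print(render_script_vulnerable(QUOTED_PAYLOAD))
    print(render_script_json_only(TAG_PAYLOAD), "terminators:", script_terminators(render_script_json_only(TAG_PAYLOAD)))
    print(render_script_safe(TAG_PAYLOAD), "terminators:", script_terminators(render_script_safe(TAG_PAYLOAD)))
```

The Basic level of the rule targets the first payload's <script> tag, the Standard level the quote-and-breakout shape of the second; the encoders above are the application-side defence that should exist whatever level the gateway runs at.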