<?xml version="1.0" encoding="UTF-8"?>
<!--
This file defines a set of "web application firewall" rules that
defend a web application against certain types of attacks. These rules
are loaded and enforced by a filter that sits in front of a web
application and has access to both request and response on both the
way in and the way out.
-->
<policy>
<!--
Setup some simple aliases to use elsewhere in the WAF policy. Alias
types are: string (default), regex. String is a literal string, regex
is a pattern.
-->
<aliases>
<!-- Page that input-validation failures are meant to be sent to. Nothing else in
this policy references the alias yet. -->
<alias name="INPUT_VALIDATION_ERROR">/security/input.jsp</alias>
<!-- Regex alias for the admin area. NOTE(review): the authorization rules below repeat
the literal /admin/.* instead of referencing this alias, so the two can drift apart;
confirm the alias reference syntax with the WAF's configuration parser before relying
on it. -->
<alias name="ADMIN_PATH" type="regex">^/admin/.*</alias>
</aliases>
<!--
Set the overall WAF mode of operation. "block" mode sends all violations to
the web page defined in the error-handling configuration. "log" mode does
not change HTTP requests at all, but simply logs violations; it offers no
protection and is only appropriate while tuning the policy.
NOTE(review): the value configured below is "redirect", which this comment
did not describe; confirm the full set of accepted mode values, and what an
unrecognised value falls back to, against the WAF's configuration parser.
-->
<settings>
<!-- NOTE(review): "redirect" is not one of the two modes ("block"/"log") described in
the comment above. Confirm the parser accepts it; an unrecognised value may silently
fall back to a default, possibly log-only, behaviour. -->
<mode>redirect</mode>
<!-- Name of the session cookie the WAF looks at. JSESSIONID is the usual servlet
container default; it must match whatever the container is actually configured to use. -->
<session-cookie-name>JSESSIONID</session-cookie-name>
<error-handling>
<!-- Page a violating request is redirected to. NOTE(review): /security/error.jsp is
itself under the /.* authentication rule below and is not listed as a path-exception
there; confirm the WAF exempts its own redirect target, otherwise an unauthenticated
blocked request is redirected to a page that triggers another redirect. -->
<default-redirect-page>/security/error.jsp</default-redirect-page>
<!-- HTTP status returned when a request is blocked outright rather than redirected. -->
<block-status>403</block-status>
</error-handling>
</settings>
<!--
Set authentication rules by path.
-->
<!-- Every request path (/.*) is treated as requiring authentication, presumably by the
presence of the session attribute named in "key"; the entries below are exempt. A plain
path-exception is a literal string match, a type="regex" one is a pattern. -->
<authentication-rules path="/.*" key="ESAPIUserSessionKey" >
<path-exception>/</path-exception>
<path-exception>/index.html</path-exception>
<path-exception>/login.jsp</path-exception>
<path-exception>/index.jsp</path-exception>
<!-- NOTE(review): these patterns are not anchored with ^ and $. Whether a path such as
/x/images/y or /images/../admin/ is treated as exempt depends on how the WAF matches
(matches vs. find) and whether it normalises the path before matching; confirm both, and
anchor the patterns if the matched value is known to start at the context root. -->
<path-exception type="regex">/images/.*</path-exception>
<path-exception type="regex">/css/.*</path-exception>
<path-exception type="regex">/help/.*</path-exception>
<!-- NOTE(review): the WAF's own pages under /security/ (see settings and aliases) are not
exempted here; confirm the WAF handles its redirect target specially, or add them. -->
</authentication-rules>
<bean-shell-rules>
<!-- SECURITY NOTE: a bean-shell-script runs arbitrary BeanShell (Java scripting) code inside
the WAF at the named stage. Only reference script files from a location the deployer controls
and the web server process cannot write to; a writable script path turns the WAF into a
code-execution hook. The example is left disabled. -->
<!-- <bean-shell-script
id="example1"
file="waf-policies/bean-shell-rule.bsh"
stage="before-request-body"/>
-->
</bean-shell-rules>
<!--
Set authorization rules by path. Path type is: regex. Operators for
must-match are: contains, equals, inList, exists.
-->
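<authorization-rules>
<!-- Only clients whose remote address is in 192.168.1.0/24 or is IPv4 loopback may reach
/admin/. The pattern is anchored and every dot is escaped: the original "127.0.0.1" used
unescaped dots (so it also matched e.g. 127x0y0z1) and was not anchored. The path pattern is
anchored with ^ to match the must-match rule below. The address checked is whatever the
servlet container reports as the remote address; behind a reverse proxy that is typically
the proxy's own address, so this rule alone does not identify the end client. -->
<restrict-source-ip type="regex"
ip-regex="^(192\.168\.1\.[0-9]{1,3}|127\.0\.0\.1)$">^/admin/.*</restrict-source-ip>
<!-- SECURITY NOTE: this grants /admin/ to any request carrying an X-Roles header that
contains the substring "admin". Request headers are chosen by the client, so unless a
trusted reverse proxy always overwrites X-Roles (and discards the client's copy) this is
not an authorization check at all. Source roles from server-side session state instead,
and prefer "equals" or "inList" over "contains", which also accepts values such as
"notadmin". Kept as-is so the sample still parses; do not deploy it in this form. -->
<must-match path="^/admin/.*" variable="request.headers.x-roles"
operator="contains" value="admin" />
</authorization-rules>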
<!--
Set rules for incoming URLs.
-->
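<url-rules>
<!-- Requests for .jpg resources are refused (sample rule; adjust for the application). -->
<restrict-extension deny=".jpg" />
<!-- Action URLs ending in .do (Struts-style) may not be invoked with GET, so state-changing
actions must arrive as POST; this also blocks simple CSRF-by-link against them. -->
<restrict-method deny="GET" path=".*\.do$" />
<!-- Allow-list of HTTP methods. TRACE was removed from the original (GET|POST|TRACE): TRACE
echoes the request, including cookies and authorization headers, back to the caller
(cross-site tracing) and no web application needs it. HEAD and OPTIONS remain blocked as
before; add them here only if clients require them. -->
<restrict-method allow="^(GET|POST)$" />
<!-- Everything must be served over HTTPS except the landing and static paths below. Serving
the entry pages over plain HTTP lets a network attacker rewrite the link to /login.jsp (SSL
stripping), and Secure-flagged cookies set elsewhere are never sent to these pages. Keep the
list as small as possible and enable HSTS on the origin. -->
<enforce-https path="/.*">
<path-exception>/index.html</path-exception>
<path-exception>/index.jsp</path-exception>
<path-exception type="regex">/images/.*</path-exception>
<path-exception type="regex">/css/.*</path-exception>
<path-exception type="regex">/help/.*</path-exception>
</enforce-https>
</url-rules>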
<!--
Set rules for incoming headers and parameters.
-->
<header-rules>
<!-- Content-Type deny/allow rules (regex). Multipart bodies, i.e. file uploads, are refused;
only plain-text and form-encoded bodies are accepted. The allow patterns are written as
unanchored substrings, apparently so "x-www-form-urlencoded" also covers
"application/x-www-form-urlencoded; charset=UTF-8". NOTE(review): JSON/XML APIs are not
covered by this sample, and the behaviour for a request with no Content-Type header, as well
as whether deny is evaluated before allow, should be confirmed against the WAF. -->
<restrict-content-type deny=".*multipart.*" />
<restrict-content-type allow="text/plain" />
<restrict-content-type allow="x-www-form-urlencoded" />
<!-- User-Agent filtering is a nuisance control only: the header is freely chosen by the
client, so this neither reliably keeps GoogleBot out nor proves anything about a request
that passes. Do not build authorization decisions on it. -->
<restrict-user-agent deny=".*GoogleBot.*" />
<restrict-user-agent allow=".*" />
</header-rules>
<!--
Set virtual patches to match specific vulnerability patterns.
-->
<virtual-patches>
<!-- Sample virtual patch: checks request parameter "bar" on /foo.jsp against the regex and
logs "zomg attax" when the rule trips. NOTE(review): [0-9a-zA-Z] is a placeholder. Whether
"pattern" describes allowed input (allow-list) or attack input (deny-list) decides what
"trips" means, so confirm the semantics with the WAF before writing a real patch; a real
allow-list should also be anchored (^...$). -->
<virtual-patch id="1234" path="/foo.jsp" variable="request.parameters.bar"
pattern="[0-9a-zA-Z]" message="zomg attax" />
</virtual-patches>
<!-- Set rules for outbound headers and data -->
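<outbound-rules>
<!-- Adds a response header on every path except /foobar/. FOO/BAR is a placeholder; this is
the natural place for hardening headers the application does not already set (for example
X-Content-Type-Options: nosniff). -->
<add-header name="FOO" value="BAR" path="/.*">
<path-exception type="regex">/foobar/.*</path-exception>
</add-header>
<!-- Every Set-Cookie (cookie name is a regex) gets the HttpOnly flag, keeping script from
reading cookies after a cross-site scripting bug. -->
<add-http-only-flag>
<cookie name=".*" />
</add-http-only-flag>
<!-- Every Set-Cookie gets the Secure flag, so browsers never send it over plain HTTP. This
interacts with the enforce-https path-exceptions above: pages served over HTTP will not
receive these cookies. -->
<add-secure-flag>
<cookie name=".*" />
</add-secure-flag>
<!-- Response-body rewriting. The pattern attributes are regexes over the response text and
must be XML-escaped: as rendered, the literal "<" and the embedded quotes made this file
not well-formed, so they are written as entities here. The first rule targets the closing
body tag with the CDATA replacement; the second strips type="hidden" from input tags and is
a demonstration of rewriting, not something to ship. NOTE(review): \s+ around "=" requires
whitespace on both sides, so type="hidden" with no spaces is not matched; \s* is probably
what was intended. -->
<dynamic-insertion pattern="&lt;/body&gt;">
<replacement><![CDATA[this is a test]]></replacement>
</dynamic-insertion>
<dynamic-insertion
pattern="(&lt;input.*)type\s+=\s+&quot;+hidden&quot;+(.*/&gt;)">
<replacement>\1\2</replacement>
</dynamic-insertion>
<!-- Flags text responses whose body matches the pattern (sample: the string 2008). Useful for
catching stack traces, internal hostnames or other data that must not leave the application. -->
<detect-content content-type=".*text/.*" pattern=".*2008.*" />
</outbound-rules>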
</policy>