Alert Logic® web application services use Request for Comments (RFC) standard parsing libraries to process request bodies into name-value pairs for further review. If the Alert Logic web application service has trouble parsing a request body into name-value pairs, it may throw a violation pertaining directly to the Content-Type, or a false positive violation based on whatever it was able to parse from the initially observed content.
When utilizing web application intrusion detection system solutions, Alert Logic recommends that you adhere to RFC web application standards for Content-Type to ensure successful name-value pair analysis and a more secure overall policy.
Web Application Firewall Violations
If Alert Logic encounters issues while attempting to parse request bodies into name-value pairs, it may throw one of these following web application firewall violations regarding Content-Types:
Malformed Request
A malformed request violation implies that Alert Logic is not able to successfully parse a request body based on conventional Content-Types - often XML, JSON, and multi-part requests. There are a few reasons why this violation could occur:
- The Content-Type is text/plain
- The Content-Type is relatively unconventional or completely custom
Content-Type Not Enabled
A Content-Type not enabled violation implies that Alert Logic is not able to successfully parse a request body because the configuration has not enabled parsing and validation of the more unconventional Content-Type headers - including application/octet-stream, application/x-amf, and text/plain. There are a few reasons why this violation could occur:
- The Content-Type is text/plain
- The Content-Type is relatively unconventional or completely custom
Violation Remediation Recommendations
Use these recommendations to remediate the above violations, as well as to maintain RFC and Content-Type best practice use.
Apply Proper Content-Type Headers
Ensure Content-Type headers match the request body content:
- JSON - application/json
- XML - application/xml or text/xml
- Multi-part requests - multipart/form-data;boundary="BOUNDARY"
Ensure Proper Syntax
Confirm that the request body content has proper RFC standard format and syntax.
JSON
Make sure that the name-value pairs have proper delimitation and that the objects are properly nested. Use the MetaCPAN JSON encoder/decoder and JSON::Relaxed resources for guidance on this.
XML
Make sure that there is only one root node, that all tag elements are properly nested, and that if a prolog declaration exists it is the first line item. Use the MetaCPAN XML::LibXML resource for guidance on this.
Multi-Part Requests
Make sure that the multi-part boundary in the Content-Type header matches the boundaries in the request body. Further, confirm that the last boundary ends with a trailing double dash (--) to properly terminate the request body. Use the World Wide Web Consortium Multipart Content-Type resource for guidance on this.
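The three syntax checks above, written out as an added Python example (not Alert Logic's code or parser): JSON and XML bodies must parse cleanly (one root node, prolog first), and for multi-part bodies the boundary from the Content-Type header must appear in the body and the closing delimiter must end with a trailing double dash. The function names and the sample bodies are constructed for this example.

```python
import json
import xml.etree.ElementTree as ET


def parse_content_type(header):
    """Split 'type/subtype; k=v; ...' into the lowercase media type and a parameter dict."""
    media_type, _, rest = header.partition(";")
    params = {}
    for part in rest.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            params[key.lower()] = value.strip().strip('"')
    return media_type.strip().lower(), params


def check_body_against_content_type(header, body):
    """Return (parsed_ok, reason) for one request, applying the checks described above."""
    media_type, params = parse_content_type(header)
    if media_type == "application/json":
        try:
            json.loads(body)  # rejects missing delimiters and unbalanced nesting
        except ValueError as exc:
            return False, "JSON does not parse: %s" % exc
        return True, "JSON parsed"
    if media_type in ("application/xml", "text/xml"):
        try:
            ET.fromstring(body)  # fails on a second root node or an unclosed element
        except ET.ParseError as exc:
            return False, "XML does not parse: %s" % exc
        return True, "XML parsed"
    if media_type == "multipart/form-data":
        boundary = params.get("boundary")
        if not boundary:
            return False, "multipart/form-data without a boundary parameter"
        delimiter = b"--" + boundary.encode()
        lines = body.rstrip(b"\r\n").split(b"\r\n")
        if delimiter not in lines:
            return False, "boundary from the header does not appear in the body"
        if lines[-1] != delimiter + b"--":
            return False, "closing boundary is missing its trailing --"
        return True, "multipart parsed"
    # text/plain and custom types are not parsed into name-value pairs (see Content-Type Not Enabled)
    return False, "Content-Type %r is not parsed; notify Alert Logic or enable parsing" % media_type


# Constructed sample bodies (not captured traffic)
GOOD_MULTIPART = b'--XYZ\r\nContent-Disposition: form-data; name="a"\r\n\r\n1\r\n--XYZ--\r\n'
BAD_MULTIPART = b'--XYZ\r\nContent-Disposition: form-data; name="a"\r\n\r\n1\r\n--XYZ\r\n'
```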
Communicate Custom Content-Type and Text/Plain
Ensure that Alert Logic is notified if:
- Web applications use text/plain
- Web applications use unconventional or custom Content-Types
Further, enable text/plain parsing and bypass custom Content-Types when needed.