The Barracuda Web Application Firewall normalizes all traffic before applying any security policy string matches. For HTTP data, this requires decoding Unicode, UTF, or Hex to base text, to prevent disguised attacks using encoding formats for which string matches are not effective.
Normalization is always enabled while the Barracuda Web Application Firewall is active. The Default Character Set parameter specifies the character set encoding type expected for incoming requests. ASCII is the default.
In some cases multiple character set encodings are needed, for example a Japanese language site that must handle both Shift-JIS and EUC-JP. To add character set encodings, set the Detect Response Charset parameter to Yes. All response headers are then searched for a META tag specifying the character set encoding type, and any supported types found are added dynamically.
Double encoding is the re-encoding of data that is already encoded. For example, the UTF-8 escape for the backslash character is %5C, which is itself a sequence of three characters: %, 5, and C. Double encoding re-encodes one or all of these three characters using their own UTF-8 escapes, %25, %35, and %63 respectively. A string match that runs after only one decoding pass still sees %5C rather than the backslash and therefore does not fire.
Steps To Configure URL Normalization
- Go to the SECURITY POLICIES > URL Normalization page.
- Select the policy from the Policy Name drop-down list.
- In the URL Normalization section, specify values for the following fields:
  - Default Character Set – Select the character set decoding type to be used for incoming requests. By default, it is set to UTF-8. The available character set decoding types are:
    - English only: ASCII (7-bit), ISO-8859-1 (8-bit)
    - Unicode: UTF-8
    - Chinese: GBK, GB2312, HZ, BIG-FIVE, EUC-TW, ISO-2022-CN
    - Japanese: Shift-JIS, EUC-JP, ISO-2022-JP
    - Korean: EUC-KR, JOHAB, ISO-2022-KR
    - Values: ASCII, BIG5, EUC-JP, EUC-KR, EUC-TW, GB2312, GBK, HZ, ISO-2022-CN, ISO-2022-JP, ISO-2022-KR, ISO-8859-1, JOHAB, Shift-JIS, UTF-8
    - Recommended: UTF-8
  - Detect Response Charset – Set to Yes to detect the character set of the response page from its Content-Type META tags. When set to No, the response is not examined and the static Default Character Set setting is used instead.
    - Recommended: No
  - Detect evasions with special characters – When set to Yes, requests are examined for single quotes, double quotes, and null characters acting as potential concatenators in the payload. The payload is then coalesced, with these characters exempted, before deep inspection.
  - Parameter Separators – Select the URL-decoded parameter separator to be used from the drop-down list.
    - Values: Ampersand and Semicolon, Ampersand only, Semicolon only
    - Recommended: Ampersand only
  - Apply Double Decoding – Set to Yes to apply a second character set decoding pass after regular URL normalization completes. If this decoding fails, the request is blocked in active mode and a log entry is generated on the BASIC > Web Firewall Logs page; in passive mode the request is allowed and the log entry is still generated.
    - Recommended: No
- Click Save.
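The following is an added illustration, not Barracuda code, of the two settings discussed above: it emulates the normalization order (percent-decode, optional second pass, then decode in the Default Character Set) and shows why the %5C example only matches a backslash signature after double decoding, and why the configured character set decides whether a byte sequence is a backslash at all. The signature, the sample requests and the `policy_decision` helper are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Matches a single percent-escape such as %5C (case-insensitive hex).
PERCENT_SEQ = re.compile(rb"%[0-9A-Fa-f]{2}")


def double_encode(data: bytes) -> bytes:
    """Re-encode every byte of an already percent-encoded string.

    b"%5c" -> b"%25%35%63", the double-encoding example from the text above.
    """
    return b"".join(b"%%%02X" % byte for byte in data)


def normalize(raw: bytes, charset: str = "utf-8", apply_double_decoding: bool = False):
    """Emulate the documented normalization order.

    1. regular URL (percent) decoding,
    2. a second decoding pass if Apply Double Decoding is Yes and escapes remain,
    3. conversion to text using the configured Default Character Set.
    Returns (text, ok); ok is False when the bytes are invalid in the charset,
    which is the 'decoding fails' case that is blocked in active mode.
    """
    data = unquote_to_bytes(raw)
    if apply_double_decoding and PERCENT_SEQ.search(data):
        data = unquote_to_bytes(data)
    try:
        return data.decode(charset), True
    except UnicodeDecodeError:
        return None, False


def policy_decision(raw: bytes, signature: str, charset: str = "utf-8",
                    apply_double_decoding: bool = False) -> str:
    """Constructed policy: block on decode failure or on a signature hit in the
    normalized text, otherwise allow."""
    text, ok = normalize(raw, charset, apply_double_decoding)
    if not ok:
        return "decode-failed"
    return "block" if signature in text else "allow"


if __name__ == "__main__":
    # Single pass leaves "%5C" in the text, so a backslash signature misses it.
    print(policy_decision(b"%255C", "\\"))                              # allow
    print(policy_decision(b"%255C", "\\", apply_double_decoding=True))  # block
    # 0x83 0x5C is one Shift-JIS character; the 0x5C byte is not a backslash.
    print(normalize(b"%83%5C", charset="shift_jis"))                    # ('ソ', True)
```

Under UTF-8 the same bytes %83%5C are invalid and fail decoding, which is the condition the page says Apply Double Decoding blocks in active mode; a second pass also consumes any legitimate literal "%25" in a request, so the recommended setting stays No unless the application is known to use nested encoding.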