URL requests and the parameters embedded in them can contain malicious scripts. Attacks embedded in URL requests or their parameters are executed with the permissions of the executing component. Injection of operating system or database commands into the parameters of a URL request, cross-site scripting, remote file inclusion attacks, and buffer overflow attacks can all be perpetrated through unchecked URL requests or their parameters.
Here is an example of malicious script within a URL Request:
Defense from these attacks is achieved by restricting the allowed methods in headers and content for invoked URL requests, restricting the number of request parameters and their lengths, limiting file uploads, and specifying attack types to explicitly detect and block. (Attack types are configured on SECURITY > Libraries or SECURITY > View Internal Patterns.) URL Protection uses a combination of these techniques to protect against various URL attack types. URL Protection defends the Service from URL request attacks when no URL Profile is configured to do it. For information on URL Profiles, see Configuring Website Profiles.
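The checks described above (allowed methods, parameter count and length limits, an upload limit, and attack-type pattern matching) can be sketched in a few lines. This is an added example, not the product's implementation: the limits, the function name `check_request`, and the simplified patterns are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed limits for illustration; not the product's defaults.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_PARAMS, MAX_NAME_LEN, MAX_VALUE_LEN, MAX_UPLOAD_FILES = 40, 64, 1000, 5

# Simplified stand-ins for attack-type pattern groups; real libraries are far larger.
ATTACK_PATTERNS = {
    "cross-site-scripting": re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I),
    "sql-injection": re.compile(
        r"['\"]\s*(or|and)\s+[\w'\"]+\s*=|\bunion\s+select\b", re.I),
    "os-command-injection": re.compile(r"[;|&`]\s*(cat|ls|id|sh|bash)\b|\$\(", re.I),
    "remote-file-inclusion": re.compile(r"^(https?|ftp)://", re.I),
}

def check_request(method, url, upload_count=0):
    """Return a list of violations; an empty list means the request passes."""
    violations = []
    if method.upper() not in ALLOWED_METHODS:
        violations.append(f"method-not-allowed:{method}")
    if upload_count > MAX_UPLOAD_FILES:
        violations.append("too-many-uploads")
    # parse_qsl percent-decodes names and values, so encoded payloads
    # are length-checked and pattern-matched in their decoded form.
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if len(params) > MAX_PARAMS:
        violations.append("too-many-parameters")
    for name, value in params:
        if len(name) > MAX_NAME_LEN:
            violations.append(f"name-too-long:{name[:16]}")
        if len(value) > MAX_VALUE_LEN:
            violations.append(f"value-too-long:{name}")
        for attack, pattern in ATTACK_PATTERNS.items():
            if pattern.search(value):
                violations.append(f"{attack}:{name}")
    return violations

if __name__ == "__main__":
    # Constructed sample requests (shop.example is a placeholder host).
    samples = [
        ("GET", "https://shop.example/search?q=shoes&page=2"),
        ("GET", "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        ("TRACE", "https://shop.example/"),
    ]
    for method, url in samples:
        print(method, url, "->", check_request(method, url) or "pass")
```

A pattern as broad as the remote-file-inclusion one also flags legitimate parameters that carry URLs, which is why such checks are normally tuned per URL or parameter rather than applied uniformly.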
To configure URL protection, select a policy from the Policy Name list and click Configure under URL Protection in the Security Policies section.