Website Profiles

Last updated on 2019-12-06 05:16:52

The learned structure of an application is called a profile of the website. Website profiles are made up of profiles for URLs and profiles for parameters of those URLs. A URL profile lists allowed fields like HTTP methods, names and types of each parameter, query strings, length based restrictions, etc. A Parameter profile defines the allowed format for each parameter using either a negative or positive security model and includes length restrictions.

Website Profiles allow you to create specific rules to fine tune the security settings of a Service. They do not modify the default security policy settings, but fine tune security settings specific to a Service. For more information, see Configuring Website Profiles.

The following diagram shows the location of enforcement of Website Profiles in the Request/Response evaluation flow:

04 - Stage 2 with Positive Security.jpg

For more information on the complete evaluation flow for requests and responses, refer to Evaluation Policy and Flow.

To Update a Website Profile

Parameter Name	Data Type	Mandatory	Description
URL: /v1/virtual_services/{virtual_service_id}
Method: PUT
Description: Updates the values of given parameters in the given website profile.
Input Parameters:
use_profile	String	Optional	Specifies whether or not to validate the incoming requests against the URL profiles and parameter profiles. The values include: yes no
strict_profile_check	String	Optional	Specifies whether or not to enforce strict profile checks for the requests coming for the specified service. The values include: yes no
mode	Enumeration	Optional	Specifies the mode of the website profile for the specified service. The enumerated values include: active - allows or blocks the requests coming to the web application by validating against the URL profiles. passive - validates the requests against the URL profiles and logs the request errors. learning - starts learning the selected web application.
allowed_domains	Alphanumeric	Optional	Specify the domain or IP address of the Service whose requests/responses should be validated against the URL and parameter profiles.
exclude_url_patterns	Alphanumeric	Optional	Specify the URL patterns to be excluded in the URL profile validations.
include_url_patterns	Alphanumeric	Optional	Specify the URL patterns to be included in the URL profile validations in spite of being listed in the exclude_url_patterns parameter.

Example: Updating a Website Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/service_4 -u 'eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"website_profiles":{"use_profile":"yes","strict_profile_check":"no","mode":"passive","allowed_domains": ["*","www.abc.com","99.99.1.119"],"exclude_url_patterns":["*.jpg","*.txt"],"include_url_patterns":["*.jpeg "]}}'

Response:

{"id":"service_4","token":"eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n"}

To Create a URL Profile

Parameter Name	Data Type	Mandatory	Description
URL: /v1/virtual_services/{virtual_service_id}/url_profiles
Method: POST
Description: Creates a URL profile with the given values.
Input Parameters:
name	Alphanumeric	Yes	Name of the URL profile.
status	String	Optional	Specify whether or not to validate the requests coming to the specified service using this URL profile. The values include: on off
url	URL	Yes	A URL to be matched to the URL in the request.
extended_match	String	Yes	An expression that consists of a combination of HTTP headers and/or query string parameters. For information on how to write extended match expressions, refer Extended Match Syntax Help.
extended_match_sequence	Numeric	Yes	A number to indicate the order in which the extended match rule must be evaluated in the requests.
mode	String	Optional	The mode of the website profile for this service. passive - Validates the requests against the URL Profile and logs the request errors. active - Allows or blocks the requests coming to this Web application by validating against this URL profile. learning - starts learning the selected web application if Adaptive Profiling 'Status' is set to 'On'.
allow_query_string	String	Optional	Specify whether or not to allow query string in the URL. The values include: yes no
hidden_parameter_protection	Enumeration	Optional	Specify whether or not to protect hidden parameters in the forms and URLs. The enumerated values include: none forms forms_and_urls
csrf_prevention	Enumeration	Optional	Specify whether or not to prevent cross-site request forgery attack on the forms and URLs. The enumerated values include: none forms forms_and_urls
max_content_length	Numeric	Optional	Specify the maximum allowable length of the content, that is, the request body. The Content-Length indicates the size of the content in the request body. Note: Only requests with the Content-Length: headers are validated. Requests encoded using "Chunked Encoding" DO NOT have a Content-Length: header, and therefore are not subject to the Content Length check.
maximum_parameter_name_length	Numeric	Optional	Specify the maximum length of the parameter name in the request.
maximum_upload_files	Numeric	Optional	Specify the maximum number of files that can be uploaded in one request.
blocked_attack_types	String	Optional	Specify the attack types that needs to be matched in the requests/responses. The values include: os_command_injection http_specific_injection remote_file_inclusion_strict remote_file_inclusion ldap_injection sql_injection apache_struts_attacks os_command_injection_strict sql_injection_strict python_php_attacks cross_site_scripting cross_site_scripting_strict
custom_blocked_attack_types	String	Optional	Specify the custom attack types that needs to be matched in the requests/responses.

Example: Creating a URL Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/service_4/url_profiles -u 'eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n:' -X POST -H Content-Type:application/json -d '{"name": "url_test","url":"/index.html","status":"on”,"extended_match_sequence":"2","extended_match":"*","mode":"learning","allow_query_string":"yes","hidden_parameter_protection":"none","csrf_prevention":"none","max_content_length":"1073741823","maximum_parameter_name_length":"1023","maximum_upload_files":"100","comment":"URL Profile"}'

Response:

{"id":"url_test","token":"eyJldCI6IjI2NTk5MzgyMjAiLCJwYXNzd29yZCI6IjNiM2QzZDExYzE5NjhkY2QyYjNhMTMxM2Jm\nNTE5YzczIiwidXNlciI6ImFkbWluIn0=\n"}

To Retrieve a URL Profile

Parameter Name	Data Type	Mandatory	Description
URL: /v1/virtual_services/{virtual_service_id}/url_profiles /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}
Method: GET
Description: Lists all URL profiles if “url_profile_id” is not specified.
Input Parameters:
parameters	Alphanumeric	Optional	Any specific parameter name that needs to be retrieved.

Example: Retrieving a URL Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/service_4/url_profiles/url_test -u 'eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n:' -X GET

Response:

{"extended_match_sequence":"2","maximum_parameter_name_length":"10","status":"on","mode":"active","extended_match":"*","blocked_attack_types":["os_command_injection","http_specific_injection","remote_file_inclusion_strict","remote_file_inclusion","ldap_injection","sql_injection","apache_struts_attacks","os_command_injection_strict","sql_injection_strict","python_php_attacks"],"custom_blocked_attack_types":["abcd"],"csrf_prevention":"forms","url":"/index.html","read":"1","id":"url_test","token":"eyJldCI6IjI2NTk5MzgyMjAiLCJwYXNzd29yZCI6IjNiM2QzZDExYzE5NjhkY2QyYjNhMTMxM2Jm\nNTE5YzczIiwidXNlciI6ImFkbWluIn0=\n","max_content_length":"100","allowed_content_types":["text/xml","application/x-www-form-urlencoded"],"hidden_parameter_protection":"forms","name":"url_test","allow_query_string":"yes","display_name":null,"maximum_upload_files":"10","comment":"Test-urlprofile","allowed_methods":["GET","POST"],"referrers_for_the_url_profile": ["http://abcd","http://xyz"],"created_by":"Manual","exception_patterns":["sql-quote","script-tag "]}

To Update a URL Profile

Parameter Name	Data Type	Mandatory	Description
URL: /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}
Method: PUT
Description: Updates the values of given parameters in the given URL profile.
Input Parameters:
status	String	Optional	Specifies whether or not to validate the requests coming to the specified service using this URL profile. The values include: on off
url	URL	Optional	Specifies the URL to be matched to the URL in the request.
extended_match	String	Optional	An expression that consists of a combination of HTTP headers and/or query string parameters. For information on how to write extended match expressions, refer Extended Match Syntax Help.
extended_match_sequence	Numeric	Optional	Specifies the number to indicate the order in which the extended match rule must be evaluated in the requests.
mode	String	Optional	Specifies the mode of the website profile for the service. passive - Validates the requests against the URL Profile and logs the request errors. active - Allows or blocks the requests coming to this Web application by validating against this URL profile. learning - starts learning the selected web application if Adaptive Profiling 'Status' is set to 'On'.
allowed_methods	Alphabetic	Optional	Specify the methods to be allowed in the request.
allow_query_string	String	Optional	Specifies whether or not to allow query string in the URL. The values include: yes no
allowed_content_types	Alphabetic	Optional	Specify the content-types to be allowed in the POST body of a URL.
hidden_parameter_protection	Enumeration	Optional	Specifies whether or not to protect hidden parameters in the forms and URLs. The enumerated values include: none forms forms_and_urls
csrf_prevention	Enumeration	Optional	Specifies whether or not to prevent cross-site request forgery attack on the forms and URLs. The enumerated values include: none forms forms_and_urls
max_content_length	Numeric	Optional	Specifies the maximum allowable length of the content, that is, the request body. The Content-Length indicates the size of the content in the request body. Note: Only requests with the Content-Length: headers are validated. Requests encoded using "Chunked Encoding" DO NOT have a Content-Length: header, and therefore are not subject to the Content Length check.
maximum_parameter_name_length	Numeric	Optional	Specifies the maximum length of the parameter name in the request.
referrers_for_the_url_profile	Alphanumeric	Optional	Specify the address (URI) of the resource from which the Request URI was obtained. In case of adaptive profiling, the referrers are learned as the profile sources. This referrer is not same as the Referrer in CSRF protection.
maximum_upload_files	Numeric	Optional	Specifies the maximum number of files that can be uploaded in one request.
exception_patterns	Alphanumeric	Optional	Specify the patterns to be allowed as exceptions in spite of them being part of a malicious pattern group. The configuration should be the exact "Pattern Name" as found on the ADVANCED > View Internal Patterns page or as defined during the creation of a "New Group" through the ADVANCED > Libraries page.
blocked_attack_types	String	Optional	Specifies the attack types that needs to be matched in the requests/responses. The values include: os_command_injection http_specific_injection remote_file_inclusion_strict remote_file_inclusion ldap_injection sql_injection apache_struts_attacks os_command_injection_strict sql_injection_strict python_php_attacks cross_site_scripting cross_site_scripting_strict
custom_blocked_attack_types	String	Optional	Specifies the custom attack types that needs to be matched in the requests/responses.

Example: Updating a URL Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/url_encryption/url_profiles/url_test -u 'eyJldCI6IjE0NjU4Mzg3NjMiLCJwYXNzd29yZCI6IjJmNDM2ZjQxOTdkN2IyZGEwNzBkNTUzMWU1\nY2UzNDUxIiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"url":"/index.html","extended_match_sequence":"2","status":"on","extended_match":"*","mode":"active","allow_query_string":"yes","hidden_parameter_protection":"forms","csrf_prevention":"forms","max_content_length":"100","maximum_parameter_name_length":"10","maximum_upload_files":"10","blocked_attack_types":["os_command_injection","http_specific_injection","remote_file_inclusion_strict","remote_file_inclusion","ldap_injection","sql_injection","apache_struts_attacks","os_command_injection_strict","sql_injection_strict"],"comment":"Test-urlprofile","allowed_methods":["GET","POST"],"allowed_content_types":["text/xml","application/x-www-form-urlencoded"],"referrers_for_the_url_profile":["http://abcd","http://xyz"],"exception_patterns":["sql-quote","script-tag"],"custom_blocked_attack_types":["abcd"]}

Response:

{"id":"url_test","token":"eyJldCI6IjE0NjU4NDA0NDYiLCJwYXNzd29yZCI6IjUxZWZlOTI2ZWZhMTVmNTUxZjYxYzM2ZTI3\nNTRkMjg5IiwidXNlciI6ImFkbWluIn0=\n"}

To Delete a URL Profile

URL: /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}

Method: DELETE

Description: Deletes the given URL profile.

Example: Deleting a URL Profile

Request:

Response:

{"msg":"Successfully deleted","token":"eyJldCI6IjI2NTk5MzgyMjAiLCJwYXNzd29yZCI6IjNiM2QzZDExYzE5NjhkY2QyYjNhMTMxM2Jm\nNTE5YzczIiwidXNlciI6ImFkbWluIn0=\n"}

To Create a Parameter Profile

Parameter Name	Data Type	Mandatory	Description
URL: /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}/parameter_profiles
Method: POST
Description: Creates a parameter profile with the given values.
Input Parameters:
name	Alphanumeric	Yes	Specify a name for the parameter profile.
status	String	Optional	Specify whether or not to validate the requests coming to the specified service using this parameter profile. The values include: on off
type	Enumeration	Yes	Specify the type of parameter to be validated in the requests/responses. The enumerated values include: input read_only session_choice global_choice session_invariant file_upload
values	Alphanumeric	Conditional	Specify a fixed set of strings to be matched against the parameter's value, Note: This is required only when type is set to Global Choice.
parameter_class	Enumeration	Yes	Specify the parameter class that needs to be compared to the parameters sent in the requests/responses. The enumerated values include: custom login search password comments integer hex_number alpha alphanumeric string generic no_validation
custom_parameter_class	Enumeration	Conditional	Specify the custom parameter class that needs to be compared to the parameters sent in the requests/responses. Note: Required only when parameter_class is set to custom.
max_value_length	Numeric	Optional	Specify the maximum allowable length for the value of the parameter
required	String	Optional	Specify whether or not the parameter should always be present in the request. The values include: yes no
ignore	String	Optional	Specify whether or not to ignore the parameter completely from validation. The values include: yes no
validate_parameter_name	String	Optional	Specify whether or not to validate the parameter names in the request against the attack types specified in blocked_attack_types and custom_blocked_attack_types in the associated URL profile. The values include: yes no
maximum_instances	Numeric	Optional	Specify the maximum number of times the parameter should be allowed in the request/response.
allowed_file_upload_type	String	Optional	Specify the file upload type. The values include: extensions - to allow the files uploaded with extensions specified in file_upload_extensions. mime_types - to identify the content in the files before allowing to be uploaded with the mime types specified in file_upload_mime_types.
file_upload_extensions	Alphanumeric	Conditional	Specify the extensions to be allowed in file uploads. Note: Required only when allowed_file_upload_type is set to extensions.
file_upload_mime_types	Alphanumeric	Conditional	Specify the Mime types to be allowed as uploaded files. Note: Required only when allowed_file_upload_type is set to mime_types.

Example: Creating a Parameter Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/service_4/url_profiles/url_test1/parameter_profiles -u 'eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n:' -X POST -H Content-Type:application/json -d '{"name":"param1","parameter":"index1","status":"on","comments":"test_param_profiles","ignore":"yes","allowed_metacharacters":"%00","base64_decode_parameter_value":"yes","required":"yes","maximum_instances":"10","validate_parameter_name":"yes","max_value_length":"1000","parameter_class":"generic","type":"input"}'

Response:

{"id":"param1","token":"eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n"}

To Retrieve a Parameter Profile

Parameter Name	Data Type	Mandatory	Description
URL: /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}/parameter_profiles /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}/parameter_profiles/{parameter_profile_id}
Method: GET
Description: Lists all parameter profiles if “parameter_profile_id” is not specified.
Input Parameters:
parameters	Alphanumeric	Optional	Any specific parameter name that needs to be retrieved.

Example 1: Retrieving all parameter profiles

Request:

Response:

{"parameters":null,"object":"ParameterProfiles","data":[{"status":"on","comments":"test_param_profiles","ignore":"no","allowed_metacharacters":"%00","base64_decode_parameter_value":"no","required":"no","id":"param1","maximum_instances":"10","validate_parameter_name":"no","max_value_length":"1000","custom_parameter_class":"","file_upload_extensions":["html","txt"],"parameter_class":"generic","name":"param1","values":["aaaaa","ddddd","zzzzz"],"parameter":"index1","allowed_file_upload_type":"mime_types","file_upload_mime_types":["text/html"],"type":"file_upload","created_by":"Manual","exception_patterns":["sql-quote","script-tag"]}],"limit":null,"service_id":"service_4","token":"eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n","offset":null}

Example 2: Retrieving a specific parameter profile

Request:

Response:

{"status":"on","comments":"test_param_profiles","ignore":"no","allowed_metacharacters":"%00","base64_decode_parameter_value":"no","required":"no","id":"param1","maximum_instances":"10","token":"eyJldCI6IjYyNjIxODcxMDUiLCJwYXNzd29yZCI6ImQ2Y2IyNWEyZmU2MjMwNjY5MWU4ZWYxMTUz\nYWM0MDM3IiwidXNlciI6ImFkbWluIn0=\n","validate_parameter_name":"no","max_value_length":"1000","custom_parameter_class":"","file_upload_extensions":["html","txt"],"parameter_class":"generic","name":"param1","values":["aaaaa","ddddd","zzzzz"],"parameter":"index1","allowed_file_upload_type":"mime_types","file_upload_mime_types":["text/html"],"type":"file_upload","created_by":"Manual","exception_patterns":["sql-quote","script-tag"]}

To Update a Parameter Profile

Parameter Name	Data Type	Mandatory	Description
URL: /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}/parameter_profiles/{parameter_profile_id}
Method: PUT
Description: Updates the values of given parameters in the given parameter profile.
Input Parameters:
status	String	Optional	Specifies whether or not to validate the requests coming to the specified service using this parameter profile. The values include: yes no
type	Enumeration	Optional	Specifies the type of parameter to be validated in the requests/responses. The enumerated values include: input read_only session_choice global_choice session_invariant file_upload
values	Alphanumeric	Conditional	Specifies a fixed set of strings to be matched against the parameter's value. Note: This is required only when type is set to Global Choice.
parameter_class	Enumeration	Optional	Specifies the parameter class that needs to be compared to the parameters sent in the requests/responses. The enumerated values include: custom login search password comments integer hex_number alpha alphanumeric string generic no_validation
custom_parameter_class	Enumeration	Conditional	Specifies the custom parameter class that needs to be compared to the parameters sent in the requests/responses. Note: Required only when parameter_class is set to custom.
max_value_length	Numeric	Optional	Specify the maximum allowable length for the value of the parameter
required	String	Optional	Specify whether or not the parameter should always be present in the request. The values include: yes no
ignore	String	Optional	Specify whether or not to ignore the parameter completely from validation. The values include: yes no
validate_parameter_name	String	Optional	Specify whether or not to validate the parameter names in the request against the attack types specified in blocked_attack_types and custom_blocked_attack_types in the associated URL profile. The values include: yes no
maximum_instances	Numeric	Optional	Specify the maximum number of times the parameter should be allowed in the request/response.
base64_decode_parameter_value	String	Optional	Specify whether or not to apply base64 decoding to the parameter values. The values include: yes no
allowed_file_upload_type	String	Optional	Specify the file upload type. The values include: extensions - to allow the files uploaded with extensions specified in file_upload_extensions. mime_types - to identify the content in the files before allowing to be uploaded with the mime types specified in file_upload_mime_types.
file_upload_extensions	Alphanumeric	Optional	Specify the extensions to be allowed in file uploads. Note: Required only when allowed_file_upload_type is set to extensions.
file_upload_mime_types	Alphanumeric	Optional	Specify the Mime types to be allowed as uploaded files. Note: Required only when allowed_file_upload_type is set to mime_types.
allowed_metacharacters	Alphanumeric	Optional	Specify the meta-characters to be allowed in spite of being marked as denied in the parameter class.
exception_patterns	Alphanumeric	Optional	Specify the patterns to be allowed as exceptions in spite of them being part of a malicious pattern group. The configuration should be the exact "Pattern Name" as found on the ADVANCED > View Internal Patterns page or as defined during the creation of a "New Group" through the ADVANCED > Libraries page.

Example: Updating a Parameter Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/service_4/url_profiles/url_test1/parameter_profiles/param1 -u 'eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"parameter":"index1","allowed_file_upload_type":"mime_types","status":"on","comments":"test_param_profiles","ignore":"no","allowed_metacharacters":"%00","base64_decode_parameter_value":"no","required":"no","maximum_instances":"10","validate_parameter_name":"no","max_value_length":"1000","parameter_class":"generic","type":"file_upload","file_upload_extensions":["html","txt"],"file_upload_mime_types":["text/html"],"values":["aaaaa","ddddd","zzzzz"],"exception_patterns":["sql-quote","script-tag"]}'

Response:

{"id":"param1","token":"eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n"}

To Delete a Parameter Profile

URL: /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}/parameter_profiles/{parameter_profile_id}

Method: DELETE

Description: Deletes the given parameter profile.

Example: Deleting a Parameter Profile

Request:

Response:

{"msg":"Successfully deleted","token":"eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n"}