Barracuda Web Application Firewall

Attacks Description - Action Policy

The following table describes the attack actions under each attack group:

When Web Firewall Logs are exported to the configured log server, the attack IDs are prefixed with "29" in the exported logs. For example, if the attack ID for the "Parameter Name Length Exceeded" attack is 147, the ID in the exported logs is displayed as 29147.


Protocol Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 16 | Directory Traversal Beyond Root | DIRECTORY_TRAVERSAL_BEYOND_ROOT | Attempted access to files and commands beyond the document root directory/CGI root directory. | Alert | Forceful Browsing |
| 125 | Get Request with Content Length | GET_REQUEST_WITH_CONTENT_LENGTH | HTTP GET request with Content-Length request header was detected. | Alert | Protocol Violations |
| 126 | Missing Host Header | MISSING_HOST_HEADER | An HTTP/1.1 version request lacked the mandatory Host request header. | Alert | Protocol Violations |
| 121 | Invalid Header | INVALID_HEADER | An invalid HTTP request header name-value pair was detected. | Alert | Protocol Violations |
| 118 | Invalid Method | INVALID_METHOD | An invalid HTTP method was detected in the request. | Alert | Protocol Violations |
| 77 | Invalid or Malformed HTTP Request | INVALID_OR_MALFORMED_REQUEST | Normalizing a request URI or header components determined it was invalid or malformed. | Alert | Protocol Violations |
| 129 | Parameter Too Large | PARAM_TOO_LARGE | An HTTP POST method request had a URL-encoded parameter value exceeding 1024 KB. | Alert | Limits Violation |
| 123 | Malformed Content Length | MALFORMED_CONTENT_LEN | Content-Length request header contained non-numeric characters (e.g., metacharacters or alphabetic characters). | Alert | Protocol Violations |
| 124 | Malformed Cookie | MALFORMED_COOKIE | A cookie not conforming to the HTTP cookie specifications was detected. | Alert | Protocol Violations |
| 120 | Malformed Request Line | MALFORMED_REQUEST_LINE | An HTTP request end of line lacked the mandatory \r\n characters. | Alert | Protocol Violations |
| 122 | Malformed Header | MALFORMED_HEADER_LINE | A header name did not conform to the HTTP protocol specifications. | Alert | Protocol Violations |
| 128 | Malformed Parameter | MALFORMED_PARAM | Normalizing and parsing the name or value of a parameter in a query or POST body revealed the request contained a malformed parameter. | Alert | Protocol Violations |
| 119 | Malformed Version | MALFORMED_VERSION | An HTTP request sent with a protocol version number other than 0.9, 1.0 or 1.1 was detected. | Alert | Protocol Violations |
| 127 | Multiple Content Length | MULTIPLE_CONTENT_LENGTH | An HTTP request contained more than one Content-Length HTTP request header. | Alert | Protocol Violations |
| 25 | Post Without Content Length | POST_WITHOUT_CONTENT_LENGTH | A POST request lacked the mandatory Content-Length HTTP request header. | Alert | Protocol Violations |
| 60 | Pre-1.0 Request | PRE_1_0_REQUEST | An HTTP request lacked a protocol version number, indicating it was an HTTP/0.9 request. | Alert | Protocol Violations |

Request Policy Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 141 | Cookie Count Exceeded | COOKIE_COUNT_EXCEEDED | A request exceeded the maximum number of cookies specified in Max Number of Cookies on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
| 32 | Cookie Expired | COOKIE_EXPIRED | The Cookie Max Age of a session cookie, set on the SECURITY POLICIES > Cookie Security page, has been exceeded on the client browser. | Warning | Session Tamper Attacks |
| 41 | Cookie Length Exceeded | COOKIE_LENGTH_EXCEEDED | A cookie exceeded the maximum allowable length specified in Max Cookie Value Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
| 142 | Cookie Name Length Exceeded | COOKIE_NAME_LENGTH_EXCEEDED | A cookie name length exceeded the maximum allowable length specified in Max Cookie Name Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
| 31 | Cookie Tampered | COOKIE_TAMPERED | A request cookie secured with cookie signing or encryption had been tampered with. The cookie Tamper Proof Mode on the SECURITY POLICIES > Cookie Security page was Encrypted or Signed. | Warning | Session Tamper Attacks |
| 44 | Header Count Exceeded | HEADER_COUNT_EXCEEDED | The number of request headers exceeded the maximum allowed, specified in Max Number of Headers on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
| 143 | Header Name Length Exceeded | HEADER_NAME_LENGTH_EXCEEDED | The length of the request header name exceeded the maximum allowed, specified in Max Header Name Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
| 6 | Header Value Length Exceeded | HEADER_VALUE_LENGTH_EXCEEDED | The request header value length exceeded the maximum allowed, specified in Max Header Value Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
| 11 | Invalid URL Encoding | INVALID_URL_ENCODING | The characters encoded in the URL do not conform to the URL encoding scheme specified in Default Character Set on the SECURITY POLICIES > URL Normalization page. | Alert | Injection Attacks |
| 116 | Mismatched Header Cookie Replay Attack | COOKIE_REPLAY_MISMATCHED_HEADER | The embedded and signed cookie header value sent to the client does not match the incoming value in a subsequent client request. Cookie Replay Protection Type is set to "Custom Headers" or "IP and Custom Headers" on the SECURITY POLICIES > Cookie Security page to detect this attack. | Warning | Session Tamper Attacks |
| 117 | Mismatched IP Cookie Replay Attack | COOKIE_REPLAY_MISMATCHED_IP | The cookie IP address information does not match the source IP address of the incoming client request. Cookie Replay Protection Type is set to “IP” or “IP and Custom Headers” on the SECURITY POLICIES > Cookie Security page to detect this attack. | Warning | Session Tamper Attacks |
| 14 | Slash-dot in URL Path | SLASH_DOT_IN_URL | Requested URL contained a slash (/) followed by a dot (.). This is a potential hidden file disclosure attack. | Alert | Forceful Browsing |
| 15 | Tilde in URL Path | TILDE_IN_URL | Requested URL contained a tilde (~). This is a potential hidden file disclosure attack. | Alert | Forceful Browsing |
| 144 | Too Many Sessions for IP | TOO_MANY_SESSIONS_FOR_IP | Client attempted to exceed New Session Count maximum set under Session Tracking on the WEBSITES > Advanced Security page. | Alert | DDOS Attacks |
| 0 | Request Length Exceeded | REQUEST_LENGTH_EXCEEDED | The request exceeded the total maximum allowable length (including the Request Line, and all HTTP request headers such as User Agent, Cookies, Referer, etc.) specified in Max Request Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
| 140 | Total Request Line Length Exceeded | REQUEST_LINE_LENGTH_EXCEEDED | The request line exceeded the maximum allowable length specified in Max Request Line Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
| 30 | Unrecognized Cookie | UNRECOGNIZED_COOKIE | The incoming request cookie was unrecognized. Allow Unrecognized Cookies is set to Never or Custom on the SECURITY POLICIES > Cookie Security page. Unrecognized cookies are cookies not encrypted by the Barracuda Web Application Firewall. | Warning | Session Tamper Attacks |
| 42 | URL Length Exceeded | URL_LENGTH_EXCEEDED | The URL in the request exceeded the maximum allowable URL length specified in Max URL Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
| 43 | Query Length Exceeded | QUERY_LENGTH_EXCEEDED | The length of the query string portion of the URL exceeded the maximum allowable length specified in Max Query Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |


Response Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 300 | CAPTCHA Validation Required | DDOS_CAPTCHA_SEND_CAPTCHA | The Response Page from the SECURITY POLICIES > Action Policy page was sent to the client because the back-end server was not reached. | Information | Outbound Attacks |
| 62 | Custom Error Response Page | CUSTOM_ERR_RESPONSE_PAGE | The custom error Response Page from the SECURITY POLICIES > Action Policy page was sent to the client because the back-end server was not reached. | Alert | Other Attacks |
| 17 | Error Response Suppressed | ERROR_RESPONSE_SUPPRESSED | The response from the back-end server contained a 4xx or 5xx response code and was blocked. The Suppress Return Code is set to Yes on the SECURITY POLICIES > Cloaking page. | Notice | Outbound Attacks |
| 63 | Identity Theft Pattern Matched | IDENTITY_THEFT_PATTERN_MATCHED | The response body (contents) from the back-end server matched an identity theft pattern on the ADVANCED > Libraries page. | Error | Outbound Attacks |
| 61 | Response Header Suppressed | RESPONSE_HEADER_SUPPRESSED | Response header suppressed as it matched Headers to Filter on the SECURITY POLICIES > Cloaking page. | Information | Outbound Attacks |


Header Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 331 | Apache Struts Attack in Header | APACHE_STRUTS_ATTACKS_MEDIUM_IN_HEADER | Header value matched an Apache Struts attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 37 | Cross-Site Scripting in Header | CROSS_SITE_SCRIPTING_IN_HEADER | Header value matched a Cross-Site Scripting pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | XSS Injections |
| 35 | Custom Attack Pattern in Header | CUSTOM_ATTACK_PATTERN_IN_HEADER | Header value matched a custom attack pattern defined under Attack Types on the ADVANCED > Libraries page. | Alert | Other Attacks |
| 39 | Directory Traversal in Header | DIRECTORY_TRAVERSAL_IN_HEADER | Header value matched a Directory Traversal pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 330 | HTTP Specific Attack in Header | HTTP_SPECIFIC_ATTACKS_MEDIUM_IN_HEADER | Header value matched an HTTP specific attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 328 | LDAP Injection in Header | LDAP_INJECTION_MEDIUM_IN_HEADER | Header value matched an LDAP Injection attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 7 | Metacharacter Matched in Header | HEADER_META_VIOLATION | Metacharacter in header matched the Denied Metacharacters defined under Header: Allow/Deny Rules on the WEBSITES > Allow/Deny page. | Alert | Other Attacks |
| 38 | OS Command Injection in Header | OS_CMD_INJECTION_IN_HEADER | Header value matched an OS Command injection pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 329 | Python PHP Attack in Header | PYTHON_PHP_ATTACKS_MEDIUM_IN_HEADER | Header value matched a Python PHP attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 332 | Remote File Inclusion in Header | REMOTE-FILE-INCLUSION-PATTERN-IN-HEADER | The header contained a Remote file inclusion pattern that matched an attack pattern defined under the header ACL. | Alert | Injection Attacks |
| 36 | SQL Injection in Header | SQL_INJECTION_IN_HEADER | Header value matched an SQL injection pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | SQL Attacks |


Application Profile Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 130 | No Domain Match in Profile | NO_DOMAIN_MATCH_IN_PROFILE | The domain attribute of session cookie does not match the attribute specified on the WEBSITES > Website Profiles page. This is enforced when Strict Profile Check and URL Profile is set to Yes. | Alert | Forceful Browsing |
| 131 | No URL Profile Match | NO_URL_PROFILE_MATCH | The request does not match any of the configured URL Profiles on the WEBSITES > Website Profiles page. This is enforced when Strict Profile Check and URL Profile is set to Yes. | Alert | Forceful Browsing |


URL Profile Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 327 | Apache Struts Attack in URL | APACHE_STRUTS_ATTACKS_MEDIUM_IN_URL | The value in a URL matched an Apache Struts attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 40 | Content Length Exceeded | CONTENT_LENGTH_EXCEEDED | The request body content exceeded the maximum allowable length defined in the URL Profile for the URL space. Max Content Length is specified on SECURITY POLICIES > URL Protection, or on WEBSITES > Website Profiles > URL Profiles (enforced when Use Profile is set to Yes and URL Profile created). | Alert | Limits Violation |
| 167 | Cross-Site Scripting in URL | CROSS_SITE_SCRIPTING_IN_URL | The value in a URL matched a Cross-Site Scripting pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | XSS Injections |
| 171 | Custom Attack Pattern in URL | CUSTOM_ATTACK_PATTERN_IN_URL | The value in a URL matched a custom attack pattern defined under Attack Types on the ADVANCED > Libraries page. | Alert | Other Attacks |
| 326 | HTTP Specific Attack in URL | HTTP_SPECIFIC_ATTACKS_MEDIUM_IN_URL | The value in a URL matched an HTTP specific attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 324 | LDAP Injection in URL | LDAP_INJECTION_MEDIUM_IN_URL | The value in a URL matched an LDAP Injection attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 5 | Method Not Allowed | METHOD_NOT_ALLOWED | The HTTP method in the request is denied as it is not configured in the Allowed Method list under URL Profile on the WEBSITES > Website Profiles page. | Alert | Forceful Browsing |
| 163 | No Param Profile Match | NO_PARAM_PROFILE_MATCH | The request failed to match the configured parameter profiles on the WEBSITES > Website Profiles page for this URL space. | Alert | Forceful Browsing |
| 168 | OS Command Injection in URL | OS_CMD_INJECTION_IN_URL | The URL matched an OS command injection pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 147 | Parameter Name Length Exceeded | PARAM_NAME_LENGTH_EXCEEDED | The length of the parameter in the request exceeds the maximum allowable length defined either on SECURITY POLICIES > URL Protection or WEBSITES > Website Profiles > URL Profiles (only when Use Profile is set to Yes and URL Profile created). | Alert | Other Attacks |
| 325 | Python PHP Attack in URL | PYTHON_PHP_ATTACKS_MEDIUM_IN_URL | The value in a URL matched a Python PHP attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 132 | Query String not Allowed | QUERY_STR_NOT_ALLOWED | Request blocked because a query string was detected in the URL. Enforced when query strings are disallowed on WEBSITES > Website Profile > URL Profiles. | Alert | Forceful Browsing |
| 170 | Remote File Inclusion in URL | REMOTE_FILE_INCLUSION_IN_URL | The URL matched a Remote File Inclusion pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | Injection Attacks |
| 161 | Session not Found | SESSION_NOT_FOUND | The Barracuda Web Application Firewall maintains a session for every form and URL fetched by the client when CSRF is enabled. If the request does not have the valid session token embedded in it, the Barracuda Web Application Firewall logs it as session not found. | Alert | Forceful Browsing |
| 166 | SQL Injection in URL | SQL_INJECTION_IN_URL | The URL matched an SQL injection pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | SQL Attacks |
| 149 | Too Many Parameters | TOO_MANY_PARAMS | The parameters in a GET query string and/or in the request body in a POST request exceeded MAX Parameters on the SECURITY POLICIES > URL Protection page. | Alert | DDOS Attacks |
| 148 | Too Many Uploaded Files | TOO_MANY_UPLOADED_FILES | The request exceeds the maximum number of form parameters that can be of file-upload type. Max Upload Files, specified on SECURITY POLICIES > URL Protection or on WEBSITES > Website Profiles > URL Profiles, was exceeded. The latter applies only when Use Profile is set to Yes and URL Profile created. | Alert | DDOS Attacks |
| 26 | Unknown Content Type | UNKNOWN_CONTENT_TYPE | The content type in the POST body of the URL does not match any Allowed Content Types under URL Profile on the WEBSITES > Website Profiles page. | Alert | Injection Attacks |


Parameter Profile Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 323 | Apache Struts Attack in Parameter | APACHE_STRUTS_ATTACKS_MEDIUM_IN_PARAM | The parameter matched an Apache Struts attack pattern in the associated Parameter Class of the parameter profile on the WEBSITES > Website Profiles page, or in the SECURITY POLICIES > Parameter Protection page (if no parameter profile). | Alert | Injection Attacks |
| 165 | Cross-Site Request Forgery | CROSS_SITE_REQUEST_FORGERY | The state parameter 'ncforminfo' was not found, or was found to be tampered with, in the form that matched the URL profile. | Alert | Forceful Browsing |
| 158 | Cross-Site Scripting in Parameter | CROSS_SITE_SCRIPTING_IN_PARAM | The parameter matched a cross-site scripting attack pattern in the associated Parameter Class of the parameter profile on the WEBSITES > Website Profiles page, or in the SECURITY POLICIES > Parameter Protection page (if no parameter profile). | Alert | XSS Injections |
| 155 | Custom Attack Pattern in Parameter | CUSTOM_ATTACK_PATTERN_IN_PARAM | The parameter matched a custom attack pattern in the associated Parameter Class of the parameter profile on the WEBSITES > Website Profiles page or in the SECURITY POLICIES > Parameter Protection page (if no parameter profile). | Alert | Other Attacks |
| 160 | Directory Traversal in Parameter | DIRECTORY_TRAVERSAL_IN_PARAM | The parameter matched a directory traversal pattern in the associated Parameter Class of the parameter profile on the WEBSITES > Website Profiles page or in the SECURITY POLICIES > Parameter Protection page (if no parameter profile). | Alert | Injection Attacks |
| 151 | File Upload Size Exceeded | FILE_UPLOAD_SIZE_EXCEEDED | The uploaded file in the request exceeds the Maximum Upload File Size on the SECURITY POLICIES > Parameter Protection page. | Alert | DDOS Attacks |
| 150 | Forbidden File Extension | FILE_EXTENSION_NOT_ALLOWED | The extension of the uploaded file does not match any configured extension in File Upload Extensions on the SECURITY POLICIES > Parameter Protection page, or in the WEBSITES > Website Profiles > Parameter Profile section. | Alert | Injection Attacks |
| 296 | Forbidden File Mime Type | FILE_MIME_TYPE_NOT_ALLOWED | The extension of the uploaded file does not match any configured extension in File Upload Mime Types on the SECURITY POLICIES > Parameter Protection page, or in the WEBSITES > Website Profiles > Parameter Profile section. | Alert | File Attacks |
| 322 | HTTP Specific Attack in Parameter | HTTP_SPECIFIC_ATTACKS_MEDIUM_IN_PARAM | The parameter matched an HTTP specific attack pattern in the associated Parameter Class of the parameter profile on the WEBSITES > Website Profiles page, or on the SECURITY POLICIES > Parameter Protection page (if no parameter profile). | Alert | Injection Attacks |
| 320 | LDAP Injection in Parameter | LDAP_INJECTION_MEDIUM_IN_PARAM | The parameter matched an LDAP Injection attack pattern in the associated Parameter Class of the parameter profile on the WEBSITES > Website Profiles page, or on the SECURITY POLICIES > Parameter Protection page (if no parameter profile). | Alert | Injection Attacks |
| 138 | Mandatory Parameter Missing | MISSING_MANDATORY_PARAM | The URL request lacks a required parameter. The Parameter profile associated with the URL profile has Required set to Yes under Parameter Profiles on the WEBSITES > Website Profiles page. | Alert | Injection Attacks |
| 137 | Maximum Instances of Parameter Exceeded | TOO_MANY_PARAM_INSTANCES | The instances of a parameter exceed Maximum Instances on the SECURITY POLICIES > Parameter Protection page, or in the WEBSITES > Website Profiles > Parameter Profile section. | Alert | DDOS Attacks |
| 152 | Metacharacter in Parameter | METACHARACTER_IN_PARAMETER | The parameter contained a metacharacter that matched an attack pattern in the Parameter Class associated with the Parameter profile on the WEBSITES > Website Profiles page, or on the SECURITY POLICIES > Parameter Protection page (if no parameter profile). | Alert | Other Attacks |
| 159 | OS Command Injection in Parameter | OS_CMD_INJECTION_IN_PARAM | The parameter contained an OS command injection pattern that matched an attack pattern in the Parameter Class associated with the Parameter profile on the WEBSITES > Website Profiles page, or on the SECURITY POLICIES > Parameter Protection page (if no parameter profile). | Alert | Injection Attacks |
| 156 | Parameter Input Validation Failed | PARAM_INPUT_VALIDATION_FAILED | The parameter failed to match input type validation configured under Parameter Profiles on the WEBSITES > Website Profiles page. | Alert | Injection Attacks |
| 154 | Parameter Length Exceeded | PARAM_LENGTH_EXCEEDED | The parameter value in the request exceeded the Maximum Parameter Value Length on the SECURITY POLICIES > Parameter Protection page, or in the WEBSITES > Website Profiles > Parameter Profile section. | Alert | Limits Violation |
| 139 | Parameter Value not Allowed | PARAM_VAL_NOT_ALLOWED | The Global Choice parameter did not match values configured under Parameter Profiles on the WEBSITES > Website Profiles page. | Alert | Injection Attacks |
| 321 | Python PHP Attack in Parameter | PYTHON_PHP_ATTACKS_MEDIUM_IN_PARAM | The parameter matched a Python PHP attack pattern in the associated Parameter Class of the parameter profile on the WEBSITES > Website Profiles page, or on the SECURITY POLICIES > Parameter Protection page (if no parameter profile). | Alert | Injection Attacks |
| 134 | Read-Only or Hidden Parameter Tampered | READ_ONLY_PARAM_TAMPERED | The read-only parameter did not match the value learned by the Barracuda Web Application Firewall based on the form sent to the browser. | Alert | Injection Attacks |
| 164 | Remote File Inclusion | REMOTE_FILE_INCLUSION | The parameter contained a remote file inclusion pattern that matched an attack pattern in the Parameter Class associated with the Parameter profile on the WEBSITES > Website Profiles page, or on the SECURITY POLICIES > Parameter Protection page (if no parameter profile). | Alert | Injection Attacks |
| 136 | Session Choice Parameter Tampered | SESSION_CHOICE_PARAM_TAMPERED | The session choice parameter did not match the value learned by the Barracuda Web Application Firewall based on the form sent to the browser for this session. | Alert | Session Tamper Attacks |
| 162 | Session Context not Found | SESSION_CONTEXT_NOT_FOUND | The session parameter (parameter type=read-only, session-choice or session-invariant) value does not match the learned value in the parameter profile, indicating possible tampering with the session parameter value. | Alert | Forceful Browsing |
| 135 | Session Invariant Parameter Tampered | SESSION_INVARIANT_PARAM_TAMPERED | The session-invariant parameter did not match the value learned by the Barracuda Web Application Firewall based on the form sent to the browser for this session. | Alert | Session Tamper Attacks |
| 157 | SQL Injection in Parameter | SQL_INJECTION_IN_PARAM | The parameter matched an SQL injection pattern in the Parameter Class associated with the Parameter profile on the WEBSITES > Website Profiles page. | Alert | SQL Attacks |


Advanced Policy Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 341 | Barracuda Blocklist Policy Matched | grip-validation-failed | Incoming request is from IP addresses that have been identified as potential originators of spam, malware and bots by Barracuda Networks' threat intelligence engine. | Alert | Forceful Browsing |
| 146 | Brute force from All Sources | BRUTE_FORCE_FROM_ALL_SOURCES | Requests from all sources are blocked when Max Allowed Accesses From All Sources is exceeded in the Count Window under Edit Bruteforce Prevention on the WEBSITES > Advanced Security page. | Alert | DDOS Attacks |
| 145 | Brute force from IP | BRUTE_FORCE_FROM_IP | Requests from a particular IP address are blocked when Max Allowed Accesses Per IP is exceeded in the Count Window under Edit Bruteforce Prevention on the WEBSITES > Advanced Security page. | Alert | DDOS Attacks |
| 299 | Unanswered CAPTCHA Limit Exceeded | DDOS_CAPTCHA_MAX_UNANSWERED_EXCEEDED | The number of client attempts to fetch the CAPTCHA image exceeded Max Unanswered CAPTCHA on the WEBSITES > DDoS Prevention page. | Alert | DDOS Attacks |
| 297 | CAPTCHA Attempt Limit Exceeded | DDOS_CAPTCHA_TRIES_EXCEEDED | The number of client attempts to solve a CAPTCHA challenge exceeded Max CAPTCHA Attempts on the WEBSITES > DDoS Prevention page. | Alert | DDOS Attacks |
| 298 | CAPTCHA Session Limit Exceeded | DDOS_CAPTCHA_MAX_NODES_EXCEEDED | The client request IP address has exceeded the CAPTCHA session limit. For a CAPTCHA enabled service, the client must answer a CAPTCHA challenge before accessing the service. Each CAPTCHA challenge sent to the client is maintained in a session table for that client (based on the IP address). The CAPTCHA Session Limit for an IP address is 512 (hard coded limit). If the client attempts to append more than 512 sessions (concurrent CAPTCHA answered sessions), the request is denied with an error "CAPTCHA-Max-Sessions-Exceeded". If multiple clients access the CAPTCHA protected service from the same network, or if there is a device doing Source NAT in front of the Barracuda Web Application Firewall and more than 512 clients accessing the service, the 513th client may see the “CAPTCHA Session Limit Exceeded” error. Client access could be granted when an existing session expires (by idle time). | Alert | DDOS Attacks |
| 342 | GeoIP Policy Matched | GEO_IP_BLOCKED | Incoming request has an IP Address from a country that does not have permissions to access the resource. | Alert | Forceful Browsing |
| 12 | Invalid URL Character Set | INVALID_URL_CHARSET | Request contained invalid character for configured character set. The relevant character set is determined using several configuration elements like Default Character Set, Detect Response Charset and Response Charset. | Warning | Injection Attacks |
| 75 | Rate Control Intrusion | RATE_CONTROL_INTRUSION | The rate of requests exceeds Maximum Active Requests and Maximum Per Client Backlog of the rate control pool associated with the Service. | Alert | DDOS Attacks |
| 293 | Secure Browsing | SECURE_BROWSING | Unable to validate session key in a request matching the URL specified in Secure Browsing policies. | Alert | Forceful Browsing |
| 295 | Slowloris Attack | SLOWLORIS_ATTACK | Slowloris attack detected. Request exceeded Max Request Timeout and Incremental Request Timeout for the Service under Slow Client Prevention on the WEBSITES > DDoS Prevention page. | Alert | DDOS Attacks |
| 302 | Slow Read Attack | SLOW_READ_ATTACK | Slow Read Attack detected. Response exceeded Max Response Timeout and Incremental Response Timeout for the Service under Slow Client Prevention on the WEBSITES > DDoS Prevention page. | Alert | DDOS Attacks |
| 343 | Tor Node Policy Matched | TOR-IP-BLOCKED | IP address for the incoming request matched the IP address of a Tor exit node. | Alert | Forceful Browsing |
| 301 | URL Encryption | URL_ENCRYPTION | Request violated the URL encryption policy configured in the WEBSITES > URL Encryption page. | Alert | Forceful Browsing |
| 204 | Virus Found | VIRUS_IN_POST_REQUEST | Virus detected in uploaded file. All files uploaded through multipart/form-data messages are scanned for viruses. Requests containing virus signatures are denied when Enable Virus Scan is set to Yes under Advanced Security on the WEBSITES > Advanced Security page. | Alert | File Attacks |
| 338 | Web Scraping Bots | WS_BOTS | Request violated the web scraping policy configured in the WEBSITES > Web Scraping page. | Alert | Forceful Browsing |
| 339 | Web Scraping Fake Bots | WS_FAKE_BOTS | Request violated the web scraping policy configured in the WEBSITES > Web Scraping page. | Alert | Forceful Browsing |


XML Firewall DoS Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 185 | DTD Found | XDOS_DTD | An XML service rejected a SOAP message containing Document Type Definition (DTD), which is NOT allowed by the SOAP standard. Block DTDs is set to Yes on the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 187 | External URI Reference Found | XDOS_EXT_ENTITY | Request contains external entities including external URI references or external DTDs. Block External Entities is set to Yes on the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 188 | Malformed XML | XDOS_MALFORMED | An XML parser detected a malformed XML document. A malformed XML document contains illegal characters, mismatched element tags (a starting tag with no matching ending tag) or trailing content after the document element. | Alert | XML Violations |
| 178 | Max Attribute Name Length Exceeded | XDOS_MAX_ATTRIBUTE_NAME_LENGTH | The XML document exceeds the maximum attribute name length limit specified in the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 179 | Max Attribute Value Length Exceeded | XDOS_MAX_ATTRIBUTE_VALUE_LENGTH | The XML document exceeds the maximum attribute value length limit specified in the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 182 | Max Document Size Exceeded | XDOS_MAX_FILE_SIZE | The XML document exceeds the maximum document size limit specified in the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 177 | Max Element Attributes Exceeded | XDOS_MAX_ATTRIBUTES | The XML document exceeds the maximum allowable attributes of an element specified in the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 184 | Max Element Children Exceeded | XDOS_MAX_ELEMENT_CHILDREN | The XML document exceeds the maximum allowable children per node in a tree specified in the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 175 | Max Element Name Length Exceeded | XDOS_MAX_ELEMENT_NAME_LENGTH | The XML document exceeds the maximum allowable length for the name of an element specified in the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 176 | Max Elements in Tree Exceeded | XDOS_MAX_ELEMENTS | The XML document exceeds the maximum allowable number of nodes/elements in a tree specified in the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 181 | Max Text Size Exceeded | XDOS_CDATA_LENGTH | The XML document exceeds the maximum allowable size of the XML document. | Alert | XML Violations |
| 174 | Max Tree Depth Exceeded | XDOS_MAX_ELEMENT_DEPTH | The XML document exceeds the maximum allowable nesting depths of nodes specified in the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 183 | Min Document Size Limit | XDOS_MIN_FILE_SIZE | The XML document exceeds the minimum allowable size of the XML document specified in the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |
| 186 | Processing Instructions Found | XDOS_PI | Request contains Processing Instructions (PIs). A PI is a text data section ignored by the XML parser and passed on as instructions to applications. Block Processing Instructions is set to Yes on the WEBSITES > XML Protection > XML Validation Settings section. | Alert | XML Violations |


XML Firewall WSI Assertions

XML Firewall WSI Assertions
| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 211 | DOCTYPE Element | XML_WSI1007 | The SOAP message contains a DOCTYPE element in the request. WSI1007: Message Should Not Include SOAP:Header or SOAP:Body elements as Defined in the included DTD is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 228 | Message Contains a WS-I Conformance Claim with a “SOAP:MustUnderstand” Attribute | XML_WSI1111 | The SOAP message contains a WS-I conformance claim with a “soap:mustUnderstand” attribute. WSI1111: WS-I Conformance Claims Should Not Contain the SOAP:MustUnderstand Attribute is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 227 | WS-I Conformance Claim Does Not Adhere to the WS-I Conformance Claim Schema | XML_WSI1110 | The SOAP message contains a WS-I conformance claim which fails to adhere to the WS-I conformance claim schema. WSI1110: WS-I Conformance Claims Should Adhere to the WS-I Conformance Claim Schema is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 226 | Message Contains a WS-I Conformance Claim Which is Not a Child of the “SOAP:Header” Element | XML_WSI1109 | The SOAP message contains a WS-I conformance claim which is not a child of the "SOAP:Header" element. WSI1109: WS-I Conformance Claim Should be a Child of the SOAP:Header Element is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 219 | Attributes in SOAP Envelope Header Body | XML_WSI1032 | Message contains attributes in the envelope, header and body portion of the data. WSI1032: SOAP:Envelope, SOAP:Header and SOAP:Body Elements Should Not Have Attributes in Namespace is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 240 | EncodingStyle in Envelope Namespace Elements | XML_WSI1307 | Message contains "soap:encodingStyle" attributes on any elements whose namespace is http://schemas.xmlsoap.org/soap/envelope/. WSI1307: SOAP:Envelope Namespace Elements Should Not Have the SOAP:EncodingStyle Attribute is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 244 | EncodingStyle Attribute Found in Grandchild of SOAP Body | XML_WSI1318 | The message in an rpc-literal binding contains "soap:encodingStyle" attribute on an element that is a grandchild of "soap:body". WSI1318: Grandchildren of SOAP:Body Should Not Have the SOAP:EncodingStyle Attribute is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 220 | Envelope Namespace is 1998 | XML_WSI1033 | The message with an envelope contains the namespace declaration xmlns:xml=http://www.w3.org/XML/1998/namespace. WSI1033: SOAP:Envelope Namespace Should Not be 1998 is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 245 | SOAP:Envelope or SOAP:Body Does Not Conform to XML 1.0 | XML_WSI1601 | The message with "soap:envelope" or "soap:body" does not conform to XML 1.0. WSI1601: SOAP:Envelope and SOAP:Body Should Conform to XML 1.0 is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 246 | Envelope Does Not Conform to SOAP Schema | XML_WSI1701 | The message whose "soap:envelope" does not conform to the SOAP schema. WSI1701: SOAP:Envelope Should Conform to the SOAP Schema is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 242 | SOAP:Envelope Has a Direct Child After the "SOAP:Body" Element | XML_WSI1309 | The message contains element children of "soap:Envelope" following the "soap:Body" element. WSI1309: SOAP:Envelope Should Not Have Direct Children After the SOAP:Body Element is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 225 | Message Contains Undefined “SOAPBind:Fault” Element(s) | XML_WSI1107 | A fault detected in the message which is not defined in wsdl:binding. A wsdl:binding should contain a "soapbind:fault" describing each known fault. WSI1107: Fault Response Should be Defined in WSDL:Binding is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 218 | SOAP 1.1 Dot Notation is Used By the “SOAP:Fault” Element | XML_WSI1031 | The message contains a faultcode element with dot (.) notation. WSI1031: SOAP:Fault Element Should Not Use SOAP 1.1 Dot Notation is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 221 | Good Response is Not Using HTTP 200 OK | XML_WSI1100 | The SOAP message does not contain soap:Fault and does not use 200 OK HTTP Status code for responses. WSI1100: Good Response Uses HTTP 200 OK Status is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 206 | Message is Not Sent Using HTTP1.0 or HTTP1.1 | XML_WSI1002 | Message not sent using HTTP version 1.0 or 1.1. WSI1002: Message Should be Sent using HTTP 1.1 or HTTP 1.0 is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 205 | Message is Not Sent Using HTTP1.1 | XML_WSI1001 | Message not sent using HTTP version 1.1. WSI1001: Message Should be Sent Using HTTP 1.1 is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 207 | Message is Not UTF8 or UTF16 | XML_WSI1003 | The XML schema in the request is not using UTF-8 or UTF16 encoding. WSI1003: Message is UTF-8 or UTF-16 is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 230 | SOAP:Envelope Does Not Have v1.1 Namespace | XML_WSI1201 | Message contains a soap:Envelope with a document element “Envelope”, but the namespace name is not http://schemas.xmlsoap.org/soap/envelope/. WSI1201: SOAP:Envelope Should Have v1.1 Namespace is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 213 | Message Does Not Include All Headers | XML_WSI1009 | Message does not contain all the "soapbind:headers" specified in the WSDL file. WSI1009: Message Should Include All Specified Headers is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 212 | Message Part Accessors Have No Namespace | XML_WSI1008 | Name space not defined in the incoming soap message. WSI1008: Message Part Accessor Elements in Parameters and Return Value Should Have Proper Namespace is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 236 | Attribute “MustUnderstand” is neither 1 nor 0 | XML_WSI1301 | Message with a "soap:mustUnderstand" value of neither 1 nor 0. WSI1301: Attribute "MustUnderstand" Value Should be Either "1" or "0" is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 216 | SOAP:Fault Not Generated for Bad Envelope Namespace | XML_WSI1012 | A soap:Fault not generated for a document element named "Envelope" where the namespace name is not "http://schemas.xmlsoap.org/soap/envelope/". WSI1012: SOAP:Fault Should be Generated for Bad Envelope Namespace is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 223 | Non POST Request Does Not Contain 405 HTTP Status Code | XML_WSI1103 | A SOAP message sent as part of a non-POST method request received an HTTP response with status code other than 405. WSI1103: Response to a Non POST Request Should Contain 405 HTTP Status Code is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 224 | Non XML Request Does Not Contain 415 HTTP Status Code | XML_WSI1104 | A SOAP message sent as part of non-XML request received an HTTP response with status code other than 415. WSI1104: Response to Non XML Request Should Contain 415 HTTP Status Code is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 214 | One-Way Response Contains a SOAP:Envelope | XML_WSI1010 | An HTTP one-way response contains a SOAP envelope (that is, HTTP entity-body is not empty). WSI1010: One-Way Response Should Not Contain a SOAP:Envelope is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 235 | Part Accessors Have “xsi: nil” Attribute | XML_WSI1211 | Message with rpc-literal binding contains xsi:nil attribute with value of “1” or ‘true’ on the part accessors. WSI1211: Part Accessors Should Not Have "xsi: nil" Attribute with Value "1" or "True" is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 222 | Processed Response Status is Neither 200 nor 202 | XML_WSI1101 | Response message without embedded SOAP message. WSI1101: Processed Response Should Use Either 200 or 202 HTTP Status Code is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 215 | Request Does Not Match the WSDL:Definition | XML_WSI1011 | Content of request message does not conform to the WSDL file definition. WSI1011: Request Content Should Match WSDL:Definition is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 208 | Request Message is Not an HTTP POST Message | XML_WSI1004 | Message not sent using the HTTP POST method. WSI1004: Request Message Should be an HTTP POST Message is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 209 | Response Wrapper Does Not Match the Name Attribute on WSDL:Operation | XML_WSI1005 | Wrapper element in the response message does not match the name attribute on the wsdl:operation element concatenated by the string "Response". A response with a wrapper not named after the wsdl:operation name. WSI1005: Response Wrapper Should Match the Name Attribute on WSDL:Operation is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 217 | Response Does Not Match the WSDL:Definition | XML_WSI1013 | The content of the response message does not conform to the WSDL file definition. WSI1013: Response Content Should Match WSDL:Definition is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 231 | Children Elements in SOAP:Body are Not Namespace Qualified | XML_WSI1202 | Message with a child element of the soap:Body element is not namespace qualified. WSI1202: Children Elements in SOAP:Body Should be Namespace Qualified is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 241 | Children Elements in SOAP:Body Have “SOAP:EncodingStyle” Attribute | XML_WSI1308 | Message with a child element of the soap:Body element has a soap:encodingStyle attribute. WSI1308: Children Elements of SOAP:Body Should Not Have the SOAP:EncodingStyle Attribute is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 243 | SOAP:Fault Children are Qualified | XML_WSI1316 | Message contains a "soap:Fault" element with a qualified child element. WSI1316: SOAP:Fault Children Should be Unqualified is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 239 | SOAP:Fault Children Elements are Not Namespace Qualified | XML_WSI1306 | SOAP message has one or more "soap:Fault" non standard children elements, i.e., the child element(s) is neither soap:faultcode, soap:faultstring, soap:faultactor nor soap:detail. WSI1306: SOAP:Fault Children Elements Should be Namespace Qualified is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 232 | SOAP:Fault Has Non-Foreign Namespace | XML_WSI1203 | The soap:Fault message contains detail element with qualified attributes, but with a non-foreign namespace. Non-foreign namespace means the namespace should be anything other than "http://schemas.xmlsoap.org/soap/envelope/". WSI1203: Namespace on the Detail Element in the SOAP:Fault Should be a Foreign Namespace is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 238 | SOAP:Fault Message Not Found in the HTTP 500 Response | XML_WSI1305 | The SOAP fault response message does not have "500 Internal Server Error" HTTP status code. WSI1305: SOAP:Fault Message Should Contain HTTP 500 Error Code is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 237 | SOAP:Faultcode is Not Standard or Namespace Qualified | XML_WSI1302 | Message contains a faultcode element which is neither a fault code defined in SOAP 1.1 nor a namespace qualified fault code. WSI1302: SOAP:Faultcode Should be Standard or Namespace Qualified is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 229 | SOAPAction Header Does Not Contain the Correct String Value | XML_WSI1116 | SOAP message whose SOAPAction HTTP header field does not match the WSDL soapAction attribute in soapbind:operation (either the same value or a blank quoted string if not present). WSI1116: SOAPAction Header Should Match the SOAPBind:Operation/@SOAPAction Attribute is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 210 | SOAPAction Header Does Not Contain Quoted String | XML_WSI1006 | The value of the "SOAPAction" HTTP header field in an HTTP request is not a quoted string. WSI1006: SOAPAction Header Should Contain Quoted String is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 233 | SOAP: Body Contains the “SOAPEnc:ArrayType” Attribute | XML_WSI1204 | Message contains a faultcode element which is neither a fault code defined in SOAP 1.1 nor a namespace qualified fault code. WSI1302: SOAP:Faultcode Should be Standard or Namespace Qualified is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |
| 234 | SOAP Message Contains XML Processing Instructions | XML_WSI1208 | SOAP message contains XML Processing instructions. WSI1208: SOAP Message Should Not Include XML Processing Instructions is set to Yes on the WEBSITES > XML Protection > WS-I Basic Profile Assertions section. | Alert | XML Violations |


XML Firewall SOAP Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 193 | Additional SOAP Headers rcvd | XML_VALIDATION_WSDL_SOAP_UNKNOWN_HEADERS | SOAP message contains additional headers not specified in the WSDL file. Allow Additional SOAP Headers is set to Yes on the WEBSITES > XML Protection > SOAP Validations section. | Alert | XML Violations |
| 192 | Invalid SOAP Body | XML_VALIDATION_WSDL_SOAP_HEADERS | SOAP message body does not conform to the schema defined in the WSDL file. Validate SOAP body from WSDL schema is set to Yes on the WEBSITES > XML Protection > SOAP Validations section. | Alert | XML Violations |
| 190 | Invalid SOAP Envelope | XML_VALIDATION_WSDL_SOAP_ENVELOPE | SOAP message with soap:envelope does not conform to the SOAP standard. Validate SOAP Envelope is set to Yes on the WEBSITES > XML Protection > SOAP Validations section. | Alert | XML Violations |
| 191 | Invalid SOAP Header | XML_VALIDATION_WSDL_SOAP_BODY | SOAP message contains a header that does not conform to the policies defined in the WSDL file. Validate SOAP headers defined in WSDL is set to Yes on the WEBSITES > XML Protection > SOAP Validations section. | Alert | XML Violations |


JSON Policy Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 309 | Max Array Values Exceeded | JSON_MAX_ARRAY_VALUES | A JSON request exceeded the maximum allowable number of elements in an array specified in Max Array Elements on the WEBSITES > JSON Security page. | Alert | JSON Violations |
| 305 | Max Key Length Exceeded | JSON_MAX_KEY_LENGTH | A JSON request exceeded the maximum allowable length for JSON keys specified in Max Key Length on the WEBSITES > JSON Security page. | Alert | JSON Violations |
| 310 | Max Number Value Exceeded | JSON_MAX_NUMBER_VALUE | A JSON request exceeded the maximum allowable value for JSON Number datatype specified in Max Number Value on the WEBSITES > JSON Security page. | Alert | JSON Violations |
| 307 | Max Object Child Exceeded | JSON_MAX_OBJECT_CHILD | A JSON request exceeded the maximum allowable number of elements in a single JSON object specified in Max Child on the WEBSITES > JSON Security page. | Alert | JSON Violations |
| 306 | Max Object Keys Exceeded | JSON_MAX_OBJECT_KEYS | A JSON request exceeded the maximum allowable keys specified in Max Keys on the WEBSITES > JSON Security page. | Alert | JSON Violations |
| 308 | Max Value Length Exceeded | JSON_MAX_VALUE_LENGTH | A JSON request exceeded the maximum allowable length for JSON string value specified in Max Value Length on the WEBSITES > JSON Security page. | Alert | JSON Violations |
| 304 | Object Depth Exceeded | JSON_MAX_OBJECT_DEPTH | A JSON request exceeded the maximum allowable depth for nested JSON structure specified in Max Tree Depth on the WEBSITES > JSON Security page. | Alert | JSON Violations |


JSON Profile Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 313 | Malformed JSON | JSON_MALFORMED | A request not conforming to the JSON RFC specifications was detected. | Alert | JSON Violations |
| 336 | Apache Struts Attack in JSON Data | APACHE_STRUTS_ATTACKS_IN_JSON_PARAM | The key/value in JSON data matched an Apache Struts attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | JSON Violations |
| 315 | Cross-Site Scripting in JSON Data | XSS_INJECTION_IN_JSON_PARAM | The key/value in JSON data matched a Cross-Site Scripting pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | JSON Violations |
| 319 | Custom Attack Pattern in JSON Data | CUSTOM_ATTACK_PATTERN_IN_JSON_PARAM | The key/value in JSON data matched a custom attack pattern defined under Attack Types on the ADVANCED > Libraries page. | Alert | JSON Violations |
| 317 | Directory Traversal Attack in JSON Data | DIRECTORY_TRAVERSAL_IN_JSON_PARAM | The key/value in JSON data matched a Directory Traversal pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | JSON Violations |
| 335 | HTTP Specific Attack in JSON Data | HTTP_SPECIFIC_ATTACKS_IN_JSON_PARAM | The key/value in JSON data matched an HTTP specific attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | JSON Violations |
| 333 | LDAP Injection in JSON Data | LDAP_INJECTION_IN_JSON_PARAM | The key/value in JSON data matched an LDAP Injection attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | JSON Violations |
| 316 | OS Command Injection in JSON Data | OS_CMD_INJECTION_IN_JSON_PARAM | The key/value in JSON data matched an OS Command Injection pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | JSON Violations |
| 334 | Python PHP Attack in JSON Data | PYTHON_PHP_ATTACKS_IN_JSON_PARAM | The key/value in JSON data matched a Python PHP attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | JSON Violations |
| 318 | Remote File Inclusion in JSON Data | RFI_VIOLATION_IN_JSON_PARAM | The key/value in JSON data matched a Remote File Inclusion pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | JSON Violations |
| 314 | SQL Injection in JSON Data | SQL_INJECTION_IN_JSON_PARAM | The key/value in JSON data matched an SQL Injection pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | JSON Violations |
| 340 | JSON Key Validation Failed | json-key-validation-failed | The Request does not match with the JSON Key Profile configured on the WEBSITES > JSON Security page. OR The request failed to match the configured JSON Key profile on the WEBSITES > JSON Security page. | Alert | JSON Violations |


Client Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 346 | Brute force from Fingerprint | BRUTE_FORCE_FROM_FINGERPRINT | Identifies Brute Force attacks based on the Client Fingerprint. The Client Fingerprint identifies a specific client down to the browser level, and is useful to identify an individual client from behind an IP. This ensures that an entire NAT’ed IP is not blocked, and only a specific attacking client is blocked. | Alert | advanced-policy-violations |
| 401 | Referer Spam | REFERER_SPAM | Identifies bots based on the Referrer header using the SPAM URL list in the Referrer Spam settings. This ensures that your analytics are not skewed by such bots visiting your sites. | Alert | Bot-mitigation-violations |
| 402 | Comment Spam | Comment_SPAM | Blocks spam comments on your web application based on the list of terms in the Spam URL list. | Alert | Bot-mitigation-violations |
| 403 | Blocklisted Category | BLOCKLISTED_CATEGORY | Provides the list of blocklisted clients that should be blocked by Barracuda WAF. | Alert | Bot-mitigation-violations |
| 404 | Credential Stuffing Detected | CREDENTIAL_STUFFING_DETECTED | When configured, this validates incoming username/password pairs against the cloud-based Credential Stuffing detection database. If the credentials are already in the database, this attack ID is generated. | Alert | Bot-mitigation-violations |
| 405 | Credential Spraying Detected | CREDENTIAL_SPRAYING_DETECTED | When configured, WAF checks the incoming usernames and passwords independently on the databases. | Alert | Bot-mitigation-violations |
| 421 | Fingerprint Challenges Exceeded | FINGERPRINT_CHALLENGES_EXCEEDED | The client did not allow itself to be fingerprinted even after multiple attempts from the WAF. | Alert | Bot-mitigation-violations |
| 422 | Missing Referer Header | MISSING_REFERER_HEADER | This attack is generated when the "Referer" header is not present in the request. | Alert | Protocol Violations |
| 423 | Missing Referer Domain | MISSING_REFERER_DOMAIN | This attack is generated when the "Referer" header is present but there is no domain specified in the "Referer" field. | Alert | Protocol Violations |
| 424 | Referer Domain Not Matching Host | REFERER_DOMAIN_NOT_MATCHING_HOST | This attack is generated when the "Referer" domain does not match the "Host" header present in the request. | Alert | Protocol Violations |
| 425 | Missing UserAgent Header | MISSING_USERAGENT_HEADER | This attack is generated when the "User-Agent" header is not present in the request. | Alert | Protocol Violations |
| 426 | Fingerprint Risk Level Bad Client | FINGERPRINT_RISK_LEVEL_BAD_CLIENT | The client is marked as bad because its risk score is higher than the value configured for Risk Score Level for Bad Clients on the SECURITY POLICIES > Client Profile page. | Alert | Client-violations |
| 427 | Fingerprint Risk Level Suspected Client | FINGERPRINT_RISK_LEVEL_SUSPECTED_CLIENT | The client is marked as suspected because its risk score is higher than the value configured for Risk Score Level for Suspected Clients on the SECURITY POLICIES > Client Profile page. | Alert | Client-violations |
| 428 | Tarpit client | TARPIT_CLIENT | When configured, the clients are put into Tarpit. Clients whose risk scores have crossed the suspicious value for the time specified in Tarpit Inactivity Timeout are put into Tarpit. | Alert | Client-violations |
| 429 | Form Spam | FORM_SPAM | When configured, WAF provides protection against fake/automated form submissions. WAF looks into the real-time traffic passing through it and learns all the static Forms and their parameters. | Alert | Bot-mitigation-violations |
| 460 | ATO Deviation Low Detected | ATO_DEVIATION_LOW_DETECTED | When allowed deviation is configured as LOW, various parameters are evaluated to generate a risk score for a client. If risk score exceeds the low deviation (40), this attack is generated. If slack/email and Webhook are configured, a notification is sent to the WAF administrator over slack/email and by HTTP-POST to the Webhook URL. | Alert | Client-violations |
| 461 | ATO Deviation Medium Detected | ATO_DEVIATION_MEDIUM_DETECTED | When allowed deviation is configured as MEDIUM, various parameters are evaluated to generate a risk score for a client. If risk score exceeds the low deviation (60), this attack is generated. If slack/email and Webhook are configured, a notification is sent to the WAF administrator over slack/email and by HTTP-POST to the Webhook URL. | Alert | Client-violations |
| 462 | ATO Deviation High Detected | ATO_DEVIATION_HIGH_DETECTED | When allowed deviation is configured as HIGH, various parameters are evaluated to generate a risk score for a client. If risk score exceeds the low deviation (80), this attack is generated. If slack/email and Webhook are configured, a notification is sent to the WAF administrator over slack/email and by HTTP-POST to the Webhook URL. | Alert | Client-violations |


Below is the list of attacks that are logged in the BASIC > Web Firewall Logs page, but are not part of the action policy list:

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 1 | Deny ACL matched | DENY_ACL_MATCHED | The URL in the request matched the Deny ACL rule configured in the WEBSITES > Allow/Deny > URL: Allow/Deny Rules section, or in the SECURITY POLICIES > Global ACLs page. | Alert | Forceful Browsing |
| 303 | Session timed out | SESSION_TIMEOUT_EXCEEDED | The request exceeded the idle time specified for a session in Session Timeout on the BASIC > Services page. | Alert | DDOS Attacks |
| 56 | Redirect ACL matched | REDIRECT_ACL_MATCHED | The URL in the request matched the redirect ACL rule configured in the WEBSITES > Allow/Deny > URL: Allow/Deny Rules section, or in the SECURITY POLICIES > Global ACLs page. | Information | Other Attacks |
| 78 | Access Control cookie expired | ACCESS_CONTROL_COOKIE_EXPIRED | The session cookie for the authenticated user exceeded the idle time specified in Idle Timeout under Authentication on the ACCESS CONTROL > Authentication Policies page. | Warning | Auth Attacks |
| 79 | Access Control cookie invalid | ACCESS_CONTROL_COOKIE_INVALID | The session cookie sent by the client is invalid. | Warning | Auth Attacks |
| 80 | Access Control access denied | ACCESS_CONTROL_ACCESS_DENIED | The authenticated user is denied access to the requested resource as the user is not configured in Allowed Users or Allowed Groups under Authorization on the ACCESS CONTROL > Authorization Policies page. | Warning | Auth Attacks |
| 81 | Access Control no cookie found | ACCESS_CONTROL_NO_COOKIE | Session cookie not found in the request to access the restricted resource. The user is not authenticated to access the requested resource. | Warning | Auth Attacks |
| 113 | Blocked by FTP command-blocking policy | FTP_COMMAND_BLOCKED | The FTP command in the request does not match the commands configured in FTP Allowed Verbs on the WEBSITES > FTP Security page. | Alert | Other Attacks |
| 292 | Virus Scan | VIRUS_SCAN | The scan of the uploaded file detected no virus. All files uploaded through multipart/form-data messages are scanned for viruses. Requests containing virus signatures are denied when Enable Virus Scan is set to Yes under Advanced Security on the WEBSITES > Advanced Security page. | Notice | FILE Attacks |

GraphQL Violations

| Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
| 439 | GraphQL Batch Queries Not Allowed | GRAPHQL_BATCH_QUERY_NOT_ALLOWED | GraphQL request payload contained a batch query, which is not allowed as per the configuration in the GraphQL Profile matching this request. | Alert | GraphQL Violations |
| 440 | GraphQL Introspection Query Not Allowed | GRAPHQL_INTROSPECTION_QUERY_NOT_ALLOWED | GraphQL request payload contained a meta field (Introspection Query), which is not allowed as per the configuration in the GraphQL Profile matching this request. | Alert | GraphQL Violations |
| 441 | GraphQL Query Depth Exceeded | GRAPHQL_QUERY_DEPTH_EXCEEDED | GraphQL request payload contained a query that exceeds the maximum allowed depth configured in the GraphQL Profile matching this request. | Alert | GraphQL Violations |
| 442 | GraphQL Query Batch Size Exceeded | GRAPHQL_BATCH_QUERY_SIZE_EXCEEDED | GraphQL request payload contained a batch query that exceeds the maximum batch size configured in the GraphQL Profile matching this request. | Alert | GraphQL Violations |
| 443 | GraphQL Request Payload Length Exceeded | GRAPHQL_REQ_PAYLOAD_LENGTH_EXCEEDED | GraphQL request payload length exceeded the maximum allowed length configured in the GraphQL Profile matching this request. | Alert | GraphQL Violations |
| 444 | GraphQL Query Value Length Exceeded | GRAPHQL_QUERY_VALUE_LENGTH_EXCEEDED | GraphQL request payload contained a query whose value length exceeded the maximum allowed Query value length configured in the GraphQL Profile matching this request. | Alert | GraphQL Violations |
| 445 | GraphQL Response Length Exceeded | GRAPHQL_RESPONSE_LENGTH_EXCEEDED | GraphQL response exceeded the maximum allowed response length configured in the GraphQL Profile matching this request. | Alert | GraphQL Violations |
| 446 | GraphQL Malformed JSON Payload | GRAPHQL_MALFORMED_JSON_PAYLOAD | GraphQL request JSON payload does not conform to the JSON RFC specifications. | Alert | GraphQL Violations |
| 447 | GraphQL Malformed GraphQL Query | GRAPHQL_MALFORMED_GRAPHQL_QUERY | GraphQL request payload contains a malformed GraphQL query. | Alert | GraphQL Violations |
| 448 | GraphQL Invalid Request Payload | GRAPHQL_INVALID_GRAPHQL_REQ_PAYLOAD | GraphQL request payload contains a GraphQL query which is invalid as per the GraphQL specifications. | Alert | GraphQL Violations |
| 449 | GraphQL Malformed Request | GRAPHQL_MALFORMED_GRAPHQL_REQUEST | GraphQL request payload does not conform to the GraphQL specifications. | Alert | GraphQL Violations |
| 450 | SQL Injection in GraphQL Payload | SQL_INJECTION_IN_GRAPHQL | GraphQL request payload contained a value which matched an SQL injection pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | GraphQL Violations |
| 451 | Cross-Site Scripting in GraphQL Payload | XSS_INJECTION_IN_GRAPHQL | GraphQL request payload contained a value which matched an XSS injection pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | GraphQL Violations |
| 452 | OS Command Injection in GraphQL Payload | OS_CMD_INJECTION_IN_GRAPHQL | GraphQL request payload contained a value which matched an OS Command injection pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | GraphQL Violations |
| 453 | Directory Traversal in GraphQL Payload | DIRECTORY_TRAVERSAL_IN_GRAPHQL | GraphQL request payload contained a value which matched a Directory Traversal pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | GraphQL Violations |
| 454 | Remote File Inclusion in GraphQL Payload | RFI_VIOLATION_IN_GRAPHQL | GraphQL request payload contained a value which matched a Remote File Inclusion pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | GraphQL Violations |
| 455 | LDAP Injection in GraphQL Payload | LDAP_INJECTION_IN_GRAPHQL | GraphQL request payload contained a value which matched an LDAP injection attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | GraphQL Violations |
| 456 | Python PHP Attack in GraphQL Payload | PYTHON_PHP_ATTACKS_IN_GRAPHQL | GraphQL request payload contained a value which matched a Python PHP attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | GraphQL Violations |
| 457 | HTTP Specific Attacks in GraphQL Payload | HTTP_SPECIFIC_ATTACKS_IN_GRAPHQL | GraphQL request payload contained a value which matched an HTTP Specific attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | GraphQL Violations |
| 458 | Apache Struts Attacks in GraphQL Payload | APACHE_STRUTS_ATTACKS_IN_GRAPHQL | GraphQL request payload contained a value which matched an Apache Struts attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | Alert | GraphQL Violations |
| 459 | Custom Attack Pattern in GraphQL Payload | CUSTOM_ATTACK_PATTERN_IN_GRAPHQL | GraphQL request payload contained a value which matched a Custom attack pattern defined under Attack Types on the ADVANCED > Libraries page. | Alert | GraphQL Violations |