If a traditional application sends an “application/x-www-form-urlencoded” POST request with the following URL query parameters:
The same application in JSON could form the “application/json” POST request with JSON objects in the request body as shown below:
The JSON key, value pairs in the request body require the same level of input validation as the URL query parameters.
When a service is created, a default JSON profile is automatically created by the system for that service on the WEBSITES > JSON Security page. By default, this JSON profile applies to the whole URL space of the service, however you can create multiple JSON profiles for different URL spaces within the service.
If a request contains Content-Type as “application/json”, the Barracuda Web Application Firewall validates the request against the JSON profile(s) associated with the service and enforces the configured policy. The Barracuda Web Application Firewall enforces a JSON policy based on the following settings:
The URL that is compared to the URL in the request. The URL should start with a "/" and can have at most one "*" anywhere in the URL. For example, /netbanking.html; any request matching this URL is required to authenticate before accessing this page. A value of “/*” means that the access control rule (ACL) applies to all URLs in that domain.
The host name that is compared to the host in the request. This can be either a specific host match or a wildcard host match with a single "*" anywhere in the host name. For example, *.example.com; any request matching this host is required to authenticate before accessing this page.
The service Mode takes precedence over the JSON profile Mode. When the JSON profile Mode is set to Active, any request that violates the JSON profile settings is blocked only if the Mode of the service on the BASIC > Services page is also set to Active. If the Mode of the service is Passive, a request that violates the JSON profile settings is allowed to pass through even when the JSON profile Mode is Active, and the request errors are logged on the BASIC > Web Firewall Logs page.
Set this to Yes to enforce validation on keys in the JSON request.
Select the policy used to validate the requests matching this JSON profile. You can create a new policy and associate it with the JSON profile, or fine-tune the default policy by clicking Edit next to it under JSON Policies on the WEBSITES > JSON Security page. See Configuring a JSON Policy.
Add the keys that need to be exempted from JSON security checks. This is an exact match; wildcards are not supported, that is, a "*" in a value is matched literally rather than as a wildcard.
Enter the methods to be matched in the request for JSON data inspection. The methods that can be configured are: GET, POST, PUT, HEAD, OPTIONS, DELETE, TRACE, and ALL. Note: If set to "ALL", JSON data inspection is done on all requests with "application/json" as the content type.
Blocked Attack Types/Custom Blocked Attack Types
Attack types are malicious patterns that can be checked for in a JSON request. Select the attack types that need to be matched in the JSON request.
Specify patterns that need to be exempted from JSON security checks.
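The following Python model is an added example, not Barracuda code, that ties together two points above: that form-encoded parameters and JSON body keys/values need the same validation, and how a JSON profile's settings (service and profile Mode precedence, Methods including "ALL", exact-match Exempted Keys, Blocked Attack Types and exception patterns) combine to decide whether a request is blocked or merely logged. The attack-type regexes, the profile values and the request bodies are constructed for illustration and are not the WAF's real signatures. It assumes that "Validate Keys" means key names are scanned against the same attack patterns as values, that an exempted key is matched against the nearest enclosing object key, and that a body that is not valid JSON counts as a violation; none of those three details is stated on the page.

```python
import json
import re
from urllib.parse import parse_qsl

# Constructed, illustrative attack-type patterns standing in for the WAF's
# "Blocked Attack Types" signatures (which are not on the page).
ATTACK_TYPES = {
    "sql-injection": re.compile(r"(?i)('\s*or\s+1\s*=\s*1|union\s+select|;\s*drop\s+table)"),
    "cross-site-scripting": re.compile(r"(?i)(<script\b|javascript:|on\w+\s*=)"),
}

# Hypothetical JSON profile mirroring the settings described above.
JSON_PROFILE = {
    "mode": "Active",                       # profile Mode: Active or Passive
    "methods": ["POST", "PUT"],             # or ["ALL"]
    "validate_keys": True,                  # assumption: key names are scanned too
    "exempted_keys": ["free_text"],         # exact match, "*" is not a wildcard
    "blocked_attack_types": ["sql-injection", "cross-site-scripting"],
    "exception_patterns": [re.compile(r"^onclick=handler$")],  # constructed exception
}


def flatten(value, path="", key=""):
    """Yield (path, nearest_object_key, text) for every leaf of a JSON document."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from flatten(v, f"{path}.{k}" if path else k, k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from flatten(v, f"{path}[{i}]", key)
    else:
        yield path, key, "" if value is None else str(value)


def content_type(request):
    return request["headers"].get("Content-Type", "").split(";")[0].strip().lower()


def extract_pairs(request):
    """Normalise a form-encoded or JSON body to the same (path, key, text) triples,
    so both request styles run through identical validation."""
    ctype = content_type(request)
    if ctype == "application/x-www-form-urlencoded":
        return [(k, k, v) for k, v in parse_qsl(request["body"], keep_blank_values=True)]
    if ctype == "application/json":
        return list(flatten(json.loads(request["body"])))
    return []


def scan(profile, pairs):
    """Return [(location, attack_type)] for every key or value hitting a blocked attack type."""
    hits, seen_keys = [], set()

    def check(location, text):
        if any(p.search(text) for p in profile["exception_patterns"]):
            return  # value matches an exception pattern: skipped
        for name in profile["blocked_attack_types"]:
            if ATTACK_TYPES[name].search(text):
                hits.append((location, name))

    for path, key, text in pairs:
        if key in profile["exempted_keys"]:  # exact, case-sensitive match only
            continue
        if profile["validate_keys"] and key and key not in seen_keys:
            seen_keys.add(key)
            check(f"key:{key}", key)
        check(path, text)
    return hits


def method_matches(profile, method):
    allowed = {m.upper() for m in profile["methods"]}
    return "ALL" in allowed or method.upper() in allowed


def enforce(profile, service_mode, request, log):
    """Apply the JSON profile; returns 'allow' or 'block'. Violations are logged in both modes."""
    if content_type(request) != "application/json" or not method_matches(profile, request["method"]):
        return "allow"  # profile does not apply: no JSON inspection at all
    try:
        hits = scan(profile, extract_pairs(request))
    except json.JSONDecodeError:
        hits = [("body", "malformed-json")]  # assumption: unparseable body is a violation
    for location, name in hits:
        log.append(f"{name} at {location}")
    if hits and profile["mode"] == "Active" and service_mode == "Active":
        return "block"
    return "allow"  # Passive on either side: logged, then passed through
```

Note that the service Mode check sits outside the profile: the same violation list is produced either way, and only the final decision changes, which is exactly why a Passive service still fills the Web Firewall Logs while an Active one blocks.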
Steps to Configure JSON Security
To add a JSON security policy, perform the following steps:
- Go to the WEBSITES > JSON Security page, JSON Security section.
- Identify the service to which you want to add a JSON security policy, and click Add JSON Profile next to it.
- In the Add JSON Policy page, enter a name for the JSON profile, set the Status to On, specify values for other parameters as required and click Save.