How to set a security exception?


Incapsula offers several ways to add an exception to the WAF and security settings you have configured. Before configuring an exception, it is highly recommended to understand the context in which it should be added, because an exception only applies within the section it is created under.

 

  1. Log in to your my.incapsula.com account.

  2. On the sidebar, click Websites (default).

  3. Click a site name to access the site's dashboard.

  4. On the sidebar, click Settings.

 1. WAF:  

The various WAF exceptions can be found under the site's WAF tab, and include exceptions for Backdoor Protect, Remote File Inclusion, SQL Injection, Cross Site Scripting, Illegal Resource Access and DDoS:

Note that an exception affects only the section it was added under and does not affect other sections. For example, an exception under SQL Injection relates only to the values added under it and does not bypass other threats (such as Illegal Resource Access) that match the same request.

Exceptions in the WAF tab do not affect security settings that have been configured in the Security Access List.

  • Backdoor Protect: Backdoors are widely used by hackers for malicious purposes, such as sending spam and participating in DDoS attacks on other websites. Backdoor protect allows you to detect and quarantine Backdoors. In cases where an exception is required, it can be deployed based on: URL, Client app ID, IP, Country, User-Agent, HTTP Parameter.
  • Remote File Inclusion: Remote File Inclusion (RFI) is an attack that targets the computer servers that run Web sites and their applications. RFI exploits are most often attributed to the PHP programming language used by many large firms including Facebook and SugarCRM. However, RFI can manifest itself in other environments and works by exploiting applications that dynamically reference external scripts indicated by user input without proper sanitization. As a consequence, the application can be instructed to include a script hosted on a remote server and thus execute code controlled by an attacker. The executed scripts can be used for temporary data theft or manipulation, or for a long-term takeover of the vulnerable server. In cases where an exception is required, it can be deployed based on: URL, Client app ID, IP, Country, User-Agent, HTTP Parameter.

  • SQL Injection: SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can, therefore, embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application. In cases where an exception is required, it can be deployed based on URL, Client app ID, IP, Country, HTTP Parameter.

  • Cross Site Scripting: Cross-site scripting ('XSS' or 'CSS') is an attack that takes advantage of a Web site vulnerability in which the site displays content that includes un-sanitized user-provided data. For example, an attacker might place a hyperlink with an embedded malicious script into an online discussion forum. The purpose of the malicious script is to attack other forum users who happen to select the hyperlink. For example, it could copy user cookies and then send those cookies to the attacker. In cases where an exception is required, it can be deployed based on: URL, Client app ID, IP, Country, HTTP Parameter.
  • Illegal Resource Access: Detects attempts to access vulnerable or administrative pages, or to view or execute system files. This is commonly done using URL guessing, Directory Traversal, or Command Injection techniques. In cases where an exception is required, it can be deployed based on: URL, Client app ID, IP, Country, HTTP Parameter.

  • DDoS: A distributed Denial of Service (DDoS) attack is a simple variation of a Denial of Service attack in which the attacker initiates the assault from multiple machines to mount a more powerful, coordinated attack. In cases where an exception is required, it can be deployed based on URL, Client app ID, IP, Country.

    Define threat responses

    For each type of threat, you can define how the Incapsula WAF responds. By default, the WAF rules are set to the Block Request option. The only exception is the Cross Site Scripting rule, which is set to Alert Only.

      • Alert Only: A notification is sent to the Incapsula administrator/user (according to the Notification settings) and an alert appears in the Events page. The malicious traffic is not blocked.
      • Block Request (Default): Malicious requests are blocked. In addition, an alert and an event are generated.
      • Block User: Any user that has attacked your website will be blocked from sending subsequent requests for 10 minutes. In addition, an alert and an event are generated.
      • Block IP: Any IP that has attacked your website will be blocked from sending subsequent requests for 10 minutes. In addition, an alert and an event are generated.
      • Ignore: The event is not listed in the Events page and no action (such as blocking) is taken.

For more information: Web Protection - WAF Settings

 

2. Security Access List:  

The various access list exceptions can be found under the site's Security tab, and include exceptions for Bot Access Control, Block Countries, Block URLs, Block IPs, and a general IP based whitelist:

Note that an exception affects only the section it was added under and does not affect other sections. For example, an exception under Block URLs relates only to the values added under Block URLs and does not bypass values added in other sections, such as Block IPs, Block Countries, or Bot Access Control.

Exceptions in the Security tab will still be monitored by the WAF and will be blocked if necessary. 

  • Bot Access Control: This list allows the user to restrict clients (search bots, crawlers, etc.) from visiting the site. Some bot traffic is blocked by default by Incapsula, and the user can add further clients to that list. In cases where an exception is required, it can be deployed based on: IP, URL, Client app ID, Country, User-Agent.
  • Block Countries: This list allows the user to restrict traffic based on the geo-location of the visitor. In cases where an exception is required, it can be deployed based on: URL, IP, Country, Client app ID.
  • Block URLs: This list allows the user to restrict traffic to specific resources. In cases where an exception is required, it can be deployed based on: URL, IP, Country, Client app ID.
  • Block IPs: This list allows the user to restrict traffic from specific IP addresses. In cases where an exception is required, it can be deployed based on: URL, IP, Country, Client app ID.

Whitelist Specific IP Sources - located under the Security tab:

In most cases, it is best to whitelist within the specific context in which the block is made. However, there are cases where you want traffic from a specific source to bypass Incapsula's WAF and security settings entirely. In such cases, where the IPs are trusted and considered safe, add them to this list.

 

For more information: Web Protection - Security Settings

3. Exception fields and accepted values:

  1. Click the Add whitelist option under the relevant type of WAF protection, for example under the Remote File Inclusion option. The Add whitelist rule window is displayed.

  2. In the Add whitelist rule window, select the type of item to be added to the whitelist, such as URL, Client app ID, IP, Country, User Agent or HTTP parameter.

  3. In the field to the right, fill in the value to be whitelisted.

  4. Click the Add button.

  5. Multiple rules can be added to this window by following the steps above.

  6. Click the Confirm button.

 

The available fields vary between sections, but the accepted values are the same everywhere. Note that a single exception may combine one or more of the following fields:

 

  • IP - Single IP (1.2.3.4), Range  (1.2.3.4 - 1.3.3.4), Subnet (1.2.3.4/16).

  • URL - Exact URL (/admin); URL including all sub-folders (/example/*). It is recommended to keep wildcard exceptions and exact-path exceptions in separate rules.

  • Client app ID - Any of the client app IDs known to Incapsula (such as Qualys Scanner).

  • Country - Specific country or continent. 

  • User-Agent - Any of the known user agents, such as Chrome, Firefox, etc. Wildcard (*) can NOT be set here.

  • HTTP Parameter - Specific HTTP parameter (not a value). Wildcard (*) can NOT be set here.
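To make the two rules above concrete, here is an added example, written for this page and not Incapsula's own code, that models how a whitelist rule is matched against a request: it accepts the three IP forms (single, range, subnet), the exact and /* URL forms, rejects the wildcard in User-Agent and HTTP parameter, and keeps each exception scoped to the section it was added under, so an SQL Injection exception never bypasses Illegal Resource Access. The Request class, the per-section dictionary and the sample values are constructed for the example; the assumption that all fields in one rule must match together (AND) is the example's, not stated on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# WAF sections named on this page; an exception is scoped to exactly one of them.
WAF_SECTIONS = ("Backdoor Protect", "Remote File Inclusion", "SQL Injection",
                "Cross Site Scripting", "Illegal Resource Access", "DDoS")

# Fields in which the page says a wildcard (*) cannot be used.
NO_WILDCARD_FIELDS = ("user_agent", "http_parameter")


@dataclass
class Request:
    """Constructed request attributes an exception can be matched against (hypothetical)."""
    ip: str
    url: str
    country: str = ""
    client_app_id: str = ""
    user_agent: str = ""          # normalized family name, e.g. "Chrome"
    params: tuple = ()            # HTTP parameter names present in the request


def ip_matches(spec: str, ip: str) -> bool:
    """Single IP (1.2.3.4), range (1.2.3.4 - 1.3.3.4) or subnet (1.2.3.4/16)."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    if "/" in spec:
        # strict=False lets a host address like 1.2.3.4/16 stand for 1.2.0.0/16
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def url_matches(spec: str, url: str) -> bool:
    """Exact path (/admin) or a folder and everything below it (/example/*)."""
    if spec.endswith("/*"):
        folder = spec[:-2]              # "/example"
        return url == folder or url.startswith(folder + "/")
    return url == spec


def rule_is_valid(rule: Dict[str, str]) -> bool:
    """A rule is rejected when it puts a wildcard in a field that cannot take one."""
    return not any("*" in rule.get(f, "") for f in NO_WILDCARD_FIELDS)


def rule_matches(rule: Dict[str, str], req: Request) -> bool:
    """Assumption: every field present in a rule must match (AND); an invalid rule never matches."""
    if not rule_is_valid(rule):
        return False
    checks = {
        "ip": lambda v: ip_matches(v, req.ip),
        "url": lambda v: url_matches(v, req.url),
        "country": lambda v: v.lower() == req.country.lower(),
        "client_app_id": lambda v: v == req.client_app_id,
        "user_agent": lambda v: v.lower() == req.user_agent.lower(),
        "http_parameter": lambda v: v in req.params,
    }
    return all(checks[f](v) for f, v in rule.items())


def is_excepted(exceptions: Dict[str, List[Dict[str, str]]], section: str, req: Request) -> bool:
    """Only rules added under `section` are consulted: exceptions do not cross sections."""
    if section not in WAF_SECTIONS:
        raise ValueError(f"unknown WAF section: {section}")
    return any(rule_matches(r, req) for r in exceptions.get(section, []))


# Constructed sample configuration: one exception per section.
SAMPLE_EXCEPTIONS = {
    "SQL Injection": [{"url": "/search", "http_parameter": "q"}],
    "Illegal Resource Access": [{"ip": "203.0.113.0/24"}],
}


def demo() -> Dict[str, bool]:
    """Evaluate one constructed request against both sections and return the outcome."""
    req = Request(ip="198.51.100.7", url="/search", country="US", params=("q",))
    return {
        "sqli_excepted": is_excepted(SAMPLE_EXCEPTIONS, "SQL Injection", req),
        "ira_excepted": is_excepted(SAMPLE_EXCEPTIONS, "Illegal Resource Access", req),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the scoping note in action: the request is excepted from SQL Injection inspection because both fields of that rule match, but the same request is still inspected under Illegal Resource Access, whose only rule names a different subnet.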

 

Tip: Alternatively, you can add an item to the WAF whitelist directly from the Events page if you have identified a false positive event.
