Virtual Patching¶
A virtual patch allows blocking malicious requests even in monitoring mode or when a request does not seem to contain any known attack vectors.
Virtual patches are especially useful in cases when it is impossible to fix a critical vulnerability in the code or install the necessary security updates quickly.
If attack types are selected, the request will be blocked only if the filter node detects an attack of one of the listed types in the corresponding parameter.
If the setting Any request is selected, the system will block the requests with the defined parameter, even if it does not contain an attack vector.
Example: Blocking SQLi Attack in the Query String Parameter id¶
If the following conditions take place:
-
the application is accessible at the domain example.com
-
the application's parameter id is vulnerable to SQL injection attacks
-
the filter node is set to monitoring mode
-
attempts at vulnerability exploitation must be blocked
Then, to create a virtual patch
- Go to the Rules tab
- Find the branch
example.com/**/*.*and click Add rule -
Choose Create a virtual patch
-
Choose SQLi as the type of attack
- Select the QUERY parameter and enter its value
idafter in this part of request - Click Create
Example: Block All Requests With the Query String Parameter refresh¶
If the following conditions take place:
-
the application is accessible at the domain example.com
-
the application crashes upon processing the query string parameter
refresh -
attempts at vulnerability exploitation must be blocked
Then, to create a virtual patch
- Go to the Rules tab
- Find the branch
example.com/**/*.*and click Add rule - Choose Create a virtual patch
- Choose Any request
- Select the QUERY parameter and enter its value
refreshafter in this part of request - Click Create
