Skip to content

Managing request parsers

The rule Disable/Enable request parser allows managing the set of parsers applied to the request during its analysis.

By default, when analyzing the request the Wallarm node attempts to sequentially apply each of the suitable parsers to each element of the request. However, certain parsers can be applied mistakenly and as a result, the Wallarm node may detect attack signs in the decoded value.

For example: the Wallarm node may mistakenly identify unencoded data as encoded into Base64, since the Base64 alphabet symbols are often used in the regular text, token values, UUID values and other data formats. If decoding the unencoded data and detecting attack signs in the resulting value, the false positive occurs.

To prevent false positives in such cases, you can disable the parsers mistakenly applied to certain request elements by using the rule Disable/Enable request parser.

Creating and applying the rule

You can create and apply the rule both in the Attacks and Rules sections of Wallarm Console.

  • In the Attacks section, rules are created with a pre-filled description of endpoints to apply the rule to. The endpoint description corresponds to the request you clicked the Rule button for.

    To complete the rule setup, just select the rule action type and make sure all rule components are configured correctly.

  • In the Rules section, all rule components must be filled in manually.

To create and apply the rule in the Rules section:

  1. Create the rule Disable/Enable request parser in the Rules section of Wallarm Console. The rule consists of the following components:

    • Condition describes the endpoints to apply the rule to.
    • Parsers to be disabled / enabled for the specified request element.

    • Part of request points to the original request element to be parsed / not parsed with the selected parsers.

      Note that options you add to In this part of request should go in a particular order to reflect in which order Wallarm will apply parsers to read the required request element.

  2. Wait for the rule compilation to complete.

Rule example

Let's say the requests to https://example.com/users/ require the authentication header X-AUTHTOKEN. The header value may contain specific symbol combinations (e.g. = in the end) to be potentially decoded by Wallarm with the parser base64.

The rule Disable/Enable request parser preventing false positives in the X-AUTHTOKEN values can be configured as follows:

Example of the rule "Disable/Enable request parser"