Managing request parsers¶
The rule Disable/Enable request parser allows managing the set of parsers applied to the request during its analysis.
By default, when analyzing the request the Wallarm node attempts to sequentially apply each of the suitable parsers to each element of the request. However, certain parsers can be applied mistakenly and as a result, the Wallarm node may detect attack signs in the decoded value.
For example: the Wallarm node may mistakenly identify unencoded data as encoded into Base64, since the Base64 alphabet symbols are often used in the regular text, token values, UUID values and other data formats. If decoding the unencoded data and detecting attack signs in the resulting value, the false positive occurs.
To prevent false positives in such cases, you can disable the parsers mistakenly applied to certain request elements by using the rule Disable/Enable request parser.
Creating and applying the rule¶
To create and apply the rule:
Create the rule Disable/Enable request parser in the Profile & Rules section of Wallarm Console. The rule consists of the following components:
- Condition describes the endpoints to apply the rule to.
- Parsers to be disabled / enabled for the specified request element.
- Part of request points to the original request element to be parsed / not parsed with the selected parsers.
Wait for the rule compilation to complete.
Let's say the requests to
https://example.com/users/ require the authentication header
X-AUTHTOKEN. The header value may contain specific symbol combinations (e.g.
= in the end) to be potentially decoded by Wallarm with the parser
The rule Disable/Enable request parser preventing false positives in the
X-AUTHTOKEN values can be configured as follows: