Skip to content

Virtual Patching

A virtual patch allows blocking malicious requests even in the monitoring and safe blocking modes or when a request does not seem to contain any known attack vectors. The only requests virtual patches do not block are the ones originating from the allowlisted IPs.

Virtual patches are especially useful in cases when it is impossible to fix a critical vulnerability in the code or install the necessary security updates quickly.

If attack types are selected, the request will be blocked only if the filter node detects an attack of one of the listed types in the corresponding parameter.

If the setting Any request is selected, the system will block the requests with the defined parameter, even if it does not contain an attack vector.

Creating and applying the rule

You can create and apply the rule both in the Events and Rules section of Wallarm Console.

  • In the Events section, rules are created with a pre-filled description of endpoints to apply the rule to. The endpoint description corresponds to the request you clicked the Rule button for.

    To complete the rule setup, just select the rule action type and make sure all rule components are configured correctly.

  • In the Rules section, all rule components must be filled in manually.

Example: Blocking SQLi Attack in the Query String Parameter id

If the following conditions take place:

  • the application is accessible at the domain example.com

  • the application's parameter id is vulnerable to SQL injection attacks

  • the filter node is set to monitoring mode

  • attempts at vulnerability exploitation must be blocked

Then, to create a virtual patch

  1. Go to the Rules tab
  2. Find the branch example.com/**/*.* and click Add rule

  3. Choose Create a virtual patch

  4. Choose SQLi as the type of attack

  5. Select the QUERY parameter and enter its value id after in this part of request

    Options sequentally (if several) selected in in this part of request should reflect a sequence of parsers Wallarm would apply to read the required request element.

  6. Click Create

Virtual patch for a certain request type

Example: Block All Requests With the Query String Parameter refresh

If the following conditions take place:

  • the application is accessible at the domain example.com

  • the application crashes upon processing the query string parameter refresh

  • attempts at vulnerability exploitation must be blocked

Then, to create a virtual patch

  1. Go to the Rules tab
  2. Find the branch example.com/**/*.* and click Add rule
  3. Choose Create a virtual patch
  4. Choose Any request

  5. Select the QUERY parameter and enter its value refresh after in this part of request

    Options sequentally (if several) selected in in this part of request should reflect a sequence of parsers Wallarm would apply to read the required request element.

  6. Click Create

Virtual patch for any request type

API calls to create the rule

To create the virtual patch rule, you can call the Wallarm API directly besides using the Wallarm Console UI. Below are some examples of the corresponding API calls.

Create the virtual patch to block all requests sent to /my/api/*

curl -v -X POST "https://us1.api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: <YOUR_TOKEN>" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"clientid\": YOUR_CLIENT_ID, \"type\": \"vpatch\", \"action\": [ {\"type\":\"equal\",\"value\":\"my\",\"point\":[\"path\",0]}, {\"type\":\"equal\",\"value\":\"api\",\"point\":[\"path\",1]}], \"validated\": false, \"point\": [ [ \"header\", \"HOST\" ] ], \"attack_type\": \"any\"}"

curl -v -X POST "https://api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: <YOUR_TOKEN>" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"clientid\": YOUR_CLIENT_ID, \"type\": \"vpatch\", \"action\": [ {\"type\":\"equal\",\"value\":\"my\",\"point\":[\"path\",0]}, {\"type\":\"equal\",\"value\":\"api\",\"point\":[\"path\",1]}], \"validated\": false, \"point\": [ [ \"header\", \"HOST\" ] ], \"attack_type\": \"any\"}"

Create the virtual patch for a specific application instance ID to block all requests sent to /my/api/*

An application should be configured before sending this request. Specify an ID of an existing application in action.point[instance].value.

curl -v -X POST "https://us1.api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: <YOUR_TOKEN>" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"type\":\"vpatch\",\"action\":[{\"point\":[\"instance\"],\"type\":\"equal\",\"value\":\"-1\"},{\"point\":[\"path\",0],\"type\":\"equal\",\"value\":\"my\"},{\"point\":[\"path\",1],\"type\":\"equal\",\"value\":\"api\"}],\"clientid\":YOUR_CLIENT_ID,\"validated\":false,\"point\":[[\"header\",\"HOST\"]],\"attack_type\":\"any\"}"

curl -v -X POST "https://api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: <YOUR_TOKEN>" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"type\":\"vpatch\",\"action\":[{\"point\":[\"instance\"],\"type\":\"equal\",\"value\":\"-1\"},{\"point\":[\"path\",0],\"type\":\"equal\",\"value\":\"my\"},{\"point\":[\"path\",1],\"type\":\"equal\",\"value\":\"api\"}],\"clientid\":YOUR_CLIENT_ID,\"validated\":false,\"point\":[[\"header\",\"HOST\"]],\"attack_type\":\"any\"}"