
Virtual Patching

A virtual patch blocks malicious requests even when the filter node runs in monitoring or safe blocking mode, or when a request does not appear to contain any known attack vector. The only requests virtual patches do not block are those originating from whitelisted IPs.

Virtual patches are especially useful in cases when it is impossible to fix a critical vulnerability in the code or install the necessary security updates quickly.

If attack types are selected, the request will be blocked only if the filter node detects an attack of one of the listed types in the corresponding parameter.

If the setting "Any request" is selected, the system will block every request containing the defined parameter, even if the parameter does not contain an attack vector.

Creating and applying the rule

You can create and apply the rule in either the Events or the Rules section of Wallarm Console.

  • In the Events section, rules are created with a pre-filled description of endpoints to apply the rule to. The endpoint description corresponds to the request you clicked the Rule button for.

    To complete the rule setup, just select the rule action type and make sure all rule components are configured correctly.

  • In the Rules section, all rule components must be filled in manually.

Example: Blocking SQLi Attack in the Query String Parameter id

If the following conditions are met:

  • the application is accessible at the domain example.com

  • the application's parameter id is vulnerable to SQL injection attacks

  • the filter node is set to monitoring mode

  • attempts at vulnerability exploitation must be blocked

Then, to create a virtual patch:

  1. Go to the Rules tab
  2. Find the branch example.com/**/*.* and click "Add rule"
  3. Choose "Create a virtual patch"
  4. Choose SQLi as the type of attack
  5. Select the QUERY parameter and enter its value id after "in this part of request"
  6. Click "Create"

Virtual patch for a certain request type

Example: Block All Requests With the Query String Parameter refresh

If the following conditions are met:

  • the application is accessible at the domain example.com

  • the application crashes upon processing the query string parameter refresh

  • attempts at vulnerability exploitation must be blocked

Then, to create a virtual patch:

  1. Go to the Rules tab
  2. Find the branch example.com/**/*.* and click Add rule
  3. Choose Create a virtual patch
  4. Choose Any request
  5. Select the QUERY parameter and enter its value refresh after "in this part of request"
  6. Click Create

Virtual patch for any request type
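
The blocking behavior of the two example rules above, modeled as an added example (this is not Wallarm's code). The names `VirtualPatch`, `is_blocked` and `ANY_REQUEST` are hypothetical, the `detected` map stands in for the attack types the filter node found in each parameter, and all sample requests are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

ANY_REQUEST = "any"  # hypothetical marker for the "Any request" setting

@dataclass(frozen=True)
class VirtualPatch:
    host: str                # domain of the branch the rule is attached to
    query_param: str         # QUERY parameter named in the rule
    attack_types: frozenset  # e.g. {"sqli"}, or {ANY_REQUEST}

def is_blocked(patch, url, src_ip, detected, node_mode="monitoring", whitelist=()):
    # detected: {parameter: set of attack types}, an assumed input that stands
    # in for the filter node's detection result; it is not computed here.
    # node_mode is accepted but never consulted: the patch blocks regardless.
    if any(ip_address(src_ip) in ip_network(net) for net in whitelist):
        return False  # whitelisted sources are the only exemption
    parts = urlsplit(url)
    if parts.hostname != patch.host:
        return False  # request is outside the rule's branch
    params = parse_qs(parts.query, keep_blank_values=True)
    if patch.query_param not in params:
        return False  # the patched parameter is absent
    if ANY_REQUEST in patch.attack_types:
        return True   # presence of the parameter is enough
    # Otherwise block only if a listed attack type was found in that parameter.
    return bool(patch.attack_types & detected.get(patch.query_param, set()))

SQLI_ID = VirtualPatch("example.com", "id", frozenset({"sqli"}))
ANY_REFRESH = VirtualPatch("example.com", "refresh", frozenset({ANY_REQUEST}))
SRC = "198.51.100.9"  # constructed client address (documentation range)

def demo():
    """Run both example rules over constructed requests; return each decision."""
    return {
        "benign id": is_blocked(SQLI_ID, "https://example.com/item?id=42", SRC, {}),
        "sqli in id": is_blocked(SQLI_ID, "https://example.com/item?id=X", SRC, {"id": {"sqli"}}),
        "sqli elsewhere": is_blocked(SQLI_ID, "https://example.com/item?id=1&q=X", SRC, {"q": {"sqli"}}),
        "benign refresh": is_blocked(ANY_REFRESH, "https://example.com/?refresh=1", SRC, {}),
        "whitelisted": is_blocked(ANY_REFRESH, "https://example.com/?refresh=1", "203.0.113.7", {},
                                  whitelist=("203.0.113.0/24",)),
    }

if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name:15} -> {'blocked' if blocked else 'passed'}")
```

The "benign refresh" case is the one to keep in mind when choosing "Any request": legitimate traffic that carries the parameter is blocked as well.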