Virtual Patching

When a critical vulnerability in your application's code cannot be fixed, or the necessary updates cannot be installed quickly, you can create a virtual patch that blocks all requests, or only specific ones, to the endpoints through which the vulnerability could be exploited. A virtual patch blocks matching requests even when the filtering node runs in monitoring or safe blocking mode; the only exception is requests originating from allowlisted IPs.

Wallarm provides the following rules for creating a virtual patch:

  • Create a virtual patch rule - creates a virtual patch that blocks requests containing, in the selected request part, one of the known attack signs, such as SQLi, SSTI, RCE, etc. You can also select Any request to block specific requests that carry no attack signs at all.

  • Create regexp-based attack indicator rule with the Virtual patch option selected - creates a virtual patch that blocks requests matching your own attack signs, or any other reason for blocking (see example), described with regular expressions. Details on working with regular expression based rules are described here.

Creating and applying the rule

You can create and apply the rule both in the Attacks and Rules sections of Wallarm Console.

  • In the Attacks section, rules are created with a pre-filled description of endpoints to apply the rule to. The endpoint description corresponds to the request you clicked the Rule button for.

    To complete the rule setup, just select the rule action type and make sure all rule components are configured correctly.

  • In the Rules section, all rule components must be filled in manually.

Rule examples

Blocking specific requests for selected endpoint

Let us say the online purchase section of your application, accessible at the example.com/purchase endpoint, crashes while processing the refresh query string parameter. Until the bug is fixed, you need to block the requests that lead to the crash.

To do so, configure the Create a virtual patch rule as shown in the screenshot:

Virtual patch for any request type

Blocking exploitation attempts for discovered but not yet fixed vulnerability

Let us say your application, accessible at the example.com domain, has a discovered but not yet fixed vulnerability: the application's id parameter is vulnerable to SQL injection. Meanwhile, the Wallarm filtering node runs in monitoring mode, yet you need to block exploitation attempts immediately.

To do so, configure the Create a virtual patch rule as shown in the screenshot:

Virtual patch for a certain request type
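The two examples above share the same decision logic: the rule names an endpoint and a request part, optionally an attack sign, and a matching request is blocked regardless of the node's mode unless the client IP is allowlisted. The following is an added example, not Wallarm's own code, rule format or API: a constructed, simplified model of that logic with the two rules above expressed in it. The `VirtualPatch` class, the `decide` function, the toy `TOY_ATTACK_SIGNS` pattern, the sample URLs and the allowlist are all assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed, simplified model of how a virtual patch decides on a request.
# It illustrates the rule semantics described on this page; it is not
# Wallarm's engine, rule format or API. The attack-sign patterns are toys.
TOY_ATTACK_SIGNS = {
    "sqli": re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+select\b|--|')"),
}


@dataclass(frozen=True)
class VirtualPatch:
    host: str                   # endpoint host, e.g. "example.com"
    path: str                   # endpoint path, or "*" for any path on the host
    param: str                  # query-string parameter the rule inspects
    attack_sign: Optional[str]  # key of TOY_ATTACK_SIGNS, or None for "Any request"

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        if parts.hostname != self.host:
            return False
        if self.path != "*" and parts.path != self.path:
            return False
        values = parse_qs(parts.query, keep_blank_values=True).get(self.param)
        if values is None:
            return False        # inspected parameter is not present
        if self.attack_sign is None:
            return True         # "Any request" carrying the parameter is blocked
        sign = TOY_ATTACK_SIGNS[self.attack_sign]
        return any(sign.search(v) for v in values)


def decide(url: str, client_ip: str, patches: Iterable[VirtualPatch],
           node_mode: str, allowlist: Iterable[str] = ()) -> str:
    """Verdict for one request.

    "allowlist": client IP is allowlisted, so virtual patches do not apply;
    "block":     a virtual patch matched, blocked whatever the node mode is;
    otherwise the node mode itself is returned, meaning the request continues
    under the node's normal processing (e.g. "monitoring" only logs attacks).
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in allowlist):
        return "allowlist"
    if any(patch.matches(url) for patch in patches):
        return "block"
    return node_mode


# The two rules from the examples above, as this model represents them.
PATCHES = [
    VirtualPatch("example.com", "/purchase", "refresh", None),  # any request with "refresh"
    VirtualPatch("example.com", "*", "id", "sqli"),             # SQLi signs in "id"
]
ALLOWLIST = ["10.0.0.0/8"]  # constructed allowlist

if __name__ == "__main__":
    samples = [  # constructed requests: (URL, client IP)
        ("https://example.com/purchase?refresh=1", "203.0.113.5"),
        ("https://example.com/purchase?refresh=1", "10.1.2.3"),
        ("https://example.com/item?id=1'%20OR%201=1--", "203.0.113.5"),
        ("https://example.com/item?id=42", "203.0.113.5"),
    ]
    for url, ip in samples:
        print(f"{decide(url, ip, PATCHES, 'monitoring', ALLOWLIST):10} {ip:12} {url}")
```

Note that the first rule matches on the presence of the `refresh` parameter alone (including an empty value), while the second only fires when the toy SQLi signature matches the `id` value; a request to example.com/item?id=42 therefore falls through to the node's normal monitoring-mode handling.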

Blocking all requests with incorrect X-AUTHENTICATION header

Let us say your application, accessible at the example.com domain, uses the X-AUTHENTICATION header carrying a token of 32 hexadecimal characters for user authentication, and you want to reject tokens in any other format.

To do so, create the Create regexp-based attack indicator rule with the Virtual patch option selected, as shown in the screenshot, with the following settings:

  • Regular expression: ^(.{0,31}|.{33,}|[^0-9a-fA-F]+)$

  • Request part: header - X-AUTHENTICATION

Regex rule first example
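The regular expression above rejects a header value by matching it: too short, too long, or consisting entirely of non-hex characters. One case it does not cover is a value of exactly 32 characters that mixes hex and non-hex characters, because none of the three alternatives matches such a string. The following added example (not part of the page or of Wallarm's tooling) runs the page's expression and a stricter alternative over constructed header values so the difference is visible. It evaluates the patterns with Python's `re` module, which is an assumption: the filtering node uses its own regex engine, so confirm any alternative there before relying on it. `STRICT_REGEX`, `is_rejected`, `accepted_only_by_page_regex` and the sample tokens are this example's own.

```python
import re

# Regular expression used by the rule on this page. It rejects a header value
# that is shorter than 32 characters, longer than 32 characters, or made up
# entirely of non-hex characters.
PAGE_REGEX = re.compile(r"^(.{0,31}|.{33,}|[^0-9a-fA-F]+)$")

# Stricter alternative, an assumption of this example rather than a value from
# the page: it also rejects a 32-character value that mixes hex and non-hex
# characters. It uses only basic constructs so it stays portable across engines.
STRICT_REGEX = re.compile(r"^(.{0,31}|.{33,}|.*[^0-9a-fA-F].*)$")


def is_rejected(token: str, pattern: re.Pattern = PAGE_REGEX) -> bool:
    """True when the rule would treat the token as malformed (virtual patch fires)."""
    return pattern.search(token) is not None


def accepted_only_by_page_regex(tokens):
    """Tokens the page's regex lets through but the stricter one rejects."""
    return [t for t in tokens
            if not is_rejected(t, PAGE_REGEX) and is_rejected(t, STRICT_REGEX)]


# Constructed sample header values.
SAMPLES = {
    "valid 32 hex lowercase": "0123456789abcdef0123456789abcdef",
    "valid 32 hex uppercase": "0123456789ABCDEF0123456789ABCDEF",
    "too short (31)":         "0123456789abcdef0123456789abcde",
    "too long (33)":          "0123456789abcdef0123456789abcdef0",
    "all non-hex":            "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz",
    "empty":                  "",
    "32 chars, one non-hex":  "0123456789abcdef0123456789abcdeg",
}

if __name__ == "__main__":
    for label, token in SAMPLES.items():
        print(f"{label:24} page={is_rejected(token)!s:5} "
              f"strict={is_rejected(token, STRICT_REGEX)}")
```

The rule only evaluates values that are present in the request; a request without the header is a separate case to decide on, for example with an additional rule for that endpoint.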

API calls for virtual patches

Virtual patches can also be created by calling the Wallarm API directly. Consider the examples: