Threatening Content

Overview

The Threatening Content filter runs a series of regular expressions against request messages to check whether they contain threatening content. Each expression identifies a particular attack signature and can be run against different parts of the request, including the request body, the HTTP headers, and the request query string. In addition, you can configure the MIME types on which the Threatening Content filter operates.

The threatening content regular expressions are stored in the global Black list library, which is displayed under the Libraries node in the Policy Studio tree. By default, this library contains regular expressions to identify SQL syntax (to guard against SQL injection attacks), DOCTYPE DTD references (to guard against DTD expansion attacks), Java exception stack trace information (to prevent call stack information being returned to the client), and expressions to identify other types of attack signature.

The Threatening Content filter is available from the Content Filtering category of filters. Drag and drop this filter onto the policy editor, and enter a name for the filter in the Name field. The next sections describe how to configure the other tabs on this filter screen.

Scanning Details

To configure the scanning details, complete the following sections:

Additional message parts to scan:

This section configures what parts of the incoming request are scanned for threatening content. By default, the Threatening Content filter acts on the request body. However, it can also scan the HTTP headers and the request query string for threatening content. Select the appropriate checkboxes to indicate what additional parts of the request message you want to scan.

Blacklist:

The table lists all the regular expressions that have been added to the global Black list. These regular expressions are used to identify threatening content. For example, there are regular expressions to match SQL syntax, ASCII control characters, and XML processing instructions, all of which can be used to attack a Web Service. For more information on how to configure these global regular expressions, see the section called “Black list and White list”.

Select the regular expressions that you want to run against incoming requests using the checkboxes in the table. You can add new expressions using the Add button. When adding new regular expressions on the Add Regular Expression dialog, the expressions are added to the global Black list library.

You can edit or remove existing regular expressions by selecting the expression in the tree, and selecting the Edit or Delete button.

MIME Types

The MIME Types tab lists the MIME types to be scanned for incoming messages. By default, all text- and XML-related types are scanned for threatening content. However, you can select any type from the list.

Like the Black list regular expressions, the MIME types are global. You can add them globally by selecting the Settings node in the Policy Studio tree and clicking the MIME/DIME tab at the bottom.

You can add new types by selecting the Add button and entering a type name and corresponding extension on the Configure MIME/DIME Type dialog. To enter several extensions, separate them with spaces. You can edit or delete existing types by selecting the Edit or Delete button.
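The following is an added illustration, not code from Policy Studio or the gateway, of how the pieces configured above fit together: a Black list of signature expressions (constructed here in the filter's default categories), the choice of which message parts to scan, and the MIME types for which the body is scanned. It assumes that the MIME type setting gates only the body scan, while headers and the query string are scanned whenever their checkboxes are set; the Request class and scan() function are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed Black list in the filter's default categories: SQL syntax,
# DOCTYPE DTD references and Java exception stack-trace text.
BLACKLIST = {
    "SQL syntax": re.compile(
        r"(?i)\b(union\s+select|insert\s+into|drop\s+table)\b|'\s*or\s+\d+\s*=\s*\d+"),
    "DOCTYPE DTD reference": re.compile(r"(?i)<!DOCTYPE\b[^>]*(\[|SYSTEM|PUBLIC)"),
    "Java stack trace": re.compile(r"\bat\s+[\w$.]+\([\w$]+\.java:\d+\)"),
}

# Constructed default MIME type list: text and XML related types are scanned.
SCANNED_MIME = {"text/plain", "text/xml", "application/xml", "application/soap+xml"}


@dataclass
class Request:
    """Hypothetical request: Content-Type, body, HTTP headers and query string."""
    content_type: str
    body: str
    headers: dict = field(default_factory=dict)
    query: str = ""


def scan(req, patterns=BLACKLIST, scan_headers=False, scan_query=False):
    """Return (message part, signature name) for the first match, or None if clean.

    The body is scanned only when the request's MIME type is in the configured
    list (assumption: the MIME setting gates the body only); headers and the
    query string are the 'additional message parts' selected by checkbox.
    """
    mime = req.content_type.split(";")[0].strip().lower()
    parts = []
    if mime in SCANNED_MIME:
        parts.append(("body", req.body))
    if scan_headers:
        parts.extend(("header:" + name, value) for name, value in req.headers.items())
    if scan_query:
        parts.append(("query", req.query))
    for part, text in parts:
        for name, rx in patterns.items():
            if rx.search(text):
                return part, name
    return None
```

Each match names the signature and the part it was found in, which is the information a policy would log before failing the request.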