iWAF Exceptions with Regex Matching for Arguments

Overview

This article describes how to configure iWAF exceptions that match request arguments with a regular expression. Avi Vantage already supports regex for URL matching; Avi iWAF uses PCRE (Perl Compatible Regular Expressions) as its regex dialect. Starting with release 18.2.2, Avi Vantage also supports regular expressions for arguments: the match_element field under WAF Policy can be configured with a regular expression instead of just a keyword.

Configuring Regex Matching for Arguments

CLI

  1. Log in to the Controller shell and enter the following commands to edit the required WAF policy.

     
        configure wafpolicy policy_name
        edit
     
  2. Search for match_element_criteria by typing slash (‘/’), followed by the keyword match_element_criteria.

  3. Configure the desired regex in the match_element field as shown below. Under match_element_criteria and uri_match_criteria, set match_case to SENSITIVE and match_op to REGEX_MATCH.

     
            exclude_list:
            - match_element: ARGS:regex
              match_element_criteria:
                match_case: SENSITIVE
                match_op: REGEX_MATCH
              uri_match_criteria:
                match_case: SENSITIVE
                match_op: REGEX_MATCH
              uri_path: ^/test.php
     
  4. Press Esc and enter :wq. Then type save to save the configuration.

     
        save
     

Configuration Example

The argument name can have several fixed and dynamic parts. Consider a URL such as the following:

https://appname.com/typo/test_doc.php?data[news][1234][body]=Some_long_text_expected

Here, "data[news][" and "][body]" are the fixed parts, and the number [1234] is a dynamic value that varies with each request. An example attack on this application would look as follows:

https://appname.com/typo/test_doc.php?data[news][1234][body]=%3Cscript%3Ealert(1)%3C/script%3E

The regex required for creating an exception for this example would be:

 
URL Regex:              ^/typo/test_doc.php
Match element Regex:    ARGS:.data\[news\]\[.*\]\[body\]

Use ARGS:.data instead of ARGS:data to make this a valid regular expression.

The WAF Policy configuration would be as follows:

 
 exclude_list:
 - match_element: ARGS:.data\[news\]\[.*\]\[body\]
   match_element_criteria:
     match_case: SENSITIVE
     match_op: REGEX_MATCH
   uri_match_criteria:
     match_case: SENSITIVE
     match_op: REGEX_MATCH
   uri_path: ^/typo/test_doc.php
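Before deploying an exception, it is worth checking that the argument-name regex exempts exactly the parameters you intend and nothing else. The following Python script is an added example, not code from the article or from Avi Vantage: it applies the URL regex to the request path and the argument-name part of the match_element pattern to each query-string parameter name, using Python's re module with unanchored search semantics. That is an assumption about how REGEX_MATCH behaves; the script does not model how Avi's engine parses the ARGS: prefix, and therefore omits the leading "." the article calls for in ARGS:.data. It also shows a stricter alternative pattern (STRICT_ARG_NAME_REGEX, not from the article) that pins the dynamic part to digits, so that ".*" cannot swallow neighbouring bracketed segments.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# URL regex from the article. Note that the unescaped "." matches any character,
# so "^/typo/test_doc\.php" would be the stricter form.
URI_PATH_REGEX = r"^/typo/test_doc.php"

# Argument-name part of the article's match_element pattern (the text after "ARGS:",
# without the leading "." that Avi's matcher expects; see lead-in).
ARG_NAME_REGEX = r"data\[news\]\[.*\]\[body\]"

# Tighter alternative (assumption, not from the article): anchored, and the dynamic
# part may only be digits, so "data[news][1][x][2][body]" is no longer exempted.
STRICT_ARG_NAME_REGEX = r"^data\[news\]\[[0-9]+\]\[body\]$"


def excluded_args(url, uri_regex=URI_PATH_REGEX, arg_regex=ARG_NAME_REGEX):
    """Return the query-parameter names in `url` that the exception would exempt.

    The exception only applies when the request path matches `uri_regex`;
    otherwise no argument is exempted, whatever its name.
    """
    parts = urlsplit(url)
    if not re.search(uri_regex, parts.path):
        return []
    # parse_qsl percent-decodes names and values; literal brackets are left as-is.
    names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return [name for name in names if re.search(arg_regex, name)]


if __name__ == "__main__":
    # Constructed sample requests based on the article's example URL.
    samples = [
        "https://appname.com/typo/test_doc.php?data[news][1234][body]=Some_long_text_expected",
        "https://appname.com/typo/test_doc.php?data[news][1234][body]=x&data[news][1234][title]=y&page=2",
        "https://appname.com/other.php?data[news][1234][body]=x",
        "https://appname.com/typo/test_doc.php?data[news][1][x][2][body]=x",
    ]
    for url in samples:
        print(url)
        print("  article pattern exempts:", excluded_args(url))
        print("  strict pattern exempts: ", excluded_args(url, arg_regex=STRICT_ARG_NAME_REGEX))
```

Run the script as-is to see both patterns side by side; for a real policy, feed it the parameter names your application actually sends and confirm that only the intended one appears in the output.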

UI

On the Avi UI, navigate to Templates > WAF > WAF Policy. Click the policy to be edited, or create a new policy as required.

Under the Rules tab, navigate to the relevant rule in the rule sets. Click the dropdown for the rule to expand its configuration options, then click + Add Exception to configure the exception.

In the EXCEPTIONS field, enter the regular expression and select the Regex Match checkbox.

Save the configuration.
