iWAF Exceptions with Regex Matching for Arguments
Overview
This article discusses configuring iWAF exceptions with regex matching for arguments. Avi Vantage supports Regex for URL matching.
Avi iWAF uses PCRE (Perl Compatible Regular Expressions) as regex.
Starting with release 18.2.2, Avi Vantage supports configuring regular expressions for arguments. The match_element field under WAF Policy can be configured to use a regular expression instead of just a keyword.
Configuring Regex Matching for Arguments
CLI
- Log in to the Controller shell and enter the command to edit the required WAF policy.
configure wafpolicy policy_name edit
- Search for match_element_criteria by typing slash (‘/’), followed by the keyword match_element_criteria.
- Configure the desired regex in the match_element field as shown below. Under match_element_criteria, set the match_case field to SENSITIVE and the match_op field to REGEX_MATCH.
exclude_list:
- match_element: ARGS:regex
  match_element_criteria:
    match_case: SENSITIVE
    match_op: REGEX_MATCH
  uri_match_criteria:
    match_case: SENSITIVE
    match_op: REGEX_MATCH
  uri_path: ^/test.php
- Hit Esc and enter :wq. Type save to save the configuration.
save
Configuration Example
The argument name can have several fixed and dynamic parts. Consider the following URL as an example:
https://appname.com/typo/test_doc.php?data[news][1234][body]=Some_long_text_expected
Here, "data[news][" and "][body]" are the fixed parts, and the number [1234] is a dynamic value that varies with each request. An example attack on this application would be as follows:
https://appname.com/typo/test_doc.php?data[news][1234][body]=%3Cscript%3Ealert(1)%3C/script%3E
The regex required for creating an exception for this example would be:
URL Regex: ^/typo/test_doc.php
Match element Regex: ARGS:data\[news\]\[.*\]\[body\]
The WAF Policy configuration would be as follows:
exclude_list:
- match_element: ARGS:data\[news\]\[.*\]\[body\]
  match_element_criteria:
    match_case: SENSITIVE
    match_op: REGEX_MATCH
  uri_match_criteria:
    match_case: SENSITIVE
    match_op: REGEX_MATCH
  uri_path: ^/typo/test_doc.php
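As an added example (not part of the Avi documentation or product code), the following Python mirrors how this exclude_list entry is evaluated against a request: the uri_path regex is searched against the request path and the match_element regex against ARGS:<argument name>, both case-sensitively because of SENSITIVE. It assumes REGEX_MATCH behaves as an unanchored regex search, and it also shows two scope caveats of the regexes as written: the unescaped '.' in the uri_path matches any character, and the greedy '.*' also spans extra bracketed segments.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed exception entry mirroring the exclude_list example above.
# Assumptions (not confirmed by the page): REGEX_MATCH behaves like an
# unanchored regex search, and match_case SENSITIVE means no IGNORECASE flag.
EXCEPTION = {
    "match_element": r"ARGS:data\[news\]\[.*\]\[body\]",
    "match_element_criteria": {"match_case": "SENSITIVE", "match_op": "REGEX_MATCH"},
    "uri_match_criteria": {"match_case": "SENSITIVE", "match_op": "REGEX_MATCH"},
    "uri_path": r"^/typo/test_doc.php",
}


def _matches(pattern, value, criteria):
    """Apply one *_criteria block: regex search for REGEX_MATCH, exact compare otherwise."""
    sensitive = criteria["match_case"] == "SENSITIVE"
    if criteria["match_op"] == "REGEX_MATCH":
        flags = 0 if sensitive else re.IGNORECASE
        return re.search(pattern, value, flags) is not None
    return pattern == value if sensitive else pattern.lower() == value.lower()


def is_excluded(exception, path, arg_name):
    """True when both the request path and the ARGS element fall under the exception."""
    if not _matches(exception["uri_path"], path, exception["uri_match_criteria"]):
        return False
    # WAF argument elements are addressed as ARGS:<argument name>.
    return _matches(exception["match_element"], "ARGS:" + arg_name,
                    exception["match_element_criteria"])


def excluded_args(exception, url):
    """Return the query argument names of `url` that the exception covers, sorted."""
    parts = urlsplit(url)
    names = parse_qs(parts.query, keep_blank_values=True)
    return sorted(name for name in names if is_excluded(exception, parts.path, name))


if __name__ == "__main__":
    # The page's sample request plus a constructed second argument ([title])
    # that the exception must not cover, so WAF rules still inspect it.
    url = ("https://appname.com/typo/test_doc.php"
           "?data[news][1234][body]=Some_long_text_expected&data[news][1234][title]=x")
    print(excluded_args(EXCEPTION, url))  # ['data[news][1234][body]']
```

Escaping the dot (^/typo/test_doc\.php) and replacing .* with \d+ keeps the exception limited to the one script and the numeric id the page describes.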
UI
On Avi UI, navigate to Templates > WAF > WAF Policy. Click on the policy to be edited or create a new policy as required.
Under the Rules tab, navigate to the relevant rule under the rule sets. Click on the dropdown for a rule to expand the configuration options. Click on + Add Exception to configure the exception.
Under the EXCEPTIONS field enter the regular expression and click on the checkbox for Regex Match.
Save the configuration.