diff --git a/content/includes/nap-waf/policy.html b/content/includes/nap-waf/policy.html
index 6ad09bb82..de530f555 100644
--- a/content/includes/nap-waf/policy.html
+++ b/content/includes/nap-waf/policy.html
@@ -284,132 +284,139 @@
policy
|
+login-enforcement |
+Yes |
+object |
+ |
+ |
+
+
login-pages |
Yes |
array of objects |
A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions. |
|
-
+
methods |
Yes |
array of objects |
|
|
-
+
name |
No |
string |
The unique user-given name of the policy. Policy names cannot contain spaces or special characters. Allowed characters are a-z, A-Z, 0-9, dot, dash (-), colon (:) and underscore (_). |
|
-
+
open-api-files |
Yes |
array of objects |
|
|
-
+
override-rules |
Yes |
array of objects |
This section defines policy override rules. |
|
-
+
parameters |
Yes |
array of objects |
This section defines parameters that the security policy permits in requests. |
|
-
+
performStaging |
No |
boolean |
Determines staging handling for all applicable entities in the policy, such as signatures, URLs, parameters, and cookies. If disabled, all entities will be enforced and any violations triggered will be considered illegal. |
|
-
+
response-pages |
Yes |
array of objects |
The Security Policy has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. You can change the way the system responds to blocked requests. All default response pages contain a variable, <%TS.request.ID()%>, that the system replaces with a support ID number when it issues the page. |
|
-
+
sensitive-parameters |
Yes |
array of objects |
This section defines sensitive parameters. The contents of these parameters are not visible in logs nor in the user interfaces. Instead of actual values a string of asterisks is shown for these parameters. Use these parameters to protect sensitive user input, such as a password or a credit card number, in a validated request. A parameter name of "password" is always defined as sensitive by default. |
|
-
+
server-technologies |
Yes |
array of objects |
The server technology is a server-side application, framework, web server or operating system type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology. |
|
-
+
signature-requirements |
Yes |
array of objects |
|
|
-
+
signature-sets |
Yes |
array of objects |
Defines behavior when signatures found within a signature-set are detected in a request. Settings are culmulative, so if a signature is found in any set with block enabled, that signature will have block enabled. |
|
-
+
signature-settings |
Yes |
object |
|
|
-
+
signatures |
Yes |
array of objects |
This section defines the properties of a signature on the policy. |
|
-
+
template |
Yes |
object |
Specifies the template to populate the default attributes of a new policy. |
|
-
+
threat-campaigns |
Yes |
array of objects |
This section defines the enforcement state for the threat campaigns in the security policy. |
|
-
+
urls |
Yes |
array of objects |
In a security policy, you can manually specify the HTTP URLs that are allowed (or disallowed) in traffic to the web application being protected. When you create a security policy, wildcard URLs of * (representing all HTTP URLs) are added to the Allowed HTTP URLs lists. |
|
-
+
wafEngineVersion |
No |
string |
|
|
-
+
xml-profiles |
Yes |
array of objects |
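Review bot: the new `login-enforcement` row at the top of this hunk has an empty description cell, so a reader of the policy table learns nothing about what the object configures; since it is the only new entry here, add one sentence saying it defines which URLs require a prior login, how long an authenticated session stays valid, and how logout is detected (the `authenticatedUrls`, `expirationTimePeriod` and `logoutUrls` fields introduced later in this patch). Everything else in the hunk is matched `-`/`+` blank-line pairs, i.e. whitespace-only churn; keep that out of the functional change or call it out in the commit so reviewers do not have to diff blank lines.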
@@ -859,6 +866,10 @@ loginA
- alarm: The system will log the login attempt.
- alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
+- alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
+- alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
+- alarm-and-drop: The system will log the login attempt and reset the TCP connection.
+- alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
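Review bot: these four bullets document `alarm-and-captcha`, `alarm-and-client-side-integrity`, `alarm-and-drop` and `alarm-and-honeypot-page` as valid actions for this list, while the policy.json hunk `@@ -883,11 +737,7 @@` removes exactly these values from the `loginAttemptsFromTheSameIp` enum, leaving only `alarm` and `alarm-and-blocking-page`. One side of the patch is wrong: if the enum reduction is intended, drop these bullets; if the docs are right, restore the enum values in the schema.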
@@ -904,6 +915,8 @@ logi
- alarm: The system will log the login attempt.
+- alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
+- alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
|
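Review bot: same mismatch as the previous hunk: `alarm-and-captcha` and `alarm-and-client-side-integrity` are added to the documented actions here, but the policy.json hunk `@@ -913,9 +763,7 @@` removes both from the enum, leaving `alarm` as the only value. Reconcile the two before merging; a policy written from this page would fail schema validation.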
@@ -3231,6 +3244,86 @@ json-validation-files
|
+login-enforcement
+
+
+
+
+
+
+
+
+
+
+
+
+authenticatedUrls |
+array of strings |
+ |
+ |
+
+
+expirationTimePeriod |
+
+- integer minimum: 0 maximum: 99999
+- string
+ |
+ |
+
+- Integer values
+- "disabled"
+ |
+
+
+logoutUrls |
+array of objects |
+ |
+ |
+
+
+
+logoutUrls
+
+
+
+
+
+
+
+
+
+
+
+
+requestContains |
+string |
+ |
+ |
+
+
+requestOmits |
+string |
+ |
+ |
+
+
+url |
+object |
+ |
+ |
+
+
+
login-pages
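Review bot: every property in the new `login-enforcement` table (`authenticatedUrls`, `expirationTimePeriod`, `logoutUrls`, `requestContains`, `requestOmits`, `url`) ships with an empty description cell, so the page does not say what qualifies a URL as authenticated, what unit `expirationTimePeriod` uses or what an integer 0 means versus `"disabled"`, or how `requestContains` and `requestOmits` are matched (substring or exact, and against which part of the request). Add a description per row, as `login-pages` below does. Also check the two runs of empty `+` lines at the top and middle of the hunk: they look like a table scaffold whose tags were lost and will render as blank rows.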
@@ -6286,6 +6379,8 @@ violations
VIOL_JSON_MALFORMED
VIOL_JSON_SCHEMA
VIOL_LOGIN
+VIOL_LOGIN_URL_BYPASSED
+VIOL_LOGIN_URL_EXPIRED
VIOL_MANDATORY_HEADER
VIOL_MANDATORY_PARAMETER
VIOL_MANDATORY_REQUEST_BODY
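Review bot: `VIOL_LOGIN_URL_BYPASSED` and `VIOL_LOGIN_URL_EXPIRED` are added to the violation list (and to the schema enum in the policy.json hunk `@@ -399,6 +399,8 @@`) with no text on what raises them. From the names they pair with the new `authenticatedUrls` and `expirationTimePeriod` fields; state the trigger condition and the default alarm/block state for each so an operator reading a log entry knows what it means, and note that with `expirationTimePeriod` defaulting to `"disabled"` the second violation cannot fire until the period is set.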
diff --git a/data/nap-waf/schema/policy.json b/data/nap-waf/schema/policy.json
index d833d8442..66234108d 100644
--- a/data/nap-waf/schema/policy.json
+++ b/data/nap-waf/schema/policy.json
@@ -399,6 +399,8 @@
"VIOL_JSON_MALFORMED",
"VIOL_JSON_SCHEMA",
"VIOL_LOGIN",
+ "VIOL_LOGIN_URL_BYPASSED",
+ "VIOL_LOGIN_URL_EXPIRED",
"VIOL_MANDATORY_HEADER",
"VIOL_MANDATORY_PARAMETER",
"VIOL_MANDATORY_REQUEST_BODY",
@@ -727,154 +729,6 @@
"description" : "When enabled, enables Brute Force Protection for all configured login URLs.\nWhen disabled, only brute force configurations for specific login pages are applied in case they exist.",
"type" : "boolean"
},
- "captchaBypassCriteria" : {
- "description" : "Specifies configuration for CAPTCHA Bypass Mitigation.",
- "properties" : {
- "action" : {
- "default" : "alarm-and-drop",
- "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.",
- "enum" : [
- "alarm-and-blocking-page",
- "alarm-and-drop",
- "alarm-and-honeypot-page"
- ],
- "type" : "string"
- },
- "enabled" : {
- "default" : true,
- "description" : "When enabled, the system counts successful CAPTCHA challenges with failed logins from IP Address / Device ID.",
- "type" : "boolean"
- },
- "threshold" : {
- "default" : 5,
- "description" : "After configured threshold (number of successful CAPTCHA challenges with failed logins from IP Address / Device ID) defined action will be applied for the next login attempt",
- "maximum" : 100,
- "minimum" : 1,
- "type" : "integer"
- }
- },
- "type" : "object"
- },
- "clientSideIntegrityBypassCriteria" : {
- "description" : "Specifies configuration for Client Side Integrity Bypass Mitigation.",
- "properties" : {
- "action" : {
- "default" : "alarm-and-captcha",
- "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.",
- "enum" : [
- "alarm-and-captcha"
- ],
- "type" : "string"
- },
- "enabled" : {
- "default" : false,
- "description" : "When enabled, the system counts successful challenges with failed logins from IP Address / Device ID / Username.\nLegitimate users who have disabled JavaScripting on their browsers for security reasons will fail a client side integrity challenge.",
- "type" : "boolean"
- },
- "threshold" : {
- "default" : 3,
- "description" : "After configured threshold (number of successful challenges with failed logins from IP Address / Device ID / Username) defined action will be applied for the next login attempt",
- "maximum" : 100,
- "minimum" : 1,
- "type" : "integer"
- }
- },
- "type" : "object"
- },
- "detectionCriteria" : {
- "description" : "Specifies configuration for detecting distributed brute force attacks.",
- "properties" : {
- "action" : {
- "default" : "alarm",
- "description" : "Specifies action that is applied when one of the defined thresholds (credentialsStuffingMatchesReached, failedLoginAttemptsRateReached) is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-client-side-integrity-captcha**: The system sends a Client Side Integrity challenge upon the first failed login attempt from a source and a CAPTCHA challenge upon second and all subsequent failed login attempts. A login attempt is logged if client successfully passes the challenge. This enforcement action should be chosen if CAPTCHA is considered intrusive. Benign users who mistype their password will likely get only the Client Side Integrity challenge, while an attacker will eventually get the CAPTCHA challenge.",
- "enum" : [
- "alarm",
- "alarm-and-captcha",
- "alarm-and-client-side-integrity",
- "alarm-and-client-side-integrity-captcha"
- ],
- "type" : "string"
- },
- "credentialsStuffingMatchesReached" : {
- "default" : 100,
- "description" : "After configured threshold (number of detected login attempts that match known leaked credentials library) defined action will be applied for the next login attempt.",
- "maximum" : 10000,
- "minimum" : 1,
- "type" : "integer"
- },
- "detectCredentialsStuffingAttack" : {
- "default" : true,
- "description" : "When enabled, the system detects login attempts that match known leaked credentials library.",
- "type" : "boolean"
- },
- "detectDistributedBruteForceAttack" : {
- "default" : true,
- "description" : "When enabled, the system detects distributed brute force attacks.",
- "type" : "boolean"
- },
- "failedLoginAttemptsRateReached" : {
- "default" : 100,
- "description" : "After configured threshold (number of failed login attempts within measurementPeriod) defined action will be applied for the next login attempt. ",
- "maximum" : 10000,
- "minimum" : 1,
- "type" : "integer"
- }
- },
- "type" : "object"
- },
- "leakedCredentialsCriteria" : {
- "description" : "Specifies configuration for Leaked Credentials Detection.",
- "properties" : {
- "action" : {
- "default" : "alarm-and-blocking-page",
- "description" : "Specifies action when leaked credentials detected.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.\n- **alarm-and-leaked-credentials-response-page**: The default response page warns the user that the username and password have been leaked and the password should be changed.",
- "enum" : [
- "alarm",
- "alarm-and-blocking-page",
- "alarm-and-honeypot-page",
- "alarm-and-leaked-credentials-response-page"
- ],
- "type" : "string"
- },
- "enabled" : {
- "default" : false,
- "description" : "When enabled, the system can match presented credentials to those in the credentials dictionary to detect leaked credentials.",
- "type" : "boolean"
- }
- },
- "type" : "object"
- },
- "loginAttemptsFromTheSameDeviceId" : {
- "description" : "Specifies configuration for detecting brute force attacks for Device ID.",
- "properties" : {
- "action" : {
- "default" : "alarm",
- "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.",
- "enum" : [
- "alarm",
- "alarm-and-blocking-page",
- "alarm-and-captcha",
- "alarm-and-client-side-integrity",
- "alarm-and-drop",
- "alarm-and-honeypot-page"
- ],
- "type" : "string"
- },
- "enabled" : {
- "default" : false,
- "description" : "When enabled, the system counts failed login attempts for Device ID.",
- "type" : "boolean"
- },
- "threshold" : {
- "default" : 3,
- "description" : "After configured threshold (number of failed login attempts for Device ID) defined action will be applied for the next login attempt.",
- "maximum" : 100,
- "minimum" : 1,
- "type" : "integer"
- }
- },
- "type" : "object"
- },
"loginAttemptsFromTheSameIp" : {
"description" : "Specifies configuration for detecting brute force attacks from IP Address.",
"properties" : {
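Review bot: dropping `captchaBypassCriteria`, `clientSideIntegrityBypassCriteria`, `detectionCriteria`, `leakedCredentialsCriteria` and `loginAttemptsFromTheSameDeviceId` from the schema is a breaking change for any existing policy that sets those keys, and the patch carries no changelog or deprecation note explaining why distributed brute-force detection, credential-stuffing detection and the Device ID counter are going away. The surviving description at the top of the hunk still promises Brute Force Protection "for all configured login URLs"; after this removal only the same-IP and same-user counters remain, so that text and the brute-force section of policy.html should say so. Also confirm no other schema node still references the removed properties (a `required` list or a `$ref`), since JSON Schema will not catch a dangling reference until a policy is validated.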
@@ -883,11 +737,7 @@
"description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.",
"enum" : [
"alarm",
- "alarm-and-blocking-page",
- "alarm-and-captcha",
- "alarm-and-client-side-integrity",
- "alarm-and-drop",
- "alarm-and-honeypot-page"
+ "alarm-and-blocking-page"
],
"type" : "string"
},
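Review bot: the enum now allows only `alarm` and `alarm-and-blocking-page`, but the `description` string just above the enum still documents `alarm-and-captcha`, `alarm-and-client-side-integrity`, `alarm-and-drop` and `alarm-and-honeypot-page` as valid actions; trim the description to match the enum, or restore the values. The policy.html hunk `@@ -859,6 +866,10 @@` adds those same four bullets, so docs and schema currently point in opposite directions.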
@@ -913,9 +763,7 @@
"default" : "alarm",
"description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.",
"enum" : [
- "alarm",
- "alarm-and-captcha",
- "alarm-and-client-side-integrity"
+ "alarm"
],
"type" : "string"
},
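Review bot: after this change `action` is a single-value enum (`alarm`) with `default: "alarm"`, which makes the property a constant, while the `description` above it still lists `alarm-and-captcha` and `alarm-and-client-side-integrity` and the policy.html hunk `@@ -904,6 +915,8 @@` adds both to the docs. Either keep the challenge actions or shorten the description and explain in the commit why the same-user counter is now log-only; a counter that can only alarm offers no mitigation on its own.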
@@ -934,34 +782,6 @@
},
"type" : "object"
},
- "measurementPeriod" : {
- "default" : 900,
- "description" : "Defines detection period (measured in seconds) for distributed brute force attacks.",
- "maximum" : 90000,
- "minimum" : 60,
- "type" : "integer"
- },
- "preventionDuration" : {
- "default" : "3600",
- "description" : "Defines prevention period (measured in seconds) for distributed brute force attacks.",
- "oneOf" : [
- {
- "maximum" : 90000,
- "minimum" : 60,
- "type" : "integer"
- },
- {
- "enum" : [
- "unlimited"
- ],
- "type" : "string"
- },
- {
- "pattern" : "\\d+$",
- "type" : "string"
- }
- ]
- },
"reEnableLoginAfter" : {
"default" : 3600,
"description" : "Defines prevention period (measured in seconds) for source-based brute force attacks.",
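Review bot: removing `measurementPeriod` and `preventionDuration` is consistent with the earlier removal of `detectionCriteria` (whose `failedLoginAttemptsRateReached` description referenced `measurementPeriod`), but nothing in this patch touches the rows for these two fields in policy.html; if that page documents them, it will now describe properties the schema rejects. The remaining `reEnableLoginAfter` description ("prevention period ... for source-based brute force attacks") still reads as if a distributed-attack counterpart exists; reword it now that there is none.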
@@ -2897,6 +2717,66 @@
}
]
},
+ "login-enforcement" : {
+ "oneOf" : [
+ {
+ "properties" : {
+ "authenticatedUrls" : {
+ "default" : [],
+ "items" : {
+ "type" : "string"
+ },
+ "type" : "array"
+ },
+ "expirationTimePeriod" : {
+ "default" : "disabled",
+ "oneOf" : [
+ {
+ "maximum" : 99999,
+ "minimum" : 0,
+ "type" : "integer"
+ },
+ {
+ "enum" : [
+ "disabled"
+ ],
+ "type" : "string"
+ },
+ {
+ "pattern" : "\\d+$",
+ "type" : "string"
+ }
+ ]
+ },
+ "logoutUrls" : {
+ "items" : {
+ "properties" : {
+ "requestContains" : {
+ "type" : "string"
+ },
+ "requestOmits" : {
+ "type" : "string"
+ },
+ "url" : {
+ "$ref" : "#/properties/policy/properties/urls/oneOf/0/items",
+ "type" : "object"
+ }
+ },
+ "required" : [
+ "url"
+ ],
+ "type" : "object"
+ },
+ "type" : "array"
+ }
+ },
+ "type" : "object"
+ },
+ {
+ "$ref" : "#/definitions/reference"
+ }
+ ]
+ },
"login-pages" : {
"oneOf" : [
{
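Review bot: the `"pattern" : "\\d+$"` branch of `expirationTimePeriod` is anchored only at the end, so a string such as `"abc60"` validates and the policy loads with an unparseable value; use `^\\d+$`. The pattern is copied from the `preventionDuration` block removed above, so the bug predates this patch, but it should not be carried forward. Beyond that: none of the new properties has a `description`, unlike every other property in this schema; `minimum: 0` on the integer branch overlaps in meaning with the `"disabled"` string, so state whether 0 also disables expiration or is a literal zero-second period; and `logoutUrls` items require only `url`, so an entry with neither `requestContains` nor `requestOmits` is valid without the schema saying whether every request to that URL then counts as a logout.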