This article describes how to write an Application Firewall policy and associated profile to protect a shopping cart application.
Summary
Shopping cart applications handle sensitive private customer information, such as credit card numbers, and access back-end database servers, so they often need a special Application Firewall configuration to protect them. This article describes how to create a profile to protect this type of application, and a policy to detect connections to the shopping cart.
Configuring the Application Firewall Profile
The examples below show the commands to add an Application Firewall profile at the CLI that provides protection for a shopping cart application:
First, you add the profile:
> add appfw profile shopping_cart -defaults advanced
Next, you configure the Start URL check:
> set appfw profile shopping_cart -startURLAction LEARN LOG STATS -startURLClosure ON
The Start URL check verifies that users are accessing an appropriate URL on your site rather than trying out random URLs (also called forceful browsing). Hackers and malicious code often breach security on web sites by accessing URLs to which they should not have access, or by forceful browsing.
For a newly-created profile, you will usually want to leave blocking off for this and most other checks so that user connections are not blocked by mistake while the Application Firewall learns the necessary configuration relaxations (exceptions) for your site. So you should omit the BLOCK flag from your configuration. You enable learning mode with the LEARN flag, enable logging with the LOG flag, and tell the Application Firewall to maintain statistics for this check with the STATS flag.
For the Start URL rule, you also should enable URL closure to simplify your configuration. If URL closure is enabled, the Application Firewall allows users to connect to any URL that they reach by clicking a link on another web page on your web site.
Next, you configure the Cookie Consistency check:
> set appfw profile shopping_cart -cookieConsistencyAction LEARN LOG STATS
The Cookie Consistency check verifies that cookies a user's browser returns to your web server were originally set by your server, and have not been modified by the client. Hackers can breach site security using unauthorized cookie modifications.
Next, you configure the Form Field Consistency check:
> set appfw profile shopping_cart -fieldConsistencyAction LEARN LOG STATS
The Form Field Consistency check ensures that the information a user returns using a web form on your web site is of a type that is appropriate for that web form. Hackers and malicious code will attempt to breach site security by including wildly inappropriate types or quantities of data in a web form.
Next, you configure the SQL Injection check:
> set appfw profile shopping_cart -SQLInjectionAction LEARN LOG STATS -SQLInjectionTransformSpecialChars ON
The SQL Injection check specifically checks for unauthorized SQL commands injected into your web server using a web form, and blocks those commands. You should always enable this rule for any web server that has access to a back-end SQL database server.
For this rule, you also want to turn on the Transform SQL Special Characters feature. This feature detects any special characters that activate SQL commands on an SQL server, and replaces them with harmless equivalents. If you turn this feature on, you can safely leave blocking disabled for this filter and still protect your database server.
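The following is an added illustration, not code from the original article or from the Application Firewall itself, of how a non-blocking SQL Injection check with special-character transformation behaves: the check logs and counts violations, but the request that reaches the application carries transformed field values, so the database never sees the raw metacharacters. The transformation table, the field names and the sample form values are constructed assumptions; the real feature's rules and coverage differ.

```python
import re

# Constructed, simplified transformation table (assumption: the actual
# Application Firewall rules are more extensive). Each sequence that carries
# meaning to an SQL parser is replaced with a neutral equivalent so the
# back-end treats it as plain text.
SQL_TRANSFORMS = [
    ("'", "''"),      # double the string delimiter
    ("--", "- -"),    # break the comment introducer
    ("/*", "/ *"),
    ("*/", "* /"),
    (";", " "),       # statement separator becomes whitespace
]


def transform_sql_special_chars(value: str) -> str:
    """Replace every special sequence in a single form field value."""
    for seq, replacement in SQL_TRANSFORMS:
        value = value.replace(seq, replacement)
    return value


def check_sql_injection(form_fields: dict, action=("LOG", "STATS")) -> tuple:
    """Model of the SQL Injection check with TransformSpecialChars ON.

    Returns (fields forwarded to the application, log lines, stats).
    Without BLOCK in the action list the request is forwarded with the
    transformed values; with BLOCK it is dropped (fields is None).
    """
    logs, stats, forwarded = [], {"violations": 0}, {}
    block_request = False
    for name, value in form_fields.items():
        found = [seq for seq, _ in SQL_TRANSFORMS if seq in value]
        if found:
            stats["violations"] += 1          # STATS: count the hit
            logs.append(f"SQLInjection field={name} specials={found}")  # LOG
            if "BLOCK" in action:
                block_request = True
            forwarded[name] = transform_sql_special_chars(value)
        else:
            forwarded[name] = value
    if block_request:
        return None, logs, stats
    return forwarded, logs, stats


# Constructed sample form submission: one injection attempt and one legitimate
# value (a surname with an apostrophe) that the check also flags, which is the
# kind of false positive that learning mode and relaxations exist to handle.
SAMPLE_FORM = {
    "item": "widget",
    "qty": "1' OR '1'='1",
    "name": "O'Brien",
}

if __name__ == "__main__":
    fields, logs, stats = check_sql_injection(SAMPLE_FORM)
    print(fields)
    print("\n".join(logs))
    print(stats)
```

Running it shows the quantity field arriving at the application as `1'' OR ''1''=''1`, which a query treats as a literal string rather than as an altered condition, while the log records both flagged fields for later review.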
Finally, you configure protection for credit card numbers for those credit cards that your shopping cart application accepts:
> set appfw profile shopping_cart -creditCardAction LOG STATS -creditCardXOut ON -creditCard VISA MasterCard Amex
The Credit Card check examines responses from your web server to users to ensure that they do not contain unmasked credit card numbers. The command as shown above assumes that you accept Visa, MasterCard, and American Express. You can also enable protection for Discover, Diner's Club, and JCB credit cards.
The Credit Card check does not support learning, so the command does not contain the LEARN flag. The command enables masking of credit card numbers with the -creditCardXOut ON option. This option tells the Application Firewall to mask out any credit card numbers it finds using the letter x.
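As an added example (not code from the article or from the Application Firewall), the following models the Credit Card check on a server response: candidate digit runs are validated with the Luhn checksum, classified against the card types the profile accepts, counted and logged, and, when X-out is on, every digit of a matching number is replaced with the letter x. The prefix and length table, the sample response text and the masking of all digits are constructed assumptions; the product's own detection tables and exact masking pattern may differ.

```python
import re

# Constructed card-type rules (assumption: simplified from public issuer
# prefixes, not the Application Firewall's own tables).
CARD_TYPES = {
    "VISA": (re.compile(r"^4"), {13, 16}),
    "MasterCard": (re.compile(r"^5[1-5]"), {16}),
    "Amex": (re.compile(r"^3[47]"), {15}),
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (order ids, tracking numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_type(digits: str):
    """Return the card type name for a digit string, or None if no rule matches."""
    for name, (prefix, lengths) in CARD_TYPES.items():
        if prefix.match(digits) and len(digits) in lengths:
            return name
    return None


def credit_card_check(body: str, accepted=("VISA", "MasterCard", "Amex"), xout=True):
    """Model of -creditCardAction LOG STATS with -creditCardXOut ON/OFF.

    Returns (response body to send, log lines, stats). Only numbers of an
    accepted type that pass Luhn are treated as card numbers.
    """
    logs, stats = [], {"found": 0}

    def inspect(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        ctype = card_type(digits)
        if ctype is None or ctype not in accepted or not luhn_ok(digits):
            return raw                      # not a card number we protect
        stats["found"] += 1                 # STATS
        logs.append(f"CreditCard type={ctype} xout={xout}")  # LOG
        if not xout:
            return raw                      # detect and log only
        return re.sub(r"\d", "x", raw)      # keep separators, mask digits

    return CANDIDATE.sub(inspect, body), logs, stats


# Constructed response body: two accepted cards (well-known test numbers), a
# Discover number the profile does not protect, and a Visa-shaped reference
# number that fails Luhn and is therefore left alone.
SAMPLE_RESPONSE = (
    "Thank you. Visa 4111-1111-1111-1111 charged; Amex 3782 822463 10005; "
    "Discover 6011111111111117; ref 4111111111111112."
)

if __name__ == "__main__":
    masked, logs, stats = credit_card_check(SAMPLE_RESPONSE)
    print(masked)
    print("\n".join(logs))
    print(stats)
```

Calling `credit_card_check(SAMPLE_RESPONSE, xout=False)` gives the behaviour of the command without the -creditCardXOut ON option: the same two numbers are logged and counted, but the response is passed through unchanged, which is why the masking option matters for a shopping cart that echoes payment details back to the user.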
Configuring the Application Firewall Policy
The example below shows the command to add an Application Firewall policy at the CLI that detects all connections to the sample host shopping.example.com:
> add appfw policy shopping_cart "REQ.HTTP.HEADER URL CONTAINS shopping.example.com" shopping_cart
The example below shows the command to add an Application Firewall policy at the CLI that detects all connections to any page within the URI path www.example.com/shopping/cart/:
> add appfw policy shopping_cart "REQ.HTTP.HEADER URL CONTAINS 'www.example.com/shopping/cart'" shopping_cart
To use either example, copy and paste it, replacing the sample host or URI path with the appropriate information for your web servers.
More Information