Website Profiles

The learned structure of an application is called the profile of the website. Website profiles are made up of URL profiles and profiles for the parameters of those URLs. A URL profile lists the allowed values of fields such as HTTP methods, the name and type of each parameter, query strings and length-based restrictions. A parameter profile defines the allowed format of each parameter using either a negative or positive security model and includes length restrictions.

Website Profiles allow you to create specific rules to fine-tune the security settings of a Service. They do not modify the default security policy settings; they refine the security settings of one particular Service. For more information, see Configuring Website Profiles.

The following diagram shows where Website Profiles are enforced in the Request/Response evaluation flow:

[Figure: 04 - Stage 2 with Positive Security]

For more information on the complete evaluation flow for requests and responses, refer to Evaluation Policy and Flow.

To Update a Website Profile

URL: /v1/virtual_services/{virtual_service_id}

Method: PUT

Description: Updates the values of given parameters in the given website profile.

Input Parameters (Parameter Name, Data Type, Mandatory, Description):

use_profile (String, Optional)
  Specifies whether or not to validate the incoming requests against the URL profiles and parameter profiles. The values include:
  • yes
  • no

strict_profile_check (String, Optional)
  Specifies whether or not to enforce strict profile checks for the requests coming to the specified service. The values include:
  • yes
  • no

mode (Enumeration, Optional)
  Specifies the mode of the website profile for the specified service. The enumerated values include:
  • active - allows or blocks the requests coming to the web application by validating them against the URL profiles.
  • passive - validates the requests against the URL profiles and logs the request errors.
  • learning - starts learning the selected web application.

allowed_domains (Alphanumeric, Optional)
  Specifies the domains or IP addresses of the Service whose requests/responses should be validated against the URL and parameter profiles.

exclude_url_patterns (Alphanumeric, Optional)
  Specifies the URL patterns to be excluded from the URL profile validations.

include_url_patterns (Alphanumeric, Optional)
  Specifies the URL patterns to be included in the URL profile validations even if they also match the exclude_url_patterns parameter.

Example: Updating a Website Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/service_4 -u 'eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"website_profiles":{"use_profile":"yes","strict_profile_check":"no","mode":"passive","allowed_domains":["*","www.abc.com","99.99.1.119"],"exclude_url_patterns":["*.jpg","*.txt"],"include_url_patterns":["*.jpeg"]}}'

Response:

{"id":"service_4","token":"eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n"}

To Create a URL Profile

URL: /v1/virtual_services/{virtual_service_id}/url_profiles

Method: POST

Description: Creates a URL profile with the given values.

Input Parameters (Parameter Name, Data Type, Mandatory, Description):

name (Alphanumeric, Yes)
  Name of the URL profile.

status (String, Optional)
  Specifies whether or not to validate the requests coming to the specified service using this URL profile. The values include:
  • on
  • off

url (URL, Yes)
  A URL to be matched against the URL in the request.

extended_match (String, Yes)
  An expression that consists of a combination of HTTP headers and/or query string parameters. For information on how to write extended match expressions, refer to Extended Match Syntax Help.

extended_match_sequence (Numeric, Yes)
  A number indicating the order in which the extended match rule is evaluated against requests.

mode (String, Optional)
  The mode of the website profile for this service. The values include:
  • passive - validates the requests against the URL profile and logs the request errors.
  • active - allows or blocks the requests coming to this web application by validating them against this URL profile.
  • learning - starts learning the selected web application if the Adaptive Profiling 'Status' is set to 'On'.

allow_query_string (String, Optional)
  Specifies whether or not to allow a query string in the URL. The values include:
  • yes
  • no

hidden_parameter_protection (Enumeration, Optional)
  Specifies whether or not to protect hidden parameters in forms and URLs. The enumerated values include:
  • none
  • forms
  • forms_and_urls

csrf_prevention (Enumeration, Optional)
  Specifies whether or not to prevent cross-site request forgery attacks on forms and URLs. The enumerated values include:
  • none
  • forms
  • forms_and_urls

max_content_length (Numeric, Optional)
  Specifies the maximum allowable length of the content, that is, the request body. The Content-Length header indicates the size of the content in the request body.
  Note: Only requests with a Content-Length: header are validated. Requests encoded using "Chunked Encoding" DO NOT have a Content-Length: header, and therefore are not subject to the Content Length check.

maximum_parameter_name_length (Numeric, Optional)
  Specifies the maximum length of a parameter name in the request.

maximum_upload_files (Numeric, Optional)
  Specifies the maximum number of files that can be uploaded in one request.

blocked_attack_types (String, Optional)
  Specifies the attack types that need to be matched in the requests/responses. The values include:
  • os_command_injection
  • http_specific_injection
  • remote_file_inclusion_strict
  • remote_file_inclusion
  • ldap_injection
  • sql_injection
  • apache_struts_attacks
  • os_command_injection_strict
  • sql_injection_strict
  • python_php_attacks
  • cross_site_scripting
  • cross_site_scripting_strict

custom_blocked_attack_types (String, Optional)
  Specifies the custom attack types that need to be matched in the requests/responses.

Example: Creating a URL Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/service_4/url_profiles -u 'eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n:' -X POST -H Content-Type:application/json -d '{"name": "url_test","url":"/index.html","status":"on","extended_match_sequence":"2","extended_match":"*","mode":"learning","allow_query_string":"yes","hidden_parameter_protection":"none","csrf_prevention":"none","max_content_length":"1073741823","maximum_parameter_name_length":"1023","maximum_upload_files":"100","comment":"URL Profile"}'

Response:

{"id":"url_test","token":"eyJldCI6IjI2NTk5MzgyMjAiLCJwYXNzd29yZCI6IjNiM2QzZDExYzE5NjhkY2QyYjNhMTMxM2Jm\nNTE5YzczIiwidXNlciI6ImFkbWluIn0=\n"}
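The request bodies for Update a Website Profile and Create a URL Profile above are hand-written JSON, and a single typographic quote in the -d argument (as in "on” instead of "on") is rejected by the appliance rather than caught locally. The following added example, which is my own code and not part of the appliance or its documentation, checks a body against the field types, enumerations and mandatory fields listed in those two parameter tables before the request is sent. The dictionary and function names (WEBSITE_PROFILE_FIELDS, URL_PROFILE_FIELDS, validate_payload, parse_body, build_request) are assumptions; the base URL, path and token handling mirror the curl examples on this page, where -u 'TOKEN:' becomes an Authorization: Basic header.

```python
"""Client-side checks for Website Profile and URL Profile request bodies.

Added example; not the appliance's own code or documentation. Field types,
enumerations and mandatory fields come from the parameter tables for
Update a Website Profile and Create a URL Profile. Helper names are mine.
"""
import base64
import json
from urllib.request import Request

YES_NO = ("yes", "no")
ON_OFF = ("on", "off")
MODES = ("active", "passive", "learning")
PROTECTION = ("none", "forms", "forms_and_urls")
ATTACK_TYPES = (
    "os_command_injection", "http_specific_injection",
    "remote_file_inclusion_strict", "remote_file_inclusion", "ldap_injection",
    "sql_injection", "apache_struts_attacks", "os_command_injection_strict",
    "sql_injection_strict", "python_php_attacks", "cross_site_scripting",
    "cross_site_scripting_strict",
)

# field -> (kind, constraint): enum values, a list's allowed members, or None.
WEBSITE_PROFILE_FIELDS = {
    "use_profile": ("enum", YES_NO),
    "strict_profile_check": ("enum", YES_NO),
    "mode": ("enum", MODES),
    "allowed_domains": ("list", None),
    "exclude_url_patterns": ("list", None),
    "include_url_patterns": ("list", None),
}
URL_PROFILE_FIELDS = {
    "name": ("text", None),
    "status": ("enum", ON_OFF),
    "url": ("text", None),
    "extended_match": ("text", None),
    "extended_match_sequence": ("numeric", None),
    "mode": ("enum", MODES),
    "allow_query_string": ("enum", YES_NO),
    "hidden_parameter_protection": ("enum", PROTECTION),
    "csrf_prevention": ("enum", PROTECTION),
    "max_content_length": ("numeric", None),
    "maximum_parameter_name_length": ("numeric", None),
    "maximum_upload_files": ("numeric", None),
    "blocked_attack_types": ("list", ATTACK_TYPES),
    "custom_blocked_attack_types": ("list", None),
    "comment": ("text", None),  # sent in the page's example, not listed in the table
}
URL_PROFILE_REQUIRED = ("name", "url", "extended_match", "extended_match_sequence")


def validate_payload(fields, required, payload):
    """Return a list of problems; an empty list means the body passes every check."""
    problems = [f"missing mandatory field {k}" for k in required if k not in payload]
    for key, value in payload.items():
        if key not in fields:
            problems.append(f"unknown field {key}")
            continue
        kind, constraint = fields[key]
        if kind == "enum" and value not in constraint:
            problems.append(f"{key}: {value!r} not in {constraint}")
        elif kind == "numeric" and not str(value).isdigit():
            problems.append(f"{key}: {value!r} is not a non-negative integer")
        elif kind == "list":
            if not isinstance(value, list):
                problems.append(f"{key}: expected a list")
            elif constraint is not None:
                unknown = [v for v in value if v not in constraint]
                if unknown:
                    problems.append(f"{key}: unknown values {unknown}")
    return problems


def parse_body(raw):
    """Parse the text that would follow curl's -d; returns (object, error).

    A typographic closing quote pasted into the JSON fails here, locally,
    instead of producing an error from the appliance.
    """
    try:
        return json.loads(raw), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON at offset {exc.pos}: {exc.msg}"


def build_request(base_url, token, method, path, body):
    """Assemble the request the curl examples send; nothing is transmitted here.

    curl -u 'TOKEN:' is equivalent to an Authorization: Basic header over "TOKEN:".
    """
    creds = base64.b64encode(f"{token}:".encode()).decode()
    return Request(
        base_url + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + creds},
    )


if __name__ == "__main__":
    # Constructed body mirroring the Create a URL Profile example above.
    body = {"name": "url_test", "url": "/index.html", "status": "on",
            "extended_match_sequence": "2", "extended_match": "*",
            "mode": "learning", "csrf_prevention": "none"}
    print(validate_payload(URL_PROFILE_FIELDS, URL_PROFILE_REQUIRED, body))
    print(parse_body('{"status":"on\u201d}')[1])
```

Run validate_payload on the parsed body and send only when it returns an empty list; build_request then yields a urllib Request that urlopen can submit to the appliance.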

To Retrieve a URL Profile

URL: /v1/virtual_services/{virtual_service_id}/url_profiles
     /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}

Method: GET

Description: Lists all URL profiles if "url_profile_id" is not specified; otherwise returns the given URL profile.

Input Parameters (Parameter Name, Data Type, Mandatory, Description):

parameters (Alphanumeric, Optional)
  Any specific parameter name that needs to be retrieved.

Example: Retrieving a URL Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/service_4/url_profiles/url_test -u 'eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n:' -X GET

Response:

{"extended_match_sequence":"2","maximum_parameter_name_length":"10","status":"on","mode":"active","extended_match":"*","blocked_attack_types":["os_command_injection","http_specific_injection","remote_file_inclusion_strict","remote_file_inclusion","ldap_injection","sql_injection","apache_struts_attacks","os_command_injection_strict","sql_injection_strict","python_php_attacks"],"custom_blocked_attack_types":["abcd"],"csrf_prevention":"forms","url":"/index.html","read":"1","id":"url_test","token":"eyJldCI6IjI2NTk5MzgyMjAiLCJwYXNzd29yZCI6IjNiM2QzZDExYzE5NjhkY2QyYjNhMTMxM2Jm\nNTE5YzczIiwidXNlciI6ImFkbWluIn0=\n","max_content_length":"100","allowed_content_types":["text/xml","application/x-www-form-urlencoded"],"hidden_parameter_protection":"forms","name":"url_test","allow_query_string":"yes","display_name":null,"maximum_upload_files":"10","comment":"Test-urlprofile","allowed_methods":["GET","POST"],"referrers_for_the_url_profile":["http://abcd","http://xyz"],"created_by":"Manual","exception_patterns":["sql-quote","script-tag"]}
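The GET response is the record of what the appliance actually enforces for a URL profile, so it is the right input for a configuration audit rather than the body last sent with PUT. The following added example, my own code and not part of the appliance or its documentation, loads the response shown above (token removed) and compares it with a hardening baseline: enforcing mode, CSRF and hidden-parameter protection enabled, the full blocked_attack_types list, a bounded method set, and any exception_patterns flagged for review. The BASELINE values and the helper name audit_url_profile are assumptions chosen for illustration; on the page's own sample data the audit reports that the two cross_site_scripting types are not blocked and that two exception patterns are in effect.

```python
"""Audit a retrieved URL profile against a hardening baseline.

Added example, not the appliance's code. SAMPLE_PROFILE is the response
shown above for GET .../url_profiles/url_test with the token removed.
BASELINE holds assumed target values chosen for illustration, and
audit_url_profile is my own helper.
"""
import json

ALL_ATTACK_TYPES = {
    "os_command_injection", "http_specific_injection",
    "remote_file_inclusion_strict", "remote_file_inclusion", "ldap_injection",
    "sql_injection", "apache_struts_attacks", "os_command_injection_strict",
    "sql_injection_strict", "python_php_attacks", "cross_site_scripting",
    "cross_site_scripting_strict",
}

SAMPLE_PROFILE = json.loads('''{"extended_match_sequence":"2","maximum_parameter_name_length":"10",
"status":"on","mode":"active","extended_match":"*","blocked_attack_types":["os_command_injection",
"http_specific_injection","remote_file_inclusion_strict","remote_file_inclusion","ldap_injection",
"sql_injection","apache_struts_attacks","os_command_injection_strict","sql_injection_strict",
"python_php_attacks"],"custom_blocked_attack_types":["abcd"],"csrf_prevention":"forms",
"url":"/index.html","read":"1","id":"url_test","max_content_length":"100",
"allowed_content_types":["text/xml","application/x-www-form-urlencoded"],
"hidden_parameter_protection":"forms","name":"url_test","allow_query_string":"yes",
"display_name":null,"maximum_upload_files":"10","comment":"Test-urlprofile",
"allowed_methods":["GET","POST"],"referrers_for_the_url_profile":["http://abcd","http://xyz"],
"created_by":"Manual","exception_patterns":["sql-quote","script-tag"]}''')

# Assumed baseline: what a hardened profile for this URL is expected to look like.
BASELINE = {
    "status": "on",
    "mode": "active",                    # passive only logs; learning does not enforce
    "csrf_prevention": {"forms", "forms_and_urls"},
    "hidden_parameter_protection": {"forms", "forms_and_urls"},
    "allowed_methods": {"GET", "POST"},  # any method beyond this set is a finding
    "max_content_length": 1048576,       # 1 MiB ceiling; a tighter value is fine
    "max_upload_files": 10,
}


def audit_url_profile(profile, baseline=BASELINE):
    """Return human-readable findings; an empty list means the profile meets the baseline."""
    findings = []
    for key in ("status", "mode"):
        if profile.get(key) != baseline[key]:
            findings.append(f"{key} is {profile.get(key)!r}, expected {baseline[key]!r}")
    for key in ("csrf_prevention", "hidden_parameter_protection"):
        if profile.get(key) not in baseline[key]:
            findings.append(f"{key} is {profile.get(key)!r}, expected one of {sorted(baseline[key])}")
    missing = ALL_ATTACK_TYPES - set(profile.get("blocked_attack_types", []))
    if missing:
        findings.append(f"blocked_attack_types missing {sorted(missing)}")
    extra = set(profile.get("allowed_methods", [])) - baseline["allowed_methods"]
    if extra:
        findings.append(f"allowed_methods permits {sorted(extra)}")
    if int(profile.get("max_content_length", 0)) > baseline["max_content_length"]:
        findings.append("max_content_length above baseline")
    if int(profile.get("maximum_upload_files", 0)) > baseline["max_upload_files"]:
        findings.append("maximum_upload_files above baseline")
    # exception_patterns switch off named patterns inside a malicious pattern
    # group; each entry needs a documented reason, so list them for review.
    if profile.get("exception_patterns"):
        findings.append(f"exception_patterns present: {profile['exception_patterns']}")
    return findings


if __name__ == "__main__":
    for line in audit_url_profile(SAMPLE_PROFILE):
        print("-", line)
```

Running this over every profile returned by the list form of the GET endpoint gives a drift report for the whole service; a profile created by adaptive learning (created_by other than "Manual") is worth reviewing with the same function before its mode is switched to active.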

To Update a URL Profile

URL: /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}

Method: PUT

Description: Updates the values of given parameters in the given URL profile.

Input Parameters (Parameter Name, Data Type, Mandatory, Description):

status (String, Optional)
  Specifies whether or not to validate the requests coming to the specified service using this URL profile. The values include:
  • on
  • off

url (URL, Optional)
  Specifies the URL to be matched against the URL in the request.

extended_match (String, Optional)
  An expression that consists of a combination of HTTP headers and/or query string parameters. For information on how to write extended match expressions, refer to Extended Match Syntax Help.

extended_match_sequence (Numeric, Optional)
  Specifies the number indicating the order in which the extended match rule is evaluated against requests.

mode (String, Optional)
  Specifies the mode of the website profile for the service. The values include:
  • passive - validates the requests against the URL profile and logs the request errors.
  • active - allows or blocks the requests coming to this web application by validating them against this URL profile.
  • learning - starts learning the selected web application if the Adaptive Profiling 'Status' is set to 'On'.

allowed_methods (Alphabetic, Optional)
  Specifies the HTTP methods to be allowed in the request.

allow_query_string (String, Optional)
  Specifies whether or not to allow a query string in the URL. The values include:
  • yes
  • no

allowed_content_types (Alphabetic, Optional)
  Specifies the content types to be allowed in the POST body of a URL.

hidden_parameter_protection (Enumeration, Optional)
  Specifies whether or not to protect hidden parameters in forms and URLs. The enumerated values include:
  • none
  • forms
  • forms_and_urls

csrf_prevention (Enumeration, Optional)
  Specifies whether or not to prevent cross-site request forgery attacks on forms and URLs. The enumerated values include:
  • none
  • forms
  • forms_and_urls

max_content_length (Numeric, Optional)
  Specifies the maximum allowable length of the content, that is, the request body. The Content-Length header indicates the size of the content in the request body.
  Note: Only requests with a Content-Length: header are validated. Requests encoded using "Chunked Encoding" DO NOT have a Content-Length: header, and therefore are not subject to the Content Length check.

maximum_parameter_name_length (Numeric, Optional)
  Specifies the maximum length of a parameter name in the request.

referrers_for_the_url_profile (Alphanumeric, Optional)
  Specifies the address (URI) of the resource from which the Request URI was obtained. With adaptive profiling, the referrers are learned as the profile sources. This referrer is not the same as the Referrer used in CSRF protection.

maximum_upload_files (Numeric, Optional)
  Specifies the maximum number of files that can be uploaded in one request.

exception_patterns (Alphanumeric, Optional)
  Specifies the patterns to be allowed as exceptions even though they are part of a malicious pattern group. The configuration should be the exact "Pattern Name" as found on the ADVANCED > View Internal Patterns page or as defined during the creation of a "New Group" through the ADVANCED > Libraries page.

blocked_attack_types (String, Optional)
  Specifies the attack types that need to be matched in the requests/responses. The values include:
  • os_command_injection
  • http_specific_injection
  • remote_file_inclusion_strict
  • remote_file_inclusion
  • ldap_injection
  • sql_injection
  • apache_struts_attacks
  • os_command_injection_strict
  • sql_injection_strict
  • python_php_attacks
  • cross_site_scripting
  • cross_site_scripting_strict

custom_blocked_attack_types (String, Optional)
  Specifies the custom attack types that need to be matched in the requests/responses.
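The max_content_length notes in the Create a URL Profile and Update a URL Profile tables both state that the limit is compared with the request's Content-Length header and that a chunked request, which has no such header, is not subject to the check. The following added example, my own code and not the appliance's, makes that rule explicit over a few constructed request heads so that a practitioner can see exactly which requests the limit bounds and which it does not. parse_request_head and content_length_verdict are my own helpers; enforce_streaming_limit is a generic complement that counts body bytes as they arrive, which is how a body limit can still be applied to chunked requests in your own service layer, and the page does not describe it as an appliance feature. The limit of 100 matches the url_test profile shown above.

```python
"""Which requests the max_content_length check actually covers.

Added example, not the appliance's code. content_length_verdict reproduces
the rule from the max_content_length notes: compare the Content-Length
header with the limit; a chunked request has no such header, so it is not
checked. enforce_streaming_limit is a generic complement for chunked
bodies that the page does not attribute to the appliance. All sample
requests below are constructed.
"""


def parse_request_head(raw):
    """Split a raw HTTP request head into (request line, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def content_length_verdict(headers, max_content_length):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'not_checked'."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return "not_checked", "chunked body has no Content-Length header to compare"
    if "content-length" not in headers:
        return "not_checked", "no Content-Length header"
    try:
        length = int(headers["content-length"])
    except ValueError:
        return "block", "malformed Content-Length"
    if length < 0:
        return "block", "negative Content-Length"
    if length > max_content_length:
        return "block", f"Content-Length {length} exceeds max_content_length {max_content_length}"
    return "allow", f"Content-Length {length} within max_content_length {max_content_length}"


def enforce_streaming_limit(chunks, max_content_length):
    """Count body bytes as they arrive; returns (within_limit, bytes_seen_when_stopping)."""
    total = 0
    for chunk in chunks:
        total += len(chunk)
        if total > max_content_length:
            return False, total
    return True, total


# Constructed sample request heads; the limit of 100 matches the url_test profile.
SAMPLES = {
    "declared": "POST /index.html HTTP/1.1\r\nHost: www.abc.com\r\nContent-Length: 120\r\n\r\n",
    "small":    "POST /index.html HTTP/1.1\r\nHost: www.abc.com\r\nContent-Length: 64\r\n\r\n",
    "chunked":  "POST /index.html HTTP/1.1\r\nHost: www.abc.com\r\nTransfer-Encoding: chunked\r\n\r\n",
    "get":      "GET /index.html HTTP/1.1\r\nHost: www.abc.com\r\n\r\n",
}


def verdicts(limit=100):
    """Run every sample through the check and return {name: verdict}."""
    out = {}
    for name, raw in SAMPLES.items():
        _, headers = parse_request_head(raw)
        out[name] = content_length_verdict(headers, limit)[0]
    return out


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:8} -> {verdict}")
    # Three 40-byte chunks against a 100-byte limit: stopped after the third.
    print(enforce_streaming_limit([b"a" * 40, b"b" * 40, b"c" * 40], 100))
```

The "declared" request is blocked and the "small" one allowed, while the chunked POST and the body-less GET both come back as not_checked; if your application must bound chunked uploads as well, apply a streaming counter like enforce_streaming_limit behind the appliance.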

Example: Updating a URL Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/url_encryption/url_profiles/url_test -u 'eyJldCI6IjE0NjU4Mzg3NjMiLCJwYXNzd29yZCI6IjJmNDM2ZjQxOTdkN2IyZGEwNzBkNTUzMWU1\nY2UzNDUxIiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"url":"/index.html","extended_match_sequence":"2","status":"on","extended_match":"*","mode":"active","allow_query_string":"yes","hidden_parameter_protection":"forms","csrf_prevention":"forms","max_content_length":"100","maximum_parameter_name_length":"10","maximum_upload_files":"10","blocked_attack_types":["os_command_injection","http_specific_injection","remote_file_inclusion_strict","remote_file_inclusion","ldap_injection","sql_injection","apache_struts_attacks","os_command_injection_strict","sql_injection_strict"],"comment":"Test-urlprofile","allowed_methods":["GET","POST"],"allowed_content_types":["text/xml","application/x-www-form-urlencoded"],"referrers_for_the_url_profile":["http://abcd","http://xyz"],"exception_patterns":["sql-quote","script-tag"],"custom_blocked_attack_types":["abcd"]}'

Response:

{"id":"url_test","token":"eyJldCI6IjE0NjU4NDA0NDYiLCJwYXNzd29yZCI6IjUxZWZlOTI2ZWZhMTVmNTUxZjYxYzM2ZTI3\nNTRkMjg5IiwidXNlciI6ImFkbWluIn0=\n"}

To Delete a URL Profile

URL: /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}

Method: DELETE

Description: Deletes the given URL profile.

Example: Deleting a URL Profile

Request:

curl http://10.11.26.132:8000/restapi/v1/virtual_services/service_4/url_profiles/url_test -u 'eyJldCI6IjI2NTk5MzYzMDUiLCJwYXNzd29yZCI6IjBjMjZlNjRiNTFhYTUxMWE0YzhhN2ZkNzQy\nMTllZTg5IiwidXNlciI6ImFkbWluIn0=\n:' -X DELETE

Response:

{"msg":"Successfully deleted","token":"eyJldCI6IjI2NTk5MzgyMjAiLCJwYXNzd29yZCI6IjNiM2QzZDExYzE5NjhkY2QyYjNhMTMxM2Jm\nNTE5YzczIiwidXNlciI6ImFkbWluIn0=\n"}

To Create a Parameter Profile

URL: /v1/virtual_services/{virtual_service_id}/url_profiles/{url_profile_id}/parameter_profiles

Method: POST

Description: Creates a parameter profile with the given values.

Parameter Name

Data Type

Mandatory