How to fix: Request blocked with malicious HTTP header

Affects product: Airlock WAF
Affects version(s): 4.2.x

A request was blocked, but not by an allow rule or a deny rule configured in the Airlock Configuration Center. What is the problem, and what can you do?

Apart from the default deny rules visible in the Configuration Center, Airlock has a few "behind the scenes" HTTP header filters against known attacks. These filters cannot be configured in the Configuration Center.

One of them is a filter against XSS in various HTTP headers. If this hidden deny rule is violated, the following filter notification is logged:

Invalid request detected: Request "/xyz" on mapping "xy" blocked with malicious HTTP header "abc" 

It is not possible to create an exception (whitelist) for these global filters, but you can either change the pattern or disable the filter. First make sure the violation really is a false positive, then follow these steps to relax the hidden deny rules:

Use a regular expression tester and change the pattern (<|%3c)[^+*=-].+(>|%3e)|^[^IE].*['\"][^+*=-].*=[^=>] until it no longer matches the header, for example to: ^[^IE].*['\"][^+*=-].*=[^=>]

In the Configuration Center, go to "Expert Settings" -> "Security Gate", add the following line to the text area, click the "Submit" button, then activate the configuration:

SecurityGateway * AuthproxyFilterDenyHeaderRegex.0 "^[^IE].*['\"][^+*=-].*=[^=>]"

To disable a rule completely, for example the whole XSS header deny rule, use _UNDEFINED_ (without quotes!) as the value:

SecurityGateway * AuthproxyFilterDenyHeaderRegex.0 "[^[:print:][:space:]]"
SecurityGateway * AuthproxyFilterDenyHeaderRegex.1 _UNDEFINED_

Make sure the rules that remain active ("defined") start with AuthproxyFilterDenyHeaderRegex.0.
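The regular-expression test from the first step can be scripted so that it also reports which previously blocked values the relaxed pattern stops catching. This is an added example, not part of the original article or of Airlock's tooling; it assumes Python's re module matches these two patterns the way Airlock's engine does (unanchored, case-sensitive search), and every header value in it is a constructed sample.

```python
import re

# Patterns copied from the article. Assumption: Python's re behaves like
# Airlock's regex engine for them (unanchored, case-sensitive search).
ORIGINAL = r"""(<|%3c)[^+*=-].+(>|%3e)|^[^IE].*['\"][^+*=-].*=[^=>]"""
RELAXED = r"""^[^IE].*['\"][^+*=-].*=[^=>]"""

# Constructed sample: a legitimate header value reported as a false positive.
FALSE_POSITIVES = ["<urn:uuid:3f2a9c1e-0000-4000-8000-000000000001>"]

# Constructed regression set: values the hidden XSS filter is meant to block.
MUST_BLOCK = [
    "<script>alert(1)</script>",
    "%3cimg src=x%3e",
    'a" onload=x',
]


def blocked(pattern, value):
    """True if the deny pattern matches anywhere in the header value."""
    return re.search(pattern, value) is not None


def compare(candidate, false_positives, must_block):
    """Evaluate a candidate replacement pattern.

    Returns (still_blocked, coverage_lost):
      still_blocked - false positives the candidate keeps blocking
      coverage_lost - values the original blocked that the candidate lets pass
    """
    still_blocked = [v for v in false_positives if blocked(candidate, v)]
    coverage_lost = [
        v for v in must_block
        if blocked(ORIGINAL, v) and not blocked(candidate, v)
    ]
    return still_blocked, coverage_lost


if __name__ == "__main__":
    still, lost = compare(RELAXED, FALSE_POSITIVES, MUST_BLOCK)
    print("false positives still blocked:", still)
    print("no longer blocked by candidate:", lost)
```

With these samples the relaxed pattern clears the false positive but no longer matches either angle-bracket value, so check that another control (deny rules on the mapping, back-end output encoding) covers that case before activating the change.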
