Default WAF Policy
Learn about the default protections provided by NGINX Controller App Security.
You can use the NGINX Controller App Security module to configure and manage a web application firewall (WAF). The App Security WAF protects your applications from HTTP and web-based threats, including the OWASP Top 10.
NGINX Controller App Security provides out-of-the-box analytics events and metrics, which are reported through the NGINX Controller API and user interface. App Security works with NGINX App Protect, running NGINX Plus as the WAF in the data path.
The default policy for App Security WAF in NGINX Controller focuses on OWASP Top 10 protection. This policy is the same default policy that is used by NGINX App Protect.
The default policy for NGINX Controller App Security WAF includes these security checks:
|HTTP RFC compliance enforcement||Validation of HTTP requests to prevent the use of the HTTP protocol as an entry point for malicious requests to applications.|
|URL normalization||Decoding of requests that contain different types of encoded escapes.|
|Evasion techniques||Protection for techniques commonly used by hackers to access resources or evade what would otherwise be identified as an attack. The checks performed are:
|Malformed cookie||Validates that the cookie format is RFC compliant.|
|Illegal status code||Responses in the 400–500 range – except for
|Request size exceeds the buffer||Requests that exceed the buffer size|
|Maximum length for URL, header, query string, cookie, and POST data||URL length: 2048; Header length: 4096; Query string length: 2048; Cookie length: 4096; Post data length: 4096|
|Disallowed file type extension||These file types are disallowed:
|Allowed methods||Only these HTTP methods are allowed:
|Character/Metacharacter validation in URL and header||Metacharacters are checked in the URL and header.|
|Parameter parsing||NGINX Controller App Security auto-detects the payload type for JSON and XML. App Security then applies the signature that matches the correct format.|
|JSON format||If the content is JSON, then App Security checks that the JSON payload body is well-formed. The max structure depth and max array length may not exceed 25. No JSON schema enforcement.|
|DTD XML format||If the content is XML, then App Security checks that an XML payload body is well-formed. No XML schema enforcement. No SOAP and Web Services Security format enforcement.|
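The size and JSON limits in the table above can be checked against known-good application traffic before the policy is enforced, to find legitimate requests that would be flagged. This is an added example, not NGINX code; `check_request`, `json_shape` and the sample request are hypothetical, and it assumes sizes are counted in bytes, that the URL limit applies to the path, and that header and cookie limits apply per item.

```python
import json
from urllib.parse import urlsplit

# Limits from the default-policy table. Assumed: bytes, per header / per cookie.
LIMITS = {"url": 2048, "header": 4096, "query_string": 2048,
          "cookie": 4096, "post_data": 4096}
JSON_MAX = 25  # max structure depth and max array length


def json_shape(node, depth=1):
    """Return (deepest nesting level, longest array) of a parsed JSON value."""
    if not isinstance(node, (dict, list)):
        return depth - 1, 0
    deepest, longest = depth, len(node) if isinstance(node, list) else 0
    for child in (node.values() if isinstance(node, dict) else node):
        d, a = json_shape(child, depth + 1)
        deepest, longest = max(deepest, d), max(longest, a)
    return deepest, longest


def check_request(target, headers, body=b""):
    """List the documented default limits this request would exceed."""
    parts = urlsplit(target)
    sizes = [("url", len(parts.path.encode())),
             ("query_string", len(parts.query.encode())),
             ("post_data", len(body))]
    for name, value in headers.items():
        if name.lower() == "cookie":
            sizes += [("cookie", len(c.strip().encode())) for c in value.split(";")]
        else:
            sizes.append(("header", len(value.encode())))
    findings = [f"{kind} length {size} > {LIMITS[kind]}"
                for kind, size in sizes if size > LIMITS[kind]]
    if headers.get("Content-Type", "").startswith("application/json"):
        try:
            depth, longest = json_shape(json.loads(body))
        except ValueError:  # also covers undecodable bytes
            return findings + ["JSON body is not well-formed"]
        if depth > JSON_MAX:
            findings.append(f"JSON depth {depth} > {JSON_MAX}")
        if longest > JSON_MAX:
            findings.append(f"JSON array length {longest} > {JSON_MAX}")
    return findings


# Constructed sample: a bulk order whose array has 30 elements.
SAMPLE_BODY = json.dumps({"order": {"items": list(range(30))}}).encode()
HEADERS = {"Content-Type": "application/json", "Cookie": "sid=abc"}
SAMPLE = check_request("/api/orders?expand=items", HEADERS, SAMPLE_BODY)
```

Here `SAMPLE` reports only the array-length finding, the kind of legitimate bulk payload that needs either a smaller batch size or a tuned policy.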
The following signature attack types are included with the default NGINX Controller App Security WAF policy. These attack types protect against OWASP Top 10 vulnerabilities and CVEs. Low, medium, and high accuracy signatures generate events as part of assessing the Violation Rating.
- Command Execution Signatures
- Cross-Site Scripting Signatures
- Directory Indexing Signatures
- Information Leakage Signatures
- OS Command Injection Signatures
- Path Traversal Signatures
- Predictable Resource Location Signatures
- Remote File Include Signatures
- SQL Injection Signatures
- Authentication/Authorization Attacks Signatures
- XML External Entity (XXE) Signatures
- XPath Injection Signatures
- Buffer Overflow Signatures
- Denial of Service Signatures
- Vulnerability Scanner Signatures
The default policy for App Security assesses violations and provides a Violation Rating. This rating is an assessment, computed by NGINX App Protect from the triggered violations, of the risk of the request and the likelihood that it is an attack.
NGINX App Protect violations are rated to distinguish between attacks and potential false-positive alerts. A rating is assigned to requests based on the presence of one or more violations. Each violation type and severity contribute to the calculation of the Violation Rating assigned to a request.
The possible Violation Ratings are:
- 0: No violation (no event available)
- 1: Possible False Positive (no event available)
- 2: Most Likely False Positive (no event available)
- 3: Needs examination
- 4: Possible Attack
- 5: Most Likely Attack
The Violation Rating is a dimension in Security Violation Events. NGINX App Protect rejects requests that have a Violation Rating of 4 (Possible Attack) or 5 (Most Likely an Attack). However, the following violations and signature sets have a low chance of being false positives and are, therefore, configured by default to reject the request regardless of its Violation Rating:
- High accuracy attack signatures
- Threat campaigns
- Malformed request: unparsable header, malformed cookie, and malformed body (JSON or XML).
With the default policy, all requests rejected by NGINX App Protect generate a Security Event in NGINX Controller. Requests with a Violation Rating of 3 (Needs examination) also generate a Security Event in NGINX Controller. All other requests do not generate a Security Event in NGINX Controller.
Note: The following events are blocked by NGINX Plus, not by the NGINX Controller App Security policy. These events are not reported in NGINX Controller as security violation events.
|HTTP RFC Compliance Checks||Description|
|Unparsable request content||This violation is triggered when the system’s parser cannot parse the message.|
|Several Content-Length headers||More than one Content-Length header is not RFC-compliant and indicates an HTTP response splitting attack.|
|NULL in header||The system issues a violation for requests with a NULL character in the header.|
|No Host header in HTTP/1.1 request||Checks whether HTTP/1.1 requests contain a “Host” header.|
|High ASCII characters in headers||Check for high ASCII characters (greater than 127) in headers.|
|Content length should be a positive number||The Content-Length header value should be greater than zero; only a numeric positive number value is accepted.|
|Bad HTTP version||Enforces legal HTTP version number (only 0.9 or higher allowed).|
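Because these rejections produce no security violation event in NGINX Controller, it helps to replay a captured request through the same checks when investigating an unexplained block. The following is an added approximation written from the table's descriptions, not NGINX Plus's implementation; `rfc_violations` and the sample requests are hypothetical.

```python
import re


def rfc_violations(raw):
    """Return the table's check names that a raw request head fails."""
    head = raw.partition(b"\r\n\r\n")[0]
    request_line, *header_lines = head.split(b"\r\n")
    m = re.fullmatch(rb"\S+ \S+ HTTP/(\S+)", request_line)
    if not m or any(b":" not in h for h in header_lines):
        return ["Unparsable request content"]
    found = []
    ver = re.fullmatch(rb"(\d+)\.(\d+)", m[1])
    version = (int(ver[1]), int(ver[2])) if ver else None
    if version is None or version < (0, 9):
        found.append("Bad HTTP version")
    fields = [(n.strip().lower(), v.strip())
              for n, _, v in (h.partition(b":") for h in header_lines)]
    lengths = [v for n, v in fields if n == b"content-length"]
    if len(lengths) > 1:
        found.append("Several Content-Length headers")
    # Table wording: the value must be numeric and greater than zero.
    if any(not v.isdigit() or int(v) <= 0 for v in lengths):
        found.append("Content length should be a positive number")
    if any(b"\x00" in h for h in header_lines):
        found.append("NULL in header")
    if version == (1, 1) and all(n != b"host" for n, _ in fields):
        found.append("No Host header in HTTP/1.1 request")
    if any(byte > 127 for h in header_lines for byte in h):
        found.append("High ASCII characters in headers")
    return found


# Constructed sample requests, one per documented check.
SAMPLES = {
    "clean": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "two_lengths": b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 5\r\nContent-Length: 7\r\n\r\nhello",
    "no_host": b"GET / HTTP/1.1\r\nAccept: */*\r\n\r\n",
    "null_byte": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-A: a\x00b\r\n\r\n",
    "high_ascii": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-A: caf\xe9\r\n\r\n",
    "bad_length": b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: -1\r\n\r\n",
    "bad_version": b"GET / HTTP/0.5\r\nHost: example.test\r\n\r\n",
}
RESULTS = {name: rfc_violations(raw) for name, raw in SAMPLES.items()}
```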
This documentation applies to the following versions of NGINX Controller: 3.12, 3.13, 3.14, 3.15, 3.16.1, 3.17, 3.18, 3.18.1, 3.18.2 and 3.18.3.