White list based input validation for parameters
nevisProxy supports request parameter validation based on white listing. nevisAdmin assists with this feature through the filter called "Input validation, white listing", which implements self-learning functionality. The self-learning feature uses an audit log file, which is written by an InputValidationFilter configured within nevisProxy. nevisAdmin automatically reads the data from the audit log file every hour and creates a rule set of regular expressions representing the request parameters that are allowed to be transmitted to the application server.
Usage
Create a new "Input validation, white listing" filter within your environment.
Set the mode to "learn" and assign it to the mapping of your application. Then commit and deploy your environment. nevisProxy now starts to write the audit log containing all relevant request data of users accessing your application.
nevisAdmin automatically updates the rules and you may review the patterns within the filter view and decide for which parameter you want to activate the rules.
Info: nevisAdmin suggests which rules to use based on the settings made within the filter. See the filter's help page for more information about the parameters.
You can change the mode to "enforce", commit and deploy your configuration as soon as the learning phase is finished.
nevisProxy verifies for each parameter if a pattern exists and, from then on, only allows these parameters if the specified pattern matches. Parameters for which no pattern has been defined are allowed.
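A small Python model of the learn and enforce phases described above, added here as an illustration; it is not Nevis code and not the algorithm nevisAdmin uses. The observed values, the candidate character classes, the min_samples threshold and the full-match semantics are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample of (parameter, value) pairs, standing in for what a
# learn-mode audit log would record. The real log format is not modelled.
OBSERVED = [
    ("account", "10023"), ("account", "88"), ("account", "4711"),
    ("lang", "de"), ("lang", "en"), ("lang", "fr"),
    ("comment", "hello world"),
]

# Candidate character classes, narrowest first (assumption of this sketch).
CLASSES = [r"[0-9]", r"[a-z]", r"[A-Za-z]", r"[A-Za-z0-9]", r"[A-Za-z0-9 _.,-]"]


def learn(observed, min_samples=3):
    """Derive one regex per parameter from the values seen while learning."""
    values = defaultdict(list)
    for name, value in observed:
        values[name].append(value)
    rules = {}
    for name, vals in values.items():
        if len(vals) < min_samples:
            continue  # too few samples to suggest a rule (hypothetical threshold)
        for cls in CLASSES:
            if all(re.fullmatch(cls + "*", v) for v in vals):
                lo, hi = min(map(len, vals)), max(map(len, vals))
                rules[name] = f"{cls}{{{lo},{hi}}}"
                break
    return rules


def enforce(rules, params):
    """Return the names of parameters whose value violates its rule.

    Parameters without a rule pass, matching the behaviour described above.
    """
    return [name for name, value in params.items()
            if name in rules and not re.fullmatch(rules[name], value)]


if __name__ == "__main__":
    rules = learn(OBSERVED)
    print(rules)
    print(enforce(rules, {"account": "4711abc", "lang": "en"}))  # rule violated
    print(enforce(rules, {"comment": "anything", "debug": "1"}))  # no rules: allowed
    print(enforce(rules, {"account": "123456"}))  # valid but longer than any seen
```

The last two calls show what to check before switching to "enforce": parameters that never received a pattern stay unvalidated, and a learning phase that did not see representative traffic produces rules that reject legitimate values.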