Starting with version 8.0, the Cequence Unified API Protection (UAP) platform introduces Rulesets as organizational containers for related rules, similar to folders. The "Web Application Firewall Threats" ruleset contains all WAF-related detection rules, providing clear hierarchy and organization.
System WAF rules structure
The system includes 40 pre-configured WAF rules. Each rule corresponds to a specific AWS WAF detection type and evaluates the presence of particular headers in incoming requests. These rules are displayed on the System Rules page of the Cequence UAP platform under the "Web Application Firewall Threats" ruleset.
Note: You can selectively disable any of these rules from within the System Rules page.
WAF Rules are enforced by WAF policies, which can map to one or more rules.
The following sections describe the various WAF rules that the Cequence WAAP uses.
Disabling specific WAF rules
To disable specific WAF rules, select the rule or rules on the Threat Protection Rules page.
Once you've selected a rule or set of rules, click a state in the New Rule State section of the Change Rule State pane to change the state of the selected rules.
- Changing the rule state to OFF prevents the rules from triggering for future transactions. You won't see the rule trigger on new transactions in the Mitigation page. Instances of the rules that triggered before the change remain recorded.
- The EXPERIMENTAL rule state prevents rules that trigger from incrementing the confidence score of transactions. Triggered rules still appear on the Mitigation page for transactions that triggered them.
Note: Changing the state of WAF Rules does not prevent policies from taking action on transactions with those threat types. If a transaction's confidence score still matches a policy's conditions, the policy still takes effect. To stop taking action on a threat type, change the state of the corresponding policy or policies so that they no longer include those criteria. Configuring WAF Policies discusses disabling specific WAF policies.
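To make the interaction between rule state, confidence score and policy action concrete, here is an added example (not part of the Cequence documentation or product code) that models three of the header/method rules as simple checks. The check logic, the per-rule weight of 40 and the policy threshold of 80 are assumptions for illustration; the real scoring is not described on this page.

```python
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit

RuleState = Enum("RuleState", "ON OFF EXPERIMENTAL")

@dataclass
class Rule:
    rule_id: str
    name: str
    check: object             # callable(method, headers) -> True when the rule matches
    weight: int               # assumed confidence contribution; real weighting is not on the page
    state: object = RuleState.ON
# Three header/method rules from the ruleset, modelled as simple checks (assumed logic).
def no_user_agent(method, headers):
    return not any(k.lower() == "user-agent" for k in headers)
def host_localhost(method, headers):
    host = urlsplit("//" + headers.get("Host", "")).hostname or ""   # strips port and brackets
    return host in {"localhost", "127.0.0.1", "::1"}
def propfind_method(method, headers):
    return method.upper() == "PROPFIND"

def build_rules(states=None):
    """Build the rules with per-ID state overrides (default ON), as set on the System Rules page."""
    states = states or {}
    base = [("W001", "NoUserAgent_HEADER", no_user_agent),
            ("W028", "Host_localhost_HEADER", host_localhost),
            ("W029", "PROPFIND_METHOD", propfind_method)]
    return [Rule(i, n, c, 40, states.get(i, RuleState.ON)) for i, n, c in base]

def evaluate(method, headers, rules):
    """Return (names of rules that triggered, confidence score) for one transaction."""
    triggered, score = [], 0
    for rule in rules:
        if rule.state is RuleState.OFF or not rule.check(method, headers):
            continue                    # OFF rules never trigger on new transactions
        triggered.append(rule.name)     # EXPERIMENTAL matches still show on the Mitigation page
        if rule.state is RuleState.ON:
            score += rule.weight        # only ON rules increment the confidence score
    return triggered, score

def policy_acts(score, threshold=80):
    """A policy keyed on the confidence score acts whenever the score meets its condition."""
    return score >= threshold

# Constructed sample transaction: PROPFIND, no User-Agent header, Host pointing at localhost.
METHOD, HEADERS = "PROPFIND", {"Host": "localhost:8080", "Accept": "*/*"}
if __name__ == "__main__":
    for label, states in [("all ON", {}), ("W029 EXPERIMENTAL", {"W029": RuleState.EXPERIMENTAL}),
                          ("W028+W029 OFF", {"W028": RuleState.OFF, "W029": RuleState.OFF})]:
        hits, score = evaluate(METHOD, HEADERS, build_rules(states))
        print(f"{label:18} triggered={hits} score={score} policy_acts={policy_acts(score)}")
```

Setting W029 to EXPERIMENTAL keeps it visible in the triggered list but the policy still acts because the remaining ON rules carry the score over the threshold; only when enough rules are OFF does the score drop below it.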
WAF Rules Detected by Cequence
This section lists the various WAF threat types detected by Cequence.
Bot Detection and User Agent Rules
Rules that identify and block malicious bots and requests with suspicious or missing user-agent headers.
| ID | Name | Description | Used in policy |
|---|---|---|---|
| W001 | NoUserAgent_HEADER | Detects requests missing the User-Agent header, which is commonly associated with automated tools and bots. | No User Agent Header |
| W002 | UserAgent_BadBots_HEADER | Identifies known malicious bot user-agent strings in request headers. | User-Agent Bad Bots Header |
Size Restriction Rules
Rules that prevent buffer overflow and denial-of-service attacks by limiting the size of various request components.
| ID | Name | Description | Used in policy |
|---|---|---|---|
| W003 | SizeRestrictions_QUERYSTRING | Blocks requests with excessively long query strings that may indicate attack attempts or buffer overflow exploits. | Size Restrictions Exceeded |
| W004 | SizeRestrictions_Cookie_HEADER | Blocks requests with excessively large cookie headers that may indicate session hijacking or overflow attacks. | Size Restrictions Exceeded |
| W005 | SizeRestrictions_BODY | Blocks requests with excessively large request bodies that exceed normal application requirements. | Size Restrictions Exceeded |
| W006 | SizeRestrictions_URIPATH | Blocks requests with excessively long URI paths that may indicate directory traversal or overflow attacks. | Size Restrictions Exceeded |
Server-Side Request Forgery (SSRF) Rules
Rules that detect attempts to exploit SSRF vulnerabilities to access internal resources like EC2 metadata services.
| ID | Name | Description | Used in policy |
|---|---|---|---|
| W007 | EC2MetaDataSSRF_BODY | Detects attempts to exploit Server-Side Request Forgery (SSRF) to access EC2 instance metadata through the request body. | EC2 Metadata Exfiltration |
| W008 | EC2MetaDataSSRF_COOKIE | Detects attempts to exploit Server-Side Request Forgery (SSRF) to access EC2 instance metadata through cookies. | EC2 Metadata Exfiltration |
| W009 | EC2MetaDataSSRF_URIPATH | Detects attempts to exploit Server-Side Request Forgery (SSRF) to access EC2 instance metadata through the URI path. | EC2 Metadata Exfiltration |
| W010 | EC2MetaDataSSRF_QUERYARGUMENTS | Detects attempts to exploit Server-Side Request Forgery (SSRF) to access EC2 instance metadata through query parameters. | EC2 Metadata Exfiltration |
| W028 | Host_localhost_HEADER | Detects requests with localhost or loopback addresses in the Host header, which may indicate SSRF or header manipulation attacks. | Host matches localhost |
File Inclusion Attack Rules
Rules that protect against Local File Inclusion (LFI) and Remote File Inclusion (RFI) attacks attempting to access or execute unauthorized files.
| ID | Name | Description | Used in policy |
|---|---|---|---|
| W011 | GenericLFI_QUERYARGUMENTS | Detects Local File Inclusion (LFI) attempts in query parameters that try to access sensitive files on the server. | Generic Local File Inclusion |
| W012 | GenericLFI_URIPATH | Detects Local File Inclusion (LFI) attempts in the URI path that try to access sensitive files on the server. | Generic Local File Inclusion |
| W013 | GenericLFI_BODY | Detects Local File Inclusion (LFI) attempts in the request body that try to access sensitive files on the server. | Generic Local File Inclusion |
| W014 | RestrictedExtensions_URIPATH | Blocks requests attempting to access files with restricted or potentially dangerous file extensions in the URI path. | Restricted Extensions |
| W015 | RestrictedExtensions_QUERYARGUMENTS | Blocks requests attempting to access files with restricted or potentially dangerous file extensions in query parameters. | Restricted Extensions |
| W016 | GenericRFI_QUERYARGUMENTS | Detects Remote File Inclusion (RFI) attempts in query parameters that try to include malicious remote files. | Generic Remote File Inclusion |
| W017 | GenericRFI_BODY | Detects Remote File Inclusion (RFI) attempts in the request body that try to include malicious remote files. | Generic Remote File Inclusion |
| W018 | GenericRFI_URIPATH | Detects Remote File Inclusion (RFI) attempts in the URI path that try to include malicious remote files. | Generic Remote File Inclusion |
Cross-Site Scripting (XSS) Rules
Rules that identify and block XSS attack patterns across different request components to prevent client-side code injection.
| ID | Name | Description | Used in policy |
|---|---|---|---|
| W019 | CrossSiteScripting_COOKIE | Detects Cross-Site Scripting (XSS) attack patterns in cookie values. | Cross Site Scripting |
| W020 | CrossSiteScripting_QUERYARGUMENTS | Detects Cross-Site Scripting (XSS) attack patterns in query parameters. | Cross Site Scripting |
| W021 | CrossSiteScripting_BODY | Detects Cross-Site Scripting (XSS) attack patterns in the request body. | Cross Site Scripting |
| W022 | CrossSiteScripting_URIPATH | Detects Cross-Site Scripting (XSS) attack patterns in the URI path. | Cross Site Scripting |
Remote Code Execution (RCE) Rules
Rules that protect against various remote code execution vulnerabilities, including Java deserialization and Log4j exploits.
| ID | Name | Description | Used in policy |
|---|---|---|---|
| W024 | JavaDeserializationRCE_HEADER | Detects Java deserialization Remote Code Execution (RCE) exploit patterns in request headers. | Java Deserialization |
| W025 | JavaDeserializationRCE_BODY | Detects Java deserialization Remote Code Execution (RCE) exploit patterns in the request body. | Java Deserialization |
| W026 | JavaDeserializationRCE_URIPATH | Detects Java deserialization Remote Code Execution (RCE) exploit patterns in the URI path. | Java Deserialization |
| W027 | JavaDeserializationRCE_QUERYSTRING | Detects Java deserialization Remote Code Execution (RCE) exploit patterns in the query string. | Java Deserialization |
| W031 | Log4JRCE_HEADER | Detects Log4Shell (Log4j) Remote Code Execution exploit patterns in request headers. | Log4J Remote Code Execution |
| W032 | Log4JRCE_QUERYSTRING | Detects Log4Shell (Log4j) Remote Code Execution exploit patterns in the query string. | Log4J Remote Code Execution |
| W033 | Log4JRCE_BODY | Detects Log4Shell (Log4j) Remote Code Execution exploit patterns in the request body. | Log4J Remote Code Execution |
| W034 | Log4JRCE_URIPATH | Detects Log4Shell (Log4j) Remote Code Execution exploit patterns in the URI path. | Log4J Remote Code Execution |
SQL Injection Rules
Rules that detect and prevent SQL injection attacks, including both standard and advanced obfuscated patterns.
| ID | Name | Description | Used in policy |
|---|---|---|---|
| W035 | SQLi_QUERYARGUMENTS | Detects SQL injection attack patterns in query parameters. | SQL Injection |
| W036 | SQLiExtendedPatterns_QUERYARGUMENTS | Detects advanced and obfuscated SQL injection attack patterns in query parameters. | SQL Injection |
| W037 | SQLi_BODY | Detects SQL injection attack patterns in the request body. | SQL Injection |
| W038 | SQLiExtendedPatterns_BODY | Detects advanced and obfuscated SQL injection attack patterns in the request body. | SQL Injection |
| W039 | SQLi_COOKIE | Detects SQL injection attack patterns in cookie values. | SQL Injection |
| W040 | SQLi_URIPATH | Detects SQL injection attack patterns in the URI path. | SQL Injection |
Access Control and Administrative Protection Rules
Rules that control access to sensitive administrative areas and block unauthorized reconnaissance attempts.
| ID | Name | Description | Used in policy |
|---|---|---|---|
| W023 | AdminProtection_URIPATH | Blocks unauthorized access attempts to administrative paths and endpoints. | Admin Protection |
| W029 | PROPFIND_METHOD | Blocks PROPFIND HTTP method requests commonly used in WebDAV-based attacks and reconnaissance. | PropFind Method |
| W030 | ExploitablePaths_URIPATH | Blocks requests to commonly exploitable paths and directories that are frequently targeted by attackers. | Exploitable Paths in URI Path |