static http argument in Wt

Added by nourieh sadat zabetzadeh about 2 years ago

Hello
good morning

I am writing a Wt project. When I work with my project and forward requests to it from the browser, the HTTP args in different requests are different (random), while I need them to be static. How can I do that?

Thank you in advance for your reply


Replies (8)

RE: static http argument in Wt - Added by Roel Standaert about 2 years ago

We usually do put things like the session id in the HTTP request.

Why do you need it to be static? What's your use case?

RE: static http argument in Wt - Added by nourieh sadat zabetzadeh about 2 years ago

I want to put that project behind the WAF, and to fix the false positives, the names of the arguments must be fixed so that some rules can be pruned.

RE: static http argument in Wt - Added by nourieh sadat zabetzadeh almost 2 years ago

I put my project behind the WAF and get a lot of false positives. If HTTP argument names are static, I can easily fix these false positives based on these argument names. How can I make the HTTP argument names static in Wt?

Thank you in advance for your reply

RE: static http argument in Wt - Added by Roger Man almost 2 years ago

That's my question too.

I understand that randomizing argument names is done to mitigate automatic form submissions. But with Web Application Firewalls, which propose good security countermeasures, one will need fixed argument names in order to eradicate the false positives.

Is there any configuration parameter to make Wt apps assign fixed argument names?

Regards

RE: static http argument in Wt - Added by Roel Standaert almost 2 years ago

So it's the argument names you're talking about, not the values? What argument names are you talking about? The ones that start with an "o"?

RE: static http argument in Wt - Added by Roger Man almost 2 years ago

Yes, I am definitely talking about argument names.

I see the arguments starting with an "o" and also starting with an "e".

I don't know the difference, but with Web Application Firewalls, false positives might arise with any argument!

Regards

RE: static http argument in Wt - Added by Roel Standaert almost 2 years ago

All Wt widgets get an object id, prefixed with o. This is generated automatically, simply to guarantee that they are all unique. Making it harder for bots to do automatic form submissions is just a side effect of that, not its main purpose. When the state of a widget is sent to the server, it is put in a parameter named after the id of the widget.

When we bundle multiple events into one request, we use the e prefix to distinguish between the different events (the first event is not prefixed, the next one gets prefix e1, and so on).

Which web application firewall are you using? I don't know in what way we could make Wt's communication easier to digest by web application firewalls, so we'd need to test that if we want to do that.
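
The naming scheme described in the reply above, as an added example that is not part of the thread or of Wt's own code: it splits each parameter name into its event prefix and base name, so request logs can be reduced to a static set of name shapes for WAF tuning. The widget id pattern, the `action` parameter and the sample bodies are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Assumption: a widget id is "o" plus lowercase alphanumerics. The thread only
# says ids are "prefixed with o", so adjust this to what your application emits.
WIDGET_ID = re.compile(r"o[0-9a-z]+")
# Bundled events after the first carry an "e<N>" prefix (e1, e2, ...).
EVENT_PREFIX = re.compile(r"e(\d+)(?=.)")


def split_name(name):
    """Return (event_index, base_name, is_widget_state) for one parameter name."""
    m = EVENT_PREFIX.match(name)
    if m:
        event, base = int(m.group(1)), name[m.end():]
    else:
        event, base = 0, name  # the first event is not prefixed
    return event, base, WIDGET_ID.fullmatch(base) is not None


def group_by_event(body):
    """Group a urlencoded request body into one parameter dict per event."""
    events = defaultdict(dict)
    for name, value in parse_qsl(body, keep_blank_values=True):
        event, base, _ = split_name(name)
        events[event][base] = value
    return dict(events)


def name_shapes(bodies):
    """Collapse generated names to a placeholder; what remains is the static set."""
    shapes = set()
    for body in bodies:
        for name, _ in parse_qsl(body, keep_blank_values=True):
            _, base, is_widget = split_name(name)
            shapes.add("<widget-id>" if is_widget else base)
    return shapes


# Constructed sample bodies (not captured from a real Wt application).
SAMPLE_BODIES = [
    "action=update&o1f=O%27Brien&e1action=update&e1o2a=select+a+plan",
    "action=update&o9c=hello",
]

if __name__ == "__main__":
    print(group_by_event(SAMPLE_BODIES[0]))
    print(sorted(name_shapes(SAMPLE_BODIES)))
```

Under the assumed pattern an ordinary parameter such as `offset` is also classified as a widget id, which is the over-matching to check for before turning the pattern into a WAF exclusion.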

RE: static http argument in Wt - Added by Roger Man almost 2 years ago

Hi

The most common open source WAF: ModSecurity (https://github.com/SpiderLabs/ModSecurity).
