You can use the App Firewall screen to configure what payload data is collected, where it is stored and the specific attack patterns that
By default, in order to provide the most context about attacks, payload data is sent to the
Important note: Before using
csrftoken. Agents will not send values of the parameters in either list to the
Agents always provide a sanitized version of the request URI for App Firewall events to the service. If the Collect full (unsanitized) URIs option is enabled,
The parameters in the "Exclude sending payloads for parameters" list and the default sensitive parameters WILL still be sent to tCell if this option is enabled and the URI contains them.
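The interaction between the two exclusion lists and the "Collect full (unsanitized) URIs" option is easy to get wrong, so here is an added example (not tCell's agent code) that models it. It assumes that a "sanitized" URI keeps the path and masks every query value, that the default sensitive list contains `csrftoken` (named above) and that the user list is a constructed set; `leaked_sensitive_values` is a check a practitioner can run to see which excluded parameter values still reach the service through the URI when full URIs are enabled.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed stand-ins for the two lists described on the page:
# the default sensitive parameters (csrftoken is the one the page names)
# and the user-maintained "Exclude sending payloads for parameters" list.
DEFAULT_SENSITIVE_PARAMS = {"csrftoken"}   # assumed default list
USER_EXCLUDED_PARAMS = {"session_note"}    # constructed user list

REDACTED = "REDACTED"


def excluded_params():
    """Union of both lists: values of these parameters are never sent as payload."""
    return DEFAULT_SENSITIVE_PARAMS | USER_EXCLUDED_PARAMS


def sanitized_uri(uri: str) -> str:
    """Assumed form of the sanitized URI: path kept, every query value masked."""
    parts = urlsplit(uri)
    masked = [(k, REDACTED) for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(masked), ""))


def build_event(uri: str, params: dict, collect_full_uris: bool) -> dict:
    """Assemble the URI and payload fields of an App Firewall event.

    Payload values of excluded parameters are always redacted, but the URI is
    sent verbatim when "Collect full (unsanitized) URIs" is enabled, which is
    exactly the caveat the page states.
    """
    payload = {k: (REDACTED if k in excluded_params() else v) for k, v in params.items()}
    return {
        "uri": uri if collect_full_uris else sanitized_uri(uri),
        "payload": payload,
    }


def leaked_sensitive_values(event: dict) -> dict:
    """Which excluded parameter values still appear unmasked in the event's URI?"""
    query = dict(parse_qsl(urlsplit(event["uri"]).query))
    return {k: v for k, v in query.items() if k in excluded_params() and v != REDACTED}


# Constructed sample request: a login form submission carrying a CSRF token.
SAMPLE_URI = "/login?user=alice&csrftoken=abc123"
SAMPLE_PARAMS = {"user": "alice", "csrftoken": "abc123"}

if __name__ == "__main__":
    for full in (False, True):
        ev = build_event(SAMPLE_URI, SAMPLE_PARAMS, collect_full_uris=full)
        print(f"collect_full_uris={full}: uri={ev['uri']} leaked={leaked_sensitive_values(ev)}")
```

With the option off the event carries `/login?user=REDACTED&csrftoken=REDACTED` and nothing leaks; with it on the payload still redacts `csrftoken`, but the URI carries `abc123` verbatim, which is why the option deserves a deliberate decision rather than being switched on for convenience.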
It’s possible to exclude specific routes and paths from being monitored for a specific pattern. Most commonly this is done when the pattern is generating too many false positives. To do this, on the right side of the pattern click on Add and enter the route or pattern to exclude.
For more information regarding App Firewall, check out the SQL Injection user guide.
XXE detection can be enabled in the App Firewall policy.
- Navigate to the Policies screen and click on the App Firewall tab.
- Scroll down to the section titled "XML External Entity (XXE)". Check the box labeled "Enabled".
- Users who want to catch all possible malicious XML payloads should check the box next to the default "tc-xxe-1" pattern, under "Regular Expressions (Pattern ID)". Advanced users may want to add and enable their own regular expressions.
- Click "Deploy" on the banner at the bottom of the screen.
FAQ: Can I enable XXE with no regular expressions?
Users must enable at least one XXE regular expression to see XXE events in tCell.
The Whitelist Rules configuration option allows users to exclude certain requests from triggering tCell events, by matching regular expressions to request fields.
Whitelist Rules can be useful when a default tCell regex matches a request field value that is common or expected in your application. Instead of sifting through many false positive events, or excluding a specific request field entirely using Event Filtering, users can configure a Whitelist Rule that covers the expected values for that field.
The Whitelist Rules option is at the bottom of the App Firewall policy configuration page. There are multiple parts to a Whitelist Rule:
- An optional description
- Whether the rule is enabled or disabled. This can be toggled using the checkbox labeled "Enabled".
- A Route OR Path to match.
  - Routes: Any Route discovered by tCell in the current application can be selected using the dropdown, or the field can be left empty to match all Routes.
  - Paths: Select a request method, then enter the value of a Path. For Whitelist Rules, "Null Paths" do not apply and should not be used.
- A field on which to apply the regular expression. Select the field type (e.g. HTTP header, query parameter, etc.) and enter the parameter name.
- A regular expression. Users can choose any regex previously defined in tCell, or create a new one. Make sure to click "Save selection" after selecting a regex.
To create a new rule, click "Add", fill in the form, then save the rule and deploy your changes.
The following agent versions support Whitelist Rules:
- JVM Agent >= 1.4.0
For a request to match a Whitelist Rule, all of the following must hold:
- The request must contain the field configured in the Whitelist Rule.
- The field's value must match the regex configured in the rule.
- Given an event with a specific Detection Point (e.g. XSS), the detection event must have been triggered by the field configured in the rule. If a Detection Point applies to another field in the request that is not configured in a Whitelist Rule, a corresponding event will still be sent.
For example, given the following rule:
This rule will match any GET request to / where the query parameter p_name's value contains tcell. Now consider the following request:
The Whitelist Rule above matches this request, and the XSS event that would have been sent is ignored. Now consider a slightly different request:
In this case, an XSS event would still be sent, since the rule did not match the field which triggered the XSS event.
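The three matching conditions above, including the case where the rule matches a field other than the one that triggered the detection, are modelled in this added example. It is not tCell's own evaluation code: the `WhitelistRule`, `DetectionEvent` and `Request` classes, the `query`/`header` field types and the sample requests are all constructed for illustration, and the example rule is the one the text describes (GET to /, query parameter p_name, regex `tcell`).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class WhitelistRule:
    """Hypothetical model of a Whitelist Rule as described on the page."""
    method: str          # request method of the Path to match
    path: str            # Path to match
    field_type: str      # constructed field types: "query" or "header"
    field_name: str      # parameter or header name
    regex: str           # regular expression applied to the field's value
    enabled: bool = True
    description: str = ""


@dataclass
class DetectionEvent:
    """An App Firewall detection before whitelist evaluation; field_type and
    field_name record which request field triggered the Detection Point."""
    detection_point: str  # e.g. "xss"
    field_type: str
    field_name: str
    value: str


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str]
    headers: Dict[str, str]

    def get_field(self, field_type: str, field_name: str) -> Optional[str]:
        source = {"query": self.query, "header": self.headers}[field_type]
        return source.get(field_name)


def rule_matches(rule: WhitelistRule, request: Request, event: DetectionEvent) -> bool:
    """All three page conditions must hold: the request carries the configured
    field, its value matches the regex, and the detection was triggered by
    that same field. A disabled rule or a different Path never matches."""
    if not rule.enabled:
        return False
    if rule.method != request.method or rule.path != request.path:
        return False
    value = request.get_field(rule.field_type, rule.field_name)
    if value is None or not re.search(rule.regex, value):
        return False
    return (event.field_type, event.field_name) == (rule.field_type, rule.field_name)


def apply_whitelist(rules: List[WhitelistRule], request: Request,
                    events: List[DetectionEvent]) -> List[DetectionEvent]:
    """Return the events that would still be sent after whitelist evaluation."""
    return [e for e in events if not any(rule_matches(r, request, e) for r in rules)]


# The rule from the text: GET to / where query parameter p_name contains "tcell".
EXAMPLE_RULE = WhitelistRule("GET", "/", "query", "p_name", "tcell",
                             description="p_name legitimately contains 'tcell'")

# Constructed sample requests and the detections they would raise.
SUPPRESSED_REQUEST = Request("GET", "/", {"p_name": "<script>tcell</script>"}, {})
SUPPRESSED_EVENT = DetectionEvent("xss", "query", "p_name", "<script>tcell</script>")

OTHER_FIELD_REQUEST = Request("GET", "/", {"p_name": "tcell", "q": "<script>"}, {})
OTHER_FIELD_EVENT = DetectionEvent("xss", "query", "q", "<script>")


def demo() -> Tuple[int, int]:
    """Number of events still sent for each sample request: (0, 1) expected."""
    sent_a = apply_whitelist([EXAMPLE_RULE], SUPPRESSED_REQUEST, [SUPPRESSED_EVENT])
    sent_b = apply_whitelist([EXAMPLE_RULE], OTHER_FIELD_REQUEST, [OTHER_FIELD_EVENT])
    return len(sent_a), len(sent_b)


if __name__ == "__main__":
    print(demo())
```

The second sample is the case the page warns about: p_name matches the rule, but the detection was triggered by q, so the XSS event is still sent. The `event.field_*` comparison in `rule_matches` is what enforces that; dropping it would turn the rule into a blanket suppression for the whole Path, which is not what a Whitelist Rule does.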
This tab allows you to configure Suspicious Actor settings. You can select the Automatic blocking of Suspicious Actors mode that you prefer. All IPs currently identified by tCell as suspicious will be listed under Suspicious IPs.
This tab allows you to add URI paths or IP addresses to block from accessing your app. The IP blacklist function is unrelated to the Automatic blocking of Suspicious Actors setting, and will work if the Blocking Rules Enabled option is selected.
You can add comments for any IP that you have added to the whitelist and blacklist by clicking on the small note icon to the right of the IP.