# Workflow as Code Reference

# Index

Data Modification
Security
Response
API security
Attributes
Miscellaneous

# Functions list

# Data Modification

# Function ActionBodyVariableAdd

Add a body variable.

ActionBodyVariableAdd(Args{
    "key": "",
})

1
2
3

# Mandatory Parameters

key: The name of the variable to create

# Optional Parameters

value: The value to set for this variable.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.body.vars (TableAttribute)

# Function ActionBodyVariableSet

Set a body variable.

ActionBodyVariableSet(Args{
    "key": "",
    "capture": "false",
})

1
2
3
4

# Mandatory Parameters

key: The name of the variable to set
capture: Whether to capture the original value (default: No). Nothing is done if the original value doesn't exist.

# Optional Parameters

capture_re: The regexp to capture the original value
modify: Whether to modify the original value only (default: No). Nothing is done if the original value doesn't exist.
value: The value to set for this variable. When capture mode is enabled, this is the substitution regexp.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.body.vars (TableAttribute)

# Function ActionBodyVariableUnset

Unset a body variable.

ActionBodyVariableUnset(Args{
    "key": "",
})

1
2
3

# Mandatory Parameters

key: The name of the variable to delete

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.body.vars (TableAttribute)

# Function ActionCookieAdd

Add a new cookie in the cookie table.

ActionCookieAdd(Args{
    "name": "",
    "cookie-name": "",
    "cookie-secure": "false",
    "cookie-httpOnly": "false",
})
// returns ${params[name]}

1
2
3
4
5
6
7

# Mandatory Parameters

name: An attribute name is required (eg: http.request.cookies).
cookie-name: The name of the cookie (eg: PHPSESSID).
cookie-secure: The cookie secure flag
cookie-httpOnly: The cookie httpOnly flag

# Optional Parameters

cookie-value: The value to set for the cookie.
cookie-path: The cookie path
cookie-domain: The cookie domain
cookie-attributes: The custom cookie attributes(s)/flag(s) (separated by 😉

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[name]} (TableAttribute)

# Function ActionCookieSet

Set a new cookie in the cookie table.

ActionCookieSet(Args{
    "name": "",
    "cookie-name": "",
    "cookie-secure": "false",
    "cookie-httpOnly": "false",
})
// returns ${params[name]}

1
2
3
4
5
6
7

# Mandatory Parameters

name: An attribute name is required (eg: http.request.cookies).
cookie-name: The name of the cookie (eg: PHPSESSID).
cookie-secure: The cookie secure flag
cookie-httpOnly: The cookie httpOnly flag

# Optional Parameters

cookie-value: The value to set for the cookie.
cookie-path: The cookie path
cookie-domain: The cookie domain
cookie-attributes: The custom cookie attributes(s)/flag(s) (separated by 😉

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[name]} (TableAttribute)

# Function ActionCryptoSymDecrypt

Decrypt data using a symmetric key.

ActionCryptoSymDecrypt(Args{
    "decrypt.input": "",
    "decrypt.algorithm": "AES256_cbc",
    "decrypt.key": "",
})
// returns decrypt.err_message, decrypt.failure, decrypt.output

1
2
3
4
5
6

# Mandatory Parameters

decrypt.input: Plain text to decrypt.
decrypt.algorithm: Decryption algorithm used.
- AES128_cbc: AES128 cbc
- AES128_cfb128: AES128 cfb128
- AES128_ofb: AES128 ofb
- AES128_ctr: AES128 ctr
- AES128_ccm: AES128 ccm (Authenticated)
- AES128_gcm: AES128 gcm (Authenticated)
- AES128_ecb: AES128 ecb (insecure, not recommended)
- AES128_cfb1: AES128 cfb1 (insecure, not recommended)
- AES128_cfb8: AES128 cfb8 (insecure, not recommended)
- AES192_cbc: AES192 cbc
- AES192_cfb128: AES192 cfb128
- AES192_ofb: AES192 ofb
- AES192_ctr: AES192 ctr
- AES192_ccm: AES192 ccm (Authenticated)
- AES192_gcm: AES192 gcm (Authenticated)
- AES256_cbc: AES256 cbc
- AES256_cfb128: AES256 cfb128
- AES256_ofb: AES256 ofb
- AES256_ctr: AES256 ctr
- AES256_ccm: AES256 ccm (Authenticated)
- AES256_gcm: AES256 gcm (Authenticated)
- AES192_ecb: AES192 ecb (insecure, not recommended)
- AES192_cfb1: AES192 cfb1 (insecure, not recommended)
- AES192_cfb8: AES192 cfb8 (insecure, not recommended)
- AES256_ecb: AES256 ecb (insecure, not recommended)
- AES256_cfb1: AES256 cfb1 (insecure, not recommended)
- AES256_cfb8: AES256 cfb8 (insecure, not recommended)
decrypt.key: Decryption key as a binary string. Warning: key size is constrained by algorithm type selected (128, 192 or 256 bits).

# Optional Parameters

decrypt.salt: Random binary string used to compute encryption. Mandatory for decryption.
decrypt.aad: Additional Authentication Data for encryption specified as binary string.
decrypt.tag: TAG (MAC) used to validate decryption.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

decrypt.err_message (StringAttribute)
decrypt.failure (BooleanAttribute)
decrypt.output (StringAttribute)

# Function ActionCryptoSymEncrypt

Encrypt data using a symmetric key.

ActionCryptoSymEncrypt(Args{
    "encrypt.input": "",
    "encrypt.algorithm": "AES256_cbc",
})
// returns encrypt.aad, encrypt.err_message, encrypt.failure, encrypt.key, encrypt.output, encrypt.salt, encrypt.tag

1
2
3
4
5

# Mandatory Parameters

encrypt.input: Plain text to encrypt.
encrypt.algorithm: Encryption algorithm used.
- AES128_cbc: AES128 cbc
- AES128_cfb128: AES128 cfb128
- AES128_ofb: AES128 ofb
- AES128_ctr: AES128 ctr
- AES128_ccm: AES128 ccm (Authenticated)
- AES128_gcm: AES128 gcm (Authenticated)
- AES128_ecb: AES128 ecb (insecure, not recommended)
- AES128_cfb1: AES128 cfb1 (insecure, not recommended)
- AES128_cfb8: AES128 cfb8 (insecure, not recommended)
- AES192_cbc: AES192 cbc
- AES192_cfb128: AES192 cfb128
- AES192_ofb: AES192 ofb
- AES192_ctr: AES192 ctr
- AES192_ccm: AES192 ccm (Authenticated)
- AES192_gcm: AES192 gcm (Authenticated)
- AES256_cbc: AES256 cbc
- AES256_cfb128: AES256 cfb128
- AES256_ofb: AES256 ofb
- AES256_ctr: AES256 ctr
- AES256_ccm: AES256 ccm (Authenticated)
- AES256_gcm: AES256 gcm (Authenticated)
- AES192_ecb: AES192 ecb (insecure, not recommended)
- AES192_cfb1: AES192 cfb1 (insecure, not recommended)
- AES192_cfb8: AES192 cfb8 (insecure, not recommended)
- AES256_ecb: AES256 ecb (insecure, not recommended)
- AES256_cfb1: AES256 cfb1 (insecure, not recommended)
- AES256_cfb8: AES256 cfb8 (insecure, not recommended)

# Optional Parameters

encrypt.key: Encryption key as a binary string, keep blank for automatic random value computation. Warning: key size is constrained by algorithm type selected (128, 192 or 256 bits).
encrypt.salt: Salt/IV as binary string, keep blank for automatic random value computation. Warning: salt/IV size is constrained by algorithm type selected.
encrypt.aad: Additional authentication data for encryption specified as binary string.
encrypt.tag: Encryption TAG size (MAC).
- 4: 4
- 6: 6
- 10: 10
- 12: 12
- 14: 14
- 16: 16

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

encrypt.aad (StringAttribute)
encrypt.err_message (StringAttribute)
encrypt.failure (BooleanAttribute)
encrypt.key (StringAttribute)
encrypt.output (StringAttribute)
encrypt.salt (StringAttribute)
encrypt.tag (StringAttribute)

# Function ActionDigest

Compute digest from data.

ActionDigest(Args{
    "digest.input": "",
    "digest.algorithm": "SHA256",
})
// returns digest.err_message, digest.failure, digest.output

1
2
3
4
5

# Mandatory Parameters

digest.input: Input data on which digest needs to be computed.
digest.algorithm: Digest algorithm to compute.
- SHA224: SHA224
- SHA256: SHA256
- SHA384: SHA384
- SHA512: SHA512
- WHIRLPOOL: WHIRLPOOL
- MD4: MD4 (insecure, not recommended)
- MD5: MD5 (insecure, not recommended)
- RIPEMD160: RIPEMD160 (insecure, not recommended)
- SHA1: SHA1 (insecure, not recommended)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

digest.err_message (StringAttribute)
digest.failure (BooleanAttribute)
digest.output (StringAttribute)

# Function ActionExtractExtraParameters

Extract parameters from a user-defined string.

ActionExtractExtraParameters(Args{
    "table.name": "",
    "input": "",
    "pv-pair.delimiter": "",
    "pv.delimiter": "",
    "empty.params": "false",
})
// returns ${params[table.name]}, extract.extra.parameters.err_message, extract.extra.parameters.failed

1
2
3
4
5
6
7
8

# Mandatory Parameters

table.name: An attribute name is required (eg: http.request.query.vars).
input: Input string where parameters are to be parsed.
pv-pair.delimiter: The separator between two <param-value> pairs.
pv.delimiter: The separator between a param and its value.
empty.params: Ignore parameters with no names

# Optional Parameters

start: Starting pattern. Will search for <variable-value> pairs from here.
end: Ending pattern. Will stop searching for <variable-value> pairs from here.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[table.name]} (TableAttribute)
extract.extra.parameters.err_message (StringAttribute)
extract.extra.parameters.failed (BooleanAttribute)

# Function ActionHostnameMapping

Replace hostnames on cookies, headers and body, in an html document.

ActionHostnameMapping(Args{
    "public.hostname": "",
    "private.hostname": "",
    "do.cookies": "false",
    "do.body": "false",
    "do.headers": "false",
})

1
2
3
4
5
6
7

# Mandatory Parameters

public.hostname: The public hostname, which is the replacement of the private hostname
private.hostname: The private hostname, which will be replaced by public hostname
do.cookies: Change hosts in cookies
do.body: Change hosts in body
do.headers: Change hosts in headers

# Optional Parameters

force.http: Works in BODY ONLY. Change hosts only when prefixed with http:// or https://
all.headers: Check all headers for host change
custom.headers: Specify a list a headers to check for host change. It must be a comma or space separated header list.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.response.body (StringAttribute)
http.response.cookies (TableAttribute)
http.response.headers (TableAttribute)

# Function ActionModifyContent

Response content modification (type text/* only).

ActionModifyContent(Args{
    "src.type": "string",
    "src": "",
    "dst": "",
})

1
2
3
4
5

# Mandatory Parameters

src.type: Source type: simple string or regular expression.
- string: String
- regex: RegularExpression
src: Source text to be replaced (type: string), or regular expression to change when matches (type: regex)
dst: Replacement text. Can contain captures from regex with \1, \2, ...

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.response.body (StringAttribute)
http.response.headers (TableAttribute)

# Function ActionQueryVariableAdd

Add a query variable.

ActionQueryVariableAdd(Args{
    "key": "",
})

1
2
3

# Mandatory Parameters

key: The name of the variable to create

# Optional Parameters

value: The value to set for this variable.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.query.vars (TableAttribute)

# Function ActionQueryVariableSet

Set a query variable.

ActionQueryVariableSet(Args{
    "key": "",
    "capture": "false",
})

1
2
3
4

# Mandatory Parameters

key: The name of the variable to set
capture: Whether to capture the original value (default: No). Nothing is done if the original value doesn't exist.

# Optional Parameters

capture_re: The regexp to capture the original value
modify: Whether to modify the original value only (default: No). Nothing is done if the original value doesn't exist.
value: The value to set for this variable. When capture mode is enabled, this is the substitution regexp.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.query.vars (TableAttribute)

# Function ActionQueryVariableUnset

Unset a query variable.

ActionQueryVariableUnset(Args{
    "key": "",
})

1
2
3

# Mandatory Parameters

key: The name of the variable to delete

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.query.vars (TableAttribute)

# Function ActionRequestHeaderAdd

Add a request header.

ActionRequestHeaderAdd(Args{
    "key": "",
})

1
2
3

# Mandatory Parameters

key: The name of the header to create

# Optional Parameters

value: The value to set for this header.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.headers (TableAttribute)

# Function ActionRequestHeaderSet

Set a request header.

ActionRequestHeaderSet(Args{
    "key": "",
    "capture": "false",
})

1
2
3
4

# Mandatory Parameters

key: The name of the header to set
capture: Whether to capture the original value (default: No). Nothing is done if the original value doesn't exist.

# Optional Parameters

capture_re: The regexp to capture the original value
modify: Whether to modify the original value only (default: No). Nothing is done if the original value doesn't exist.
value: The value to set for this header. When capture mode is enabled, this is the substitution regexp.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.headers (TableAttribute)

# Function ActionRequestHeaderUnset

Unset a request header.

ActionRequestHeaderUnset(Args{
    "key": "",
})

1
2
3

# Mandatory Parameters

key: The name of the header to delete

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.headers (TableAttribute)

# Function ActionResponseHeaderAdd

Add a response header.

ActionResponseHeaderAdd(Args{
    "key": "",
})

1
2
3

# Mandatory Parameters

key: The name of the header to create

# Optional Parameters

value: The value to set for this header.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.response.headers (TableAttribute)

# Function ActionResponseHeaderSet

Set a response header.

ActionResponseHeaderSet(Args{
    "key": "",
    "capture": "false",
})

1
2
3
4

# Mandatory Parameters

key: The name of the header to set
capture: Whether to capture the original value (default: No). Nothing is done if the original value doesn't exist.

# Optional Parameters

capture_re: The regexp to capture the original value
modify: Whether to modify the original value only (default: No). Nothing is done if the original value doesn't exist.
value: The value to set for this header. When capture mode is enabled, this is the substitution regexp.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.response.headers (TableAttribute)

# Function ActionResponseHeaderUnset

Unset a response header.

ActionResponseHeaderUnset(Args{
    "key": "",
})

1
2
3

# Mandatory Parameters

key: The name of the header to delete

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.response.headers (TableAttribute)

# Function ActionRewriteRule

Rewrite the URL (path[?query]) using capturing/substitution regexps.

ActionRewriteRule(Args{
    "capture_re": "^(.*)$",
    "replace_re": "\1",
    "proxy": "false",
})

1
2
3
4
5

# Mandatory Parameters

capture_re: The regexp to capture the original URL (path[?query]).
replace_re: The regexp to replace the captured URL.
proxy: Whether to rewrite the backend Host/IP/Port or not (default).

# Optional Parameters

replace_flags: The regexp flags used for replacement [perl gmixs].
host: The Host header sent to the backend.
ip: The IP/Hostname used to connect the backend.
port: The port used to connect the backend.
ssl: Whether to use SSL with the backend or not (default).

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.headers (TableAttribute)
http.request.path (StringAttribute)
http.request.query (StringAttribute)

# Function ActionSign

Sign data bloc.

ActionSign(Args{
    "sign.input": "",
    "sign.algorithm": "RSA",
    "digest.algorithm": "SHA256",
})
// returns sign.err_message, sign.failure, sign.output

1
2
3
4
5
6

# Mandatory Parameters

sign.input: Plain text to sign.
sign.algorithm: Digest algorithm used for signature.
- RSA: RSA
- HMAC: HMAC
- RSA-PSS: RSA-PSS
digest.algorithm: Digest algorithm used for signature.
- SHA224: SHA224
- SHA256: SHA256
- SHA384: SHA384
- SHA512: SHA512
- WHIRLPOOL: WHIRLPOOL
- MD4: MD4 (insecure, not recommended)
- MD5: MD5 (insecure, not recommended)
- RIPEMD160: RIPEMD160 (insecure, not recommended)
- SHA1: SHA1 (insecure, not recommended)

# Optional Parameters

keystored: Set to 'No' with HMAC to specify the passphrase here.
- true: Yes (recommended)
- false: No
passphrase: Passphrase to use for HMAC.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

sign.err_message (StringAttribute)
sign.failure (BooleanAttribute)
sign.output (StringAttribute)

# Security

# Function ActionICXSecurityEngine

Execute ICX using the specified configuration.

ActionICXSecurityEngine(Args{
    "configuration": "", // ICXConfiguration
    "decodeLOS": "0",
    "switchEmptyValue": "true",
    "bodyUsed": "64",
    "icxCacheEntryCount": "4096",
})
// returns icx.blocking.reason, icx.blocking.rules, icx.policy.name, icx.policy.uid, icx.request.blocked, icx.request.processed

1
2
3
4
5
6
7
8

# Mandatory Parameters

configuration: ICX Configuration (profile) to use.
decodeLOS: Customize LOS encoded data policy (default case do not impact those encoded data buffers).
- 0: Disable LOS detection
- 1: Handle LOS decoding errors as attacks
- 2: Lazy LOS decoding
- 3: Discard LOS values
- 4: Ignore/truncate LOS values
switchEmptyValue: Whether to switch key/value pairs while evaluating a rule if key is empty (default: Yes). Nothing is done if key is not empty. In URL 'http://a.b.com/?valueIsHere' ICX engine will handle 'valueIsHere' as value and '' as the parameter name if switch is enabled.
bodyUsed: The body vars size (in kilobytes) beyond which the ICX Engine ignores the data (default: 64, -1 for no limit).
icxCacheEntryCount: Enable regular expression result caching for fast pattern matching. Specify ICX cache entry count per pattern. More the value is high more the reverse proxy will consume memory.
- 0: Disable
- 128: 128 entries
- 256: 256 entries
- 512: 512 entries
- 1024: 1K entries
- 2048: 2K entries
- 4096: 4K entries
- 8192: 8K entries
- 16384: 16K entries
- 65536: 64K entries
- 262144: 256K entries
- 1048576: 1M entries

# Optional Parameters

xml.doc.attr: XML document attribute to read. (optional)
icxCacheMinSize: Minimum size of values cached. Use that parameter to avoid cache poisoning with insignificant values that should not be cached as far as short value matching is fast enough.
- 1: 1 byte
- 4: 4 bytes
- 8: 8 bytes
- 16: 16 bytes
- 32: 32 bytes
- 64: 64 bytes
- 128: 128 bytes
- 256: 256 bytes
- 512: 512 bytes
icxCacheMaxSize: Maximum size of values cached. Use that parameter to avoid cache poisoning with insignificant values that should not be cached as far as long value matching reuse from cache is poor.
- 128: 128 bytes
- 256: 256 bytes
- 512: 512 bytes
- 1024: 1K bytes
- 2048: 2K bytes
- 4096: 4K bytes
- 8192: 8K bytes
- 16384: 16K bytes
- 32768: 32K bytes
- 65536: 64K bytes
- 131072: 128K bytes
icxCacheTimeMin: Cache values only when computation time when long. If matching is too fast caching is avoid. Time given in nano seconds.
- 0: Always
- 1: 1 ns
- 4: 4 ns
- 16: 16 ns
- 64: 64 ns
- 256: 256 ns
- 1024: 1024 ns
- 10000: 10 ms
- 100000: 100 ms
- 500000: 500 ms
- 1000000: 1 s

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.body.vars (TableAttribute)
http.request.cookies (TableAttribute)
http.request.headers (TableAttribute)
http.request.host (StringAttribute)
http.request.ip-dst (StringAttribute)
http.request.ip-src (StringAttribute)
http.request.method (StringAttribute)
http.request.path (StringAttribute)
http.request.port-dst (StringAttribute)
http.request.protocol (StringAttribute)
http.request.query (StringAttribute)
http.request.query.vars (TableAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

icx.blocking.reason (StringAttribute)
icx.blocking.rules (TableAttribute)
icx.policy.name (StringAttribute)
icx.policy.uid (StringAttribute)
icx.request.blocked (BooleanAttribute)
icx.request.processed (BooleanAttribute)

# Function ActionLibinjectionSqli

Advanced engine checking request parts against SQL Injection.

ActionLibinjectionSqli(Args{
    "canon_attr": "",
    "path": "false",
    "headers": "true",
    "cookies": "true",
    "getvars": "true",
    "postvars": "true",
})
// returns sqli.hits, sqli.request.blocked

1
2
3
4
5
6
7
8
9

# Mandatory Parameters

canon_attr: The normalization attribute to use.
path: Verify the request path.
headers: Verify the request headers.
cookies: Verify the request cookies.
getvars: Verify the request get parameters.
postvars: Verify the request post parameters.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

sqli.hits (StringAttribute)
sqli.request.blocked (BooleanAttribute)

# Function ActionCmdiSec

Advanced engine checking request parts against Command Injections.

ActionCmdiSec(Args{
    "canon_attr": "",
    "path": "false",
    "headers": "true",
    "cookies": "true",
    "getvars": "true",
    "postvars": "true",
    "windows": "true",
    "unix": "true",
    "backdoor_mode": "true",
})
// returns cmdi.request.blocked

1
2
3
4
5
6
7
8
9
10
11
12

# Mandatory Parameters

canon_attr: The normalization attribute to use.
path: Verify the request path.
headers: Verify the request headers.
cookies: Verify the request cookies.
getvars: Verify the request get parameters.
postvars: Verify the request post parameters.
windows: Enable windows commands matching
unix: Enable Unix commands matching
backdoor_mode: Enable webshell mode: do not look for escaping characters before a command

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

cmdi.request.blocked (BooleanAttribute)

# Function ActionHTMLSec

Advanced engine checking request parts against Html injections (XSS).

ActionHTMLSec(Args{
    "canon_attr": "",
    "block_script_events": "true",
    "block_html4_tags": "true",
    "block_html5_tags": "true",
    "path": "false",
    "headers": "true",
    "cookies": "true",
    "getvars": "true",
    "postvars": "true",
})
// returns xss.request.blocked

1
2
3
4
5
6
7
8
9
10
11
12

# Mandatory Parameters

canon_attr: The normalization attribute to use.
block_script_events: Block Script events ( 'onMouseOver', 'onClick'...)
block_html4_tags: Block certain HTML4 tags known as potential threats.
block_html5_tags: Block certain HTML5 tags known as potential threats.
path: Verify the request path.
headers: Verify the request headers.
cookies: Verify the request cookies.
getvars: Verify the request get parameters.
postvars: Verify the request post parameters.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

xss.request.blocked (BooleanAttribute)

# Function ActionPathSec

Advanced engine checking request parts against Path traversal.

ActionPathSec(Args{
    "canon_attr": "",
    "path": "true",
    "headers": "false",
    "cookies": "false",
    "getvars": "false",
    "postvars": "false",
})
// returns patht.request.blocked

1
2
3
4
5
6
7
8
9

# Mandatory Parameters

canon_attr: The normalization attribute to use.
path: Verify the request path.
headers: Verify the request headers.
cookies: Verify the request cookies.
getvars: Verify the request get parameters.
postvars: Verify the request post parameters.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

patht.request.blocked (BooleanAttribute)

# Function ActionCookieCiphering

Cookie Ciphering.

ActionCookieCiphering(Args{
    "cookie-accept": ".*",
})
// returns http.cookie-ciphering.undecipherable, http.cookie-ciphering.undecipherable-cookies

1
2
3
4

# Mandatory Parameters

cookie-accept: A regexp to select cookies to handle.

# Optional Parameters

cookie-reject: A regexp to select the cookies to ignore (session cookies, ie. BWFSESSIDs, are always ignored, no need to filter them here).

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.cookies (TableAttribute)
http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

http.cookie-ciphering.undecipherable (BooleanAttribute)
http.cookie-ciphering.undecipherable-cookies (TableAttribute)

# Function ActionCustomSecurityEvent

Create a custom security alert in security events table.

ActionCustomSecurityEvent(Args{
    "part": "Select",
    "severity": "Notice",
    "reason": "",
    "riskLevel": "",
    "attackFamily": "Select",
    "customMessage": "",
})

1
2
3
4
5
6
7
8

# Mandatory Parameters

part: Part request where the event has been detected.
- No Part: No Part
- SrcIP: SrcIP
- DstIP: DstIP
- DstPort: DstPort
- Method: Method
- Protocol: Protocol
- Hostname: Hostname
- Path: Path
- Query: Query
- Header: Header
- Cookie: Cookie
- Var_GET: Var_GET
- Var_POST: Var_POST
- Var_XML: Var_XML
- Var_TOKEN: Var_TOKEN
- URI: URI
- Multiple: Multiple
severity: Severity of the event.
- 0: Emergency
- 1: Alert
- 2: Critical
- 3: Error
- 4: Warning
- 5: Notice
- 6: Informational
- 7: Debugging
reason: Reason of the Event
riskLevel: Risk level of the event (0 to 10).
attackFamily: Attack family of the event.
- No Attack Family: No Attack Family
- Command Injection: Command Injection
- Cross-Site Scripting (XSS): Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF): Cross-Site Request Forgery (CSRF)
- SQL Injection: SQL Injection
- Other Injection: Other Injection
- Path Traversal: Path Traversal
- File Inclusion: File Inclusion
- Parser Evasion: Parser Evasion
- Buffer Overflow: Buffer Overflow
- Denial of Service: Denial of Service
- Security Misconfiguration: Security Misconfiguration
- Open Redirect: Open Redirect
- Scanner: Scanner
- XML Security: XML Security
- JSON Security: JSON Security
- Other: Other
- Bots and Web Scraping: Bots and Web Scraping
customMessage: The message to log. 512 characters maximum. If an attribute is specified in the message, it will be truncated after 512 characters

# Optional Parameters

cwe: CWE number of the event

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.security.events (SecurityEventsAttribute)

# Function ActionLogSecurity

Send security alert(s) in database.

ActionLogSecurity(Args{
    "logType": "security",
    "truncate": "16384",
    "sendLog": "true",
})
// returns log.failed, log.message, log.sent, log.uid

1
2
3
4
5
6

# Mandatory Parameters

logType: Choose a log type
- security: Security
- botMitigation: Bot Mitigation
truncate: Size (in bytes) above which request fields (e.g. body, header values) are truncated (default: 16384, minimum 128).
sendLog: Choose no if you only want the log message to be set in provided attribute log.message

# Optional Parameters

engineUid: Send alerts thrown by the configured security engine. By default, all alerts (from all engines) will be logged. 'Custom' allows to log a custom message.
- allEngines:
- icxEngine: ICX Engine
- normalizationEngine: Normalization Engine
- blacklistEngine: Blacklist Engine
- scoringlistEngine: Scoringlist Engine
- sqliEngine: Adv. Detection Engine - SQLi
- pathtEngine: Adv. Detection Engine - Path Traversal
- xssEngine: Adv. Detection Engine - XSS
- cmdiEngine: Adv. Detection Engine - CMDi
- cookieCiphering: Cookie Ciphering
- cookieVirtualization: Cookie Virtualization
- cookieTracking: Cookie Tracking
- xmlParsing: XML Parsing
- xmlSchemaValidation: XML Schema Validation
- jsonSchemaValidation: JSON Schema Validation
- sitemapValidation: Sitemap Validation
- custom: Custom
- ipReputation: IP Reputation
tags: Tags to group your security alerts. This field accepts maximum of 16 alpha numeric + '' tags separated by spaces (32 characters maximum). This field can contain workflow expression evaluated at runtime. Notice that, when using workflow expression, values containing characters other than alphanumeric or '' are removed before sending to database.
customMessage: The message to log, 512 characters maximum. If an attribute is specified in the message, it will be truncated after 512 characters.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

appliance.name (String)
appliance.uid (String)
backend.host (String)
backend.port (String)
http.request.body (String)
http.request.cooklines (Table)
http.request.headers (Table)
http.request.host (String)
http.request.ip-dst (String)
http.request.ip-src (String)
http.request.method (String)
http.request.path (String)
http.request.port-dst (String)
http.request.protocol (String)
http.request.query (String)
http.request.security.events (SecurityEventsAttribute)
http.request.uid (String)
rproxy.name (String)
rproxy.uid (String)
tunnel.name (String)
tunnel.uid (String)
workflow.name (String)
workflow.uid (String)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

log.failed (BooleanAttribute)
log.message (StringAttribute)
log.sent (BooleanAttribute)
log.uid (StringAttribute)

# Function ActionSecurityEvent

Create a custom security alert in security events table.

ActionSecurityEvent(Args{
    "part": "Select",
    "severity": "Notice",
    "reason": "",
})

1
2
3
4
5

# Mandatory Parameters

part: Part request where the event has been detected.
- No Part: No Part
- SrcIP: SrcIP
- DstIP: DstIP
- DstPort: DstPort
- Method: Method
- Protocol: Protocol
- Hostname: Hostname
- Path: Path
- Query: Query
- Header: Header
- Cookie: Cookie
- Var_GET: Var_GET
- Var_POST: Var_POST
- Var_XML: Var_XML
- Var_TOKEN: Var_TOKEN
- URI: URI
- Multiple: Multiple
severity: Severity of the event.
- 0: Emergency
- 1: Alert
- 2: Critical
- 3: Error
- 4: Warning
- 5: Notice
- 6: Informational
- 7: Debugging
reason: Reason of the Event

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.security.events (SecurityEventsAttribute)

# Function ActionSecurityExceptionManagement

Manage security exceptions using the specified configuration.

ActionSecurityExceptionManagement(Args{
    "configuration": "", // SecurityExceptionConfiguration
})
// returns security.exception.blocked, security.exception.events

1
2
3
4

# Mandatory Parameters

configuration: Security Exception Configuration (profile) to use.

# Optional Parameters

xml.doc.attr: XML document attribute to read. (optional)
decodeLOS: Customize LOS encoded data policy (default case do not impact those encoded data buffers).
- 0: Disable LOS detection
- 1: Handle LOS decoding errors as attacks
- 2: Lazy LOS decoding
- 3: Discard LOS values
- 4: Ignore/truncate LOS values
switchEmptyValue: Whether to switch key/value pairs while evaluating a rule if key is empty (default: Yes). Nothing is done if key is not empty. In URL 'http://a.b.com/?valueIsHere' ICX engine will handle 'valueIsHere' as value and '' as the parameter name if switch is enabled.
bodyUsed: The body vars size (in kilobytes) beyond which the ICX Engine ignores the data (default: 64, -1 for no limit).
icxCacheEntryCount: Enable regular expression result caching for fast pattern matching. Specify ICX cache entry count per pattern. More the value is high more the reverse proxy will consume memory.
- 0: Disable
- 128: 128 entries
- 256: 256 entries
- 512: 512 entries
- 1024: 1K entries
- 2048: 2K entries
- 4096: 4K entries
- 8192: 8K entries
- 16384: 16K entries
- 65536: 64K entries
- 262144: 256K entries
- 1048576: 1M entries
icxCacheMinSize: Minimum size of values cached. Use that parameter to avoid cache poisoning with insignificant values that should not be cached as far as short value matching is fast enough.
- 1: 1 byte
- 4: 4 bytes
- 8: 8 bytes
- 16: 16 bytes
- 32: 32 bytes
- 64: 64 bytes
- 128: 128 bytes
- 256: 256 bytes
- 512: 512 bytes
icxCacheMaxSize: Maximum size of values cached. Use that parameter to avoid cache poisoning with insignificant values that should not be cached as far as long value matching reuse from cache is poor.
- 128: 128 bytes
- 256: 256 bytes
- 512: 512 bytes
- 1024: 1K bytes
- 2048: 2K bytes
- 4096: 4K bytes
- 8192: 8K bytes
- 16384: 16K bytes
- 32768: 32K bytes
- 65536: 64K bytes
- 131072: 128K bytes
icxCacheTimeMin: Cache values only when computation time when long. If matching is too fast caching is avoid. Time given in nano seconds.
- 0: Always
- 1: 1 ns
- 4: 4 ns
- 16: 16 ns
- 64: 64 ns
- 256: 256 ns
- 1024: 1024 ns
- 10000: 10 ms
- 100000: 100 ms
- 500000: 500 ms
- 1000000: 1 s
analyse: Whether to keep engine analysis for alerting.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.body.vars (TableAttribute)
http.request.cookies (TableAttribute)
http.request.headers (TableAttribute)
http.request.host (StringAttribute)
http.request.ip-dst (StringAttribute)
http.request.ip-src (StringAttribute)
http.request.method (StringAttribute)
http.request.path (StringAttribute)
http.request.port-dst (StringAttribute)
http.request.protocol (StringAttribute)
http.request.query (StringAttribute)
http.request.query.vars (TableAttribute)
http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

security.exception.blocked (BooleanAttribute)
security.exception.events (SecurityEventsAttribute)

# Function ActionSitemapValidation

Validate a request with a given sitemap.

ActionSitemapValidation(Args{
    "sitemap": "", // OpenAPI
})
// returns sitemap.blocked

1
2
3
4

# Mandatory Parameters

sitemap: The sitemap this action will use.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.body (StringAttribute)
http.request.body.vars (TableAttribute)
http.request.headers (TableAttribute)
http.request.method (StringAttribute)
http.request.path (StringAttribute)
http.request.query.vars (TableAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

sitemap.blocked (BooleanAttribute)

# Response

# Function ActionGenerateResponse

Generate the response.

ActionGenerateResponse(Args{
    "status": "200",
    "http-1.0": "false",
})
// returns http.response.body, http.response.body.error, http.response.body.error-string, http.response.body.fetched, http.response.cookies, http.response.cooklines, http.response.headers, http.response.host, http.response.port, http.response.protocol, http.response.reason, http.response.status, static.response.failed, static.response.failed.body, static.response.failed.headers, static.response.failed.protocol, static.response.failed.status

1
2
3
4
5

# Mandatory Parameters

status: The response status.
http-1.0: Downgrade the response to HTTP version 1.0 (if not already).

# Optional Parameters

content-default: Use the content associated with the status instead of the one below (not applicable with 200 status where the content is mandatory).
use-static-content: Serve a static content.
static-content-expr: Static Content Path to use (can be an expression, must start with a /)
static-content-fetching: Whether (or not) to fetch the response body now (and possibly store big ones on disk) for further usage in the workflow. [Auto]matic fetching mode won't fetch the body unless (and when) it is used explicitly later in the workflow. [Now] fetching mode can be usefull when further body usage cannot be detected at runtime (eval()uated expression...).
- AUTO: Auto
- ALWAYS: Now
- NEVER: Never
static-content-err-status: Status to use when no static content is found for the request.
content-type: The content type to serve.
content: The content to serve (can be empty).

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

http.response.body (StringAttribute)
http.response.body.error (BooleanAttribute)
http.response.body.error-string (StringAttribute)
http.response.body.fetched (BooleanAttribute)
http.response.cookies (TableAttribute)
http.response.cooklines (TableAttribute)
http.response.headers (TableAttribute)
http.response.host (StringAttribute)
http.response.port (StringAttribute)
http.response.protocol (StringAttribute)
http.response.reason (StringAttribute)
http.response.status (StringAttribute)
static.response.failed (BooleanAttribute)
static.response.failed.body (StringAttribute)
static.response.failed.headers (TableAttribute)
static.response.failed.protocol (StringAttribute)
static.response.failed.status (StringAttribute)

# Function ActionProxyRequest

Proxy the request to the backend server.

ActionProxyRequest(Args{
    "ntlm": "false",
    "upgrade": "false",
    "body.fetching": "AUTO",
})
// returns http.response.body, http.response.body.error, http.response.body.error-string, http.response.body.fetched, http.response.cookies, http.response.cooklines, http.response.headers, http.response.host, http.response.port, http.response.protocol, http.response.reason, http.response.status, proxy.response.failed, proxy.response.failed.body, proxy.response.failed.headers, proxy.response.failed.host, proxy.response.failed.port, proxy.response.failed.protocol, proxy.response.failed.status

1
2
3
4
5
6

# Mandatory Parameters

ntlm: Whether to use the NTLM authentication, or not (default).
upgrade: Whether or not (default) to forward Upgrade (e.g. Websocket) requests from the client to the backend, for the latter to be able to switch the protocol (its choice). If/when that happens, since the new protocol lasts until one end closes the connection, this node can't return with an HTTP response and thus the workflow will be aborted (the following nodes will be bypassed).
body.fetching: Whether (or not) to fetch the response body now (and possibly store big ones on disk) for further usage in the workflow. [Auto]matic fetching mode won't fetch the body unless (and when) it is used explicitly later in the workflow. [Now] fetching mode can be usefull when further body usage cannot be detected at runtime (eval()uated expression...).
- AUTO: Auto
- ALWAYS: Now
- NEVER: Never

# Optional Parameters

forward: Whether to forward the NTLM authentication supplied by the client, or not (default).
version: The NTLM version supplied by the proxy (default: NTLMv1).
- V2: NTLMv2
- 2S: NTLM2s
- V1: NTLMv1
- L2: LMv2
- LM: LMv1
login: The NTLM login supplied by the proxy
password: The NTLM password supplied by the proxy
domain: The NTLM domain supplied by the proxy
workstation: The NTLM workstation supplied by the proxy
negotiateAlwaysSign: Whether to set the Negotiate Always Sign flag in the NTLM request, or not (default).
bind: Whether to bind the backend's connection to the client's one (default), or not.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.body (StringAttribute)
http.request.headers (TableAttribute)
http.request.hostname (StringAttribute)
http.request.ip-dst (StringAttribute)
http.request.method (StringAttribute)
http.request.path (StringAttribute)
http.request.port-dst (StringAttribute)
http.request.protocol (StringAttribute)
http.request.query (StringAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

http.response.body (StringAttribute)
http.response.body.error (BooleanAttribute)
http.response.body.error-string (StringAttribute)
http.response.body.fetched (BooleanAttribute)
http.response.cookies (TableAttribute)
http.response.cooklines (TableAttribute)
http.response.headers (TableAttribute)
http.response.host (StringAttribute)
http.response.port (StringAttribute)
http.response.protocol (StringAttribute)
http.response.reason (StringAttribute)
http.response.status (StringAttribute)
proxy.response.failed (BooleanAttribute)
proxy.response.failed.body (StringAttribute)
proxy.response.failed.headers (TableAttribute)
proxy.response.failed.host (StringAttribute)
proxy.response.failed.port (StringAttribute)
proxy.response.failed.protocol (StringAttribute)
proxy.response.failed.status (StringAttribute)

# Function ActionSoapFaultResponse

Generate a soap-fault response.

ActionSoapFaultResponse(Args{
    "http-1.0": "false",
    "status": "500",
    "fault.code": "soap:Server",
})
// returns http.response.body, http.response.body.error, http.response.body.error-string, http.response.body.fetched, http.response.cookies, http.response.cooklines, http.response.headers, http.response.host, http.response.port, http.response.protocol, http.response.reason, http.response.status

1
2
3
4
5
6

# Mandatory Parameters

http-1.0: Use a HTTP version 1.0 response instead of 1.1.
status: The response status.
fault.code: The Soap Message to send

# Optional Parameters

fault.string: The Soap Message to send

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

http.response.body (StringAttribute)
http.response.body.error (BooleanAttribute)
http.response.body.error-string (StringAttribute)
http.response.body.fetched (BooleanAttribute)
http.response.cookies (TableAttribute)
http.response.cooklines (TableAttribute)
http.response.headers (TableAttribute)
http.response.host (StringAttribute)
http.response.port (StringAttribute)
http.response.protocol (StringAttribute)
http.response.reason (StringAttribute)
http.response.status (StringAttribute)

# API security

# Function ActionJSONAttributeGet

Extract a JSON attribute entry.

ActionJSONAttributeGet(Args{
    "jsonattr": "",
    "name": "",
})
// returns ${params[name]}, json.err_message, json.failure

1
2
3
4
5

# Mandatory Parameters

jsonattr: A input JSON attribute name is required.
name: A output JSON attribute name is required.

# Optional Parameters

jsonPointer: The JSON Pointer to filter the key to get (see RFC 6901).

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[name]} (JsonAttribute)
json.err_message (StringAttribute)
json.failure (BooleanAttribute)

# Function ActionJSONAttributeSet

Set a JSON attribute entry.

ActionJSONAttributeSet(Args{
    "name": "",
    "value.type": "",
})
// returns ${params[name]}, json.err_message, json.failure

1
2
3
4
5

# Mandatory Parameters

name: A JSON attribute name is required.
value.type:
- null: Null
- bool: Boolean
- int: Number (Int)
- double: Number (double)
- str: String
- jsonstr: JSON
- jsonattr: JSON Attribute

# Optional Parameters

jsonPointer: The JSON Pointer to filter the key to set (see RFC 6901).
value.bool:
- true: true
- false: false
value.int: An integer is required.
value.double: A float is required.
value.str: The string value to set or a reference to the entire attribute to set (with key "${}").
value.jsonstr: The JSON to set or a reference to the entire attribute to set (with key "${}").
value.jsonattr: A JSON attribute is required.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[name]} (JsonAttribute)
json.err_message (StringAttribute)
json.failure (BooleanAttribute)

# Function ActionJSONAttributeUnset

Unset a JSON attribute entry.

ActionJSONAttributeUnset(Args{
    "name": "",
    "jsonPointer": "",
})
// returns json.err_message, json.failure

1
2
3
4
5

# Mandatory Parameters

name: A JSON attribute name is required.
jsonPointer: The JSON Pointer to reference key to unset (see RFC 6901).

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

json.err_message (StringAttribute)
json.failure (BooleanAttribute)

# Function ActionJSONToTable

Parse JSON data and fill a table from its content.

ActionJSONToTable(Args{
    "out.table": "",
    "input": "",
    "separator": "/",
})
// returns ${params[out.table]}, json.to.table.err_message, json.to.table.failure

1
2
3
4
5
6

# Mandatory Parameters

out.table: The name of the table to create or complete.
input: Enter the JSON data to parse
separator: Sets the separator between elements

# Optional Parameters

null: Choose a value to set in the table when a null attribute is found
count.arrays: Set to yes if you want array names to be suffixed by the index. The separator will be ':'

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[out.table]} (TableAttribute)
json.to.table.err_message (StringAttribute)
json.to.table.failure (BooleanAttribute)

# Function ActionJWTGenerate

Generate a JSON Web Token.

ActionJWTGenerate(Args{
    "json.payload": "",
    "jwt.name": "",
    "jwt.sign.algorithm": "HS256",
})
// returns ${params[jwt.name]}, jwt.generate.err_message, jwt.generate.failure

1
2
3
4
5
6

# Mandatory Parameters

json.payload: The JSON payload to use.
jwt.name: The attribute name of the generated JWT
jwt.sign.algorithm: Algorithm used for signature.
- HS256: HS256 (HMAC using SHA-256)
- HS384: HS384 (HMAC using SHA-384)
- HS512: HS512 (HMAC using SHA-512)
- RS256: RS256 (RSASSA-PKCS1-v1_5 using SHA-256)
- RS384: RS384 (RSASSA-PKCS1-v1_5 using SHA-384)
- RS512: RS512 (RSASSA-PKCS1-v1_5 using SHA-512)
- PS256: PS256 (RSASSA-PSS using and MGF1 with SHA-256)
- PS384: PS384 (RSASSA-PSS using and MGF1 with SHA-384)
- PS512: PS512 (RSASSA-PSS using and MGF1 with SHA-512)
- NONE: None (insecure, not recommended)

# Optional Parameters

jwt.regclaim.iss: Issuer. Override existing "Issuer" claims in json payload.
jwt.regclaim.sub: Subject. Override existing "Subject" claims in json payload.
jwt.regclaim.aud: Audience(s).Audience can be a string if one audience or an array if one or more audience. Override existing "Audience(s)" claims in json payload.
jwt.regclaim.exp: Expiration Time (timestamp in second). ex: ${calc(calc(time(), '/', '1000000'), '+', '120')}. Override existing "" claims in json payload.
jwt.regclaim.nbf: Not Before (timestamp in second). ex: ${calc(calc(time(), '/', '1000000'), '-', '60')}. Override existing "Not Before" claims in json payload.
jwt.regclaim.iat: Issued At (timestamp in second). ex: ${calc(time(), '/', '1000000')}. Override existing "" claims At in json payload.
jwt.regclaim.jti: JWT ID. Override existing "JWT ID" claims in json payload.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[jwt.name]} (StringAttribute)
jwt.generate.err_message (StringAttribute)
jwt.generate.failure (BooleanAttribute)

# Function ActionJWTParsing

Parse a JSON Web Token to extract a JSON payload and a JSON header.

ActionJWTParsing(Args{
    "jwt": "",
    "prefix": "json.parsing",
    "jwt.sign.algorithm": "AUTODETECT",
})
// returns ${params[prefix]}.header, ${params[prefix]}.payload, jwt.parsing.err_message, jwt.parsing.failure, jwt.parsing.signature.err_message, jwt.parsing.signature.failure

1
2
3
4
5
6

# Mandatory Parameters

jwt: The value of the token to extract. The string value to set or a reference to the entire attribute to set (with key "${}"). Example: ${http.request.query.vars["jwt"]}
prefix: Specifies the prefix for the JSON provided attributes <prefix>.payload|header
jwt.sign.algorithm: Algorithm used for signature.
- AUTODETECT: Auto detect (use algorithm specified in claim)
- HS256: HS256 (HMAC using SHA-256)
- HS384: HS384 (HMAC using SHA-384)
- HS512: HS512 (HMAC using SHA-512)
- RS256: RS256 (RSASSA-PKCS1-v1_5 using SHA-256)
- RS384: RS384 (RSASSA-PKCS1-v1_5 using SHA-384)
- RS512: RS512 (RSASSA-PKCS1-v1_5 using SHA-512)
- PS256: PS256 (RSASSA-PSS using and MGF1 with SHA-256)
- PS384: PS384 (RSASSA-PSS using and MGF1 with SHA-384)
- PS512: PS512 (RSASSA-PSS using and MGF1 with SHA-512)
- NONE: None (insecure, not recommended)

# Optional Parameters

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[prefix]}.header (JsonAttribute)
${params[prefix]}.payload (JsonAttribute)
jwt.parsing.err_message (StringAttribute)
jwt.parsing.failure (BooleanAttribute)
jwt.parsing.signature.err_message (StringAttribute)
jwt.parsing.signature.failure (BooleanAttribute)

# Function ActionXMLGet

Get the table of an XPath expression result.

ActionXMLGet(Args{
    "xml.doc": "xml.parsing.doc",
    "xml.path": "",
    "prefix": "xml.get",
})
// returns ${params[prefix]}.error, ${params[prefix]}.failed, ${params[prefix]}.table

1
2
3
4
5
6

# Mandatory Parameters

xml.doc: Specifies an attribute containing the xml document
xml.path: The path expressions to navigate in xml documents
prefix: Specifies the prefix for the provided attributes <prefix>.table|failed|error

# Optional Parameters

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[prefix]}.error (StringAttribute)
${params[prefix]}.failed (BooleanAttribute)
${params[prefix]}.table (TableAttribute)

# Function ActionXMLModify

Modify an XML Document.

ActionXMLModify(Args{
    "xml.doc": "",
    "xml.xpath": "",
    "action": "Action",
})
// returns xml.modify.err_message, xml.modify.failure, xml.modify.nb_nodes

1
2
3
4
5
6

# Mandatory Parameters

xml.doc: Specifies an attribute containing the xml document
xml.xpath: The xpath expressions selecting nodes to modify
action: Action to do. Note that 'Add' action will only work on element nodes. Attributes and contents will be silently ignored.
- Add: Add
- Modify: Modify
- Delete: Delete

# Optional Parameters

filter: Filter node types
- Node: Select only XML Element nodes
- Attribute: Select only XML Attribute nodes
- Text: Select only XML Content nodes
what: What to add
- Content/Attributes: Content and/or Attributes
- NewNode: New Node
- ImportXML: Import from a workflow XML Attribute
- ImportTxt: Import from a text xml
add.txt_or_attr.attr: Add attributes to node
add.txt_or_attr.txt: Add Content to node
add.newnode.name: Name of the new node to add
add.newnode.ns: Namespace of the new node to add
add.newnode.nsurl: URL of namespace of the new node to add.
add.newnode.attr: Attributes of the new node to add
add.newnode.text: Content of the new node to add
add.importXML.xml: Source document to import
add.importXML.xpath: XPath to select nodes to import
add.importTxt.xml: XML Text to parse and import
add.importTxt.skip_root: Skip root and just import all of its children
add.where: Where to add
- Before: Before current
- After: After current
- Child: as Child of current
mod.node.replaceby: Replace By
- ImportXML: Import from XML Attribute
- ImportTxt: Import from a text xml
- Simple: Simple replace
mod.node.importXML: Source XML which will replace current node
mod.node.importXPath: This XPath will select nodes on Source XML which will replace current node.
mod.node.importTxt: XML Text to parse, it will replace current node
mod.node.skip_root: Skip root and just import all of its children
mod.node.name: New name of node.
mod.node.ns: New name space of node.
mod.node.nsurl: New URL name space of node.
mod.node.attr: Attributes update for current node
mod.node.attr.attr_fullReplace: Remove all old attributes and insert new attributes (Yes), or just add or modify current attributes with new ones
mod.node.text: New content
mod.attr.name: Modify attribute name
mod.attr.text: Modify attribute value
mod.text.text: Modify content

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

xml.modify.err_message (StringAttribute)
xml.modify.failure (BooleanAttribute)
xml.modify.nb_nodes (StringAttribute)

# Function ActionXMLParsing

Analyze an XML message and check that it conforms to the standard and other criteria such as size, message depth, etc.

ActionXMLParsing(Args{
    "prefix": "xml.parsing",
    "source": "Attr",
    "size_max": "0",
    "nested_max": "30",
    "allow_internal_entities": "true",
    "allow_external_entities": "false",
})
// returns ${params[prefix]}.doc, ${params[prefix]}.error, ${params[prefix]}.failed

1
2
3
4
5
6
7
8
9

# Mandatory Parameters

prefix: Specifies the prefix of the provided attributes <prefix>.doc|failed|error
source: Choose to parse either from an attribute, or a plain text
- Attr: Attribute
- HardCoded: Text
size_max: Specifies the maximum size for the XML document in bytes (0 for unlimited)
nested_max: Specifies the maximum number of nested elements allowed (0 for unlimited, default is 30)
allow_internal_entities: Choose if you want to allow internal entity declarations (Allowed by default)
allow_external_entities: Choose if you want to allow external entity declarations. (Denied by default)

# Optional Parameters

name: Specifies an attribute containing the XML text to parse.
xml: Plain XML text to parse.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[prefix]}.doc (XmlDocAttribute)
${params[prefix]}.error (StringAttribute)
${params[prefix]}.failed (BooleanAttribute)

# Function ActionXMLSign

Sign an XML Document.

ActionXMLSign(Args{
    "xmldoc": "",
    "sign.algorithm": "RSA_SHA256",
    "digest.algorithm": "SHA256",
    "add_transform.method": "NONE",
    "canon.method": "EXCL",
    "keep_empty_uri": "false",
    "whole.document": "false",
})
// returns xml.sign.err_message, xml.sign.failure, xml.sign.nb_nodes

1
2
3
4
5
6
7
8
9
10

# Mandatory Parameters

xmldoc: Specifies an attribute containing the xml document
sign.algorithm: The algorithm used to sign the XML message.
- RSA_SHA256: RSA-SHA256
- RSA_SHA512: RSA-SHA512
- RSA_RIPEMD160: RSA-RipeMD160
- HMAC_SHA256: HMAC-SHA256
- HMAC_SHA512: HMAC-SHA512
- HMAC_RIPEMD160: HMAC-RipeMD160
- RSA_SHA1: RSA-SHA1 (insecure, not recommended)
- RSA_MD5: RSA-MD5 (insecure, not recommended)
- DSA_SHA1: DSA-SHA1 (insecure, not recommended)
- HMAC_SHA1: HMAC-SHA1 (insecure, not recommended)
- HMAC_MD5: HMAC-MD5 (insecure, not recommended)
digest.algorithm: The algorithm used to generate XML message digest.
- SHA256: SHA256
- SHA512: SHA512
- MD5: MD5 (insecure, not recommended)
- SHA1: SHA1 (insecure, not recommended)
- RIPEMD160: RipeMD160 (insecure, not recommended)
add_transform.method: The additionnal transform method used.
- NONE:
- EXCL_W_COMMENT: Exclusive C14N with comments
- EXCL: Exclusive C14N without comments
canon.method: The method used for canonicalization.
- EXCL: Exclusive C14N without comments
- EXCL_W_COMMENT: Exclusive C14N with comments
- INCL: Inclusive C14N without comments
- INCL_W_COMMENT: Inclusive C14N with comments
keep_empty_uri: When Id tag is empty, this parameter tells to add en empty URI attribute to the Reference node of the XML Signature.
whole.document: Choose if you want to sign the whole document or only specified element

# Optional Parameters

hmac.key: Select the HMAC key.
provide.cert: Provides, or not, the X509 Certificate in the signature data
provide.key: Provides, or not, the key value. Should only be used when signing with a private key.
id: Set the 'Id' tag name. Default is 'xml:id'.
signature_xpath: The XPath expression to find the node before which the signature will be inserted, leave blank to insert as last child of the signed node
xpath: The XPath expressions selecting the element to sign

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

xml.sign.err_message (StringAttribute)
xml.sign.failure (BooleanAttribute)
xml.sign.nb_nodes (StringAttribute)

# Function ActionXSLTApply

Apply an XSLT to an XML Document.

ActionXSLTApply(Args{
    "attr_src": "",
    "attr_name": "",
    "xslt.source": "Source",
})
// returns ${params[attr_name]}, xslt.apply.err_message, xslt.apply.failure

1
2
3
4
5
6

# Mandatory Parameters

attr_src: XML to transform
attr_name: Resulting XML
xslt.source: Select XSLT Source
- WfAttr: From Workflow-xml-attribute
- Profile: From an XML File Profile

# Optional Parameters

xslt: XSLT to apply
xslt_params: Parameters to give to XSLT

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[attr_name]} (XmlDocAttribute)
xslt.apply.err_message (StringAttribute)
xslt.apply.failure (BooleanAttribute)

# Attributes

# Function ActionAttributesSplit

Create a table of all attributes with the given prefix.

ActionAttributesSplit(Args{
    "name": "",
    "prefix": "",
})
// returns ${params[name]}

1
2
3
4
5

# Mandatory Parameters

name: The name of the table attribute to create or overwrite.
prefix: The prefix of the attributes to be added to the table.

# Optional Parameters

key: The key under which the attributes should be added, or empty to use the entire table.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[name]} (TableAttribute)

# Function ActionSecurityEventsToTable

Set a table from a security events attribute.

ActionSecurityEventsToTable(Args{
    "name": "",
    "value": "",
})
// returns ${params[name]}

1
2
3
4
5

# Mandatory Parameters

name: The name of the table attribute to create or overwrite.
value: The name of the security events attribute to copy in the table.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[name]} (TableAttribute)

# Function ActionTableAttributeAdd

Add a table attribute entry.

ActionTableAttributeAdd(Args{
    "name": "",
    "key": "",
    "value": "",
})
// returns ${params[name]}

1
2
3
4
5
6

# Mandatory Parameters

name: A table attribute name is required (eg: http.request.headers).
key: The key to add in the table or "${}" to add an entire table.
value: The value to add or a reference to the entire table to add (with key "${}").

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[name]} (TableAttribute)

# Function ActionTableAttributeSet

Set a table attribute entry.

ActionTableAttributeSet(Args{
    "name": "",
    "key": "",
})
// returns ${params[name]}

1
2
3
4
5

# Mandatory Parameters

name: The table attribute name. It will be created if it doesn't exist.
key: The key to set in the table or "${}" to set an entire table.

# Optional Parameters

capture: Whether to capture the original value (default: No). Nothing is done if the original value doesn't exist.
capture_re: The regexp to capture the original value
modify: Whether to modify the original value only (default: No). Nothing is done if the original value doesn't exist.
value: The value to set or a reference to the entire table to set (with key "${}"). When capture mode is enabled, this is the substitution regexp.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[name]} (TableAttribute)

# Function ActionTableAttributeUnset

Unset a table attribute entry.

ActionTableAttributeUnset(Args{
    "name": "",
    "key": "",
})

1
2
3
4

# Mandatory Parameters

name: The table attribute on which the entry will be removed.
key: The key to remove from the table or "${}" to clear the entire table.

# Function ActionTableClear

Remove all table entries.

ActionTableClear(Args{
    "name": "",
})

1
2
3

# Mandatory Parameters

name: Table attribute on which all entries will be removed.

# Miscellaneous

# Function ActionCharTranslation

Translate from an encoding to an other.

ActionCharTranslation(Args{
    "in.text": "",
    "in.encoding": "",
    "out.encoding": "",
    "out.text": "",
})
// returns ${params[out.text]}, char.translation.err_message, char.translation.failure

1
2
3
4
5
6
7

# Mandatory Parameters

in.text: Input text to convert
in.encoding: Encoding of input text
out.encoding: Convert Input text to the selected encoding
out.text: Result will be stored in the specified attribute

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

${params[out.text]} (StringAttribute)
char.translation.err_message (StringAttribute)
char.translation.failure (BooleanAttribute)

# Function ActionSubRequest

Run a subrequest on the given host.

ActionSubRequest(Args{
    "ip": "${backend.host}",
    "port": "${backend.port}",
    "ssl": "false",
    "method": "GET",
    "url": "${url_of(http.request.path, http.request.query)}",
})
// returns http.sub.response.body, http.sub.response.body.error, http.sub.response.body.error-string, http.sub.response.body.fetched, http.sub.response.cookies, http.sub.response.cooklines, http.sub.response.headers, http.sub.response.host, http.sub.response.port, http.sub.response.protocol, http.sub.response.reason, http.sub.response.status, sub.response.failed, sub.response.failed.body, sub.response.failed.cookies, sub.response.failed.headers, sub.response.failed.host, sub.response.failed.port, sub.response.failed.protocol, sub.response.failed.status

1
2
3
4
5
6
7
8

# Mandatory Parameters

ip: The destination IP or hostname of the subrequest.
port: The destination port of the subrequest.
ssl: Choose if you want to use ssl. (Disabled by default)
method: The HTTP method of the subrequest.
- GET: GET
- HEAD: HEAD
- POST: POST
- PUT: PUT
- CUSTOM:
url: The URL (/path?query) of the subrequest.

# Optional Parameters

host: The HTTP header Host for the subrequest.
method-custom: The custom method to use.
headers: The HTTP headers of the subrequest.
cookies: The HTTP cookies of the subrequest.
content-type: The HTTP content-type to use.
body: The HTTP body of the subrequest.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

http.sub.response.body (StringAttribute)
http.sub.response.body.error (BooleanAttribute)
http.sub.response.body.error-string (StringAttribute)
http.sub.response.body.fetched (BooleanAttribute)
http.sub.response.cookies (TableAttribute)
http.sub.response.cooklines (TableAttribute)
http.sub.response.headers (TableAttribute)
http.sub.response.host (StringAttribute)
http.sub.response.port (StringAttribute)
http.sub.response.protocol (StringAttribute)
http.sub.response.reason (StringAttribute)
http.sub.response.status (StringAttribute)
sub.response.failed (BooleanAttribute)
sub.response.failed.body (StringAttribute)
sub.response.failed.cookies (TableAttribute)
sub.response.failed.headers (TableAttribute)
sub.response.failed.host (StringAttribute)
sub.response.failed.port (StringAttribute)
sub.response.failed.protocol (StringAttribute)
sub.response.failed.status (StringAttribute)

# Function ActionSynchronizeVariables

Set a body and a query string from the given attributes.

ActionSynchronizeVariables(Args{
    "method.action": "Dont",
    "contentType.action": "Dont",
})
// returns synchronize.variables.err_message, synchronize.variables.failure

1
2
3
4
5

# Mandatory Parameters

method.action: Leave unchanged or force a specific method.
- Dont: Don't modify
- GET: Force method to GET
- POST: Force method to POST
contentType.action: Leave unchanged, unset or modify the request Content-Type.
- Dont: Don't modify
- reset: No Content-Type
- application/x-www-form-urlencoded: application/x-www-form-urlencoded
- multipart/form-data: multipart/form-data
- multipart/related: multipart/related

# Optional Parameters

contentType.which: Where to find content-type options such as charset, boundary, start, ...
- extracted: Use Content-Type options from http.request.body.types
- current: Use Content-Type options from http.request.headers['Content-Type']
- custom: Use custom Content-Type options
- none: Dont set options
ct.options: Set options to Content-Type, such as 'charset: utf-8' or 'boundary=012345; type="application/xop+xml"; start="<0.urn:uuid:0123456@apache.org>";'

# Required Attributes

Required attributes are global variables that are needed for this function to work.

http.request.body.headers (TableAttribute)
http.request.body.types (TableAttribute)
http.request.body.vars (TableAttribute)
http.request.headers (TableAttribute)
http.request.query.vars (TableAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

synchronize.variables.err_message (StringAttribute)
synchronize.variables.failure (BooleanAttribute)

# Function ActionUserLog

Log a user message.

ActionUserLog(Args{
    "log_message": "",
    "log_level": "NOTICE",
    "expend_newline": "true",
    "log_attributes": "false",
})

1
2
3
4
5
6

# Mandatory Parameters

log_message: The message to log
log_level: The log level to use (the default level NOTICE is always logged, whatever the tunnel's level is).
- DEBUG: Debug
- NOTICE: Notice
- ERR: Error
- CRIT: Critical
- ALERT: Alert
- EMERG: Emergency
expend_newline: Replace the newline character(s) by '\n' (single line logging).
log_attributes: Log the workflow attributes after the message (for debugging purpose).

# Function ActionX509Extract

Extract values from X509 certificate. Retreived values are readable with<br/>expressions such as ${x509.certificate}["version"]. Dump all values<br/>using ${string_of("x509.certificate")}

ActionX509Extract(Args{
    "x509.value": "",
})
// returns x509.certificate, x509.success

1
2
3
4

# Mandatory Parameters

x509.value: X509 certificate parameter value name. (base64 encoded content supported)

# Optional Parameters

x509.length: X509 certificate parameter length (optional with base64 but needed in case of binary data).

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

x509.certificate (TableAttribute)
x509.success (BooleanAttribute)

← OpenAPI