# Workflow as Code Reference

# Index

# Functions list

# Data Modification

# Function ActionBodyVariableAdd

Add a body variable.

ActionBodyVariableAdd(Args{
    "key": "",
})
1
2
3

# Mandatory Parameters

  • key: The name of the variable to create

# Optional Parameters

  • value: The value to set for this variable.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.body.vars (TableAttribute)

# Function ActionBodyVariableSet

Set a body variable.

ActionBodyVariableSet(Args{
    "key": "",
    "capture": "false",
})
1
2
3
4

# Mandatory Parameters

  • key: The name of the variable to set
  • capture: Whether to capture the original value (default: No). Nothing is done if the original value doesn't exist.

# Optional Parameters

  • capture_re: The regexp to capture the original value
  • modify: Whether to modify the original value only (default: No). Nothing is done if the original value doesn't exist.
  • value: The value to set for this variable. When capture mode is enabled, this is the substitution regexp.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.body.vars (TableAttribute)

# Function ActionBodyVariableUnset

Unset a body variable.

ActionBodyVariableUnset(Args{
    "key": "",
})
1
2
3

# Mandatory Parameters

  • key: The name of the variable to delete

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.body.vars (TableAttribute)

# Function ActionCookieAdd

Add a new cookie in the cookie table.

ActionCookieAdd(Args{
    "name": "",
    "cookie-name": "",
    "cookie-secure": "false",
    "cookie-httpOnly": "false",
})
// returns ${params[name]}
1
2
3
4
5
6
7

# Mandatory Parameters

  • name: An attribute name is required (eg: http.request.cookies).
  • cookie-name: The name of the cookie (eg: PHPSESSID).
  • cookie-secure: The cookie secure flag
  • cookie-httpOnly: The cookie httpOnly flag

# Optional Parameters

  • cookie-value: The value to set for the cookie.
  • cookie-path: The cookie path
  • cookie-domain: The cookie domain
  • cookie-attributes: The custom cookie attributes(s)/flag(s) (separated by 😉

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[name]} (TableAttribute)

# Function ActionCookieSet

Set a new cookie in the cookie table.

ActionCookieSet(Args{
    "name": "",
    "cookie-name": "",
    "cookie-secure": "false",
    "cookie-httpOnly": "false",
})
// returns ${params[name]}
1
2
3
4
5
6
7

# Mandatory Parameters

  • name: An attribute name is required (eg: http.request.cookies).
  • cookie-name: The name of the cookie (eg: PHPSESSID).
  • cookie-secure: The cookie secure flag
  • cookie-httpOnly: The cookie httpOnly flag

# Optional Parameters

  • cookie-value: The value to set for the cookie.
  • cookie-path: The cookie path
  • cookie-domain: The cookie domain
  • cookie-attributes: The custom cookie attributes(s)/flag(s) (separated by 😉

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[name]} (TableAttribute)

# Function ActionCryptoSymDecrypt

Decrypt data using a symmetric key.

ActionCryptoSymDecrypt(Args{
    "decrypt.input": "",
    "decrypt.algorithm": "AES256_cbc",
    "decrypt.key": "",
})
// returns decrypt.err_message, decrypt.failure, decrypt.output
1
2
3
4
5
6

# Mandatory Parameters

  • decrypt.input: Plain text to decrypt.
  • decrypt.algorithm: Decryption algorithm used.
    • AES128_cbc: AES128 cbc
    • AES128_cfb128: AES128 cfb128
    • AES128_ofb: AES128 ofb
    • AES128_ctr: AES128 ctr
    • AES128_ccm: AES128 ccm (Authenticated)
    • AES128_gcm: AES128 gcm (Authenticated)
    • AES128_ecb: AES128 ecb (insecure, not recommended)
    • AES128_cfb1: AES128 cfb1 (insecure, not recommended)
    • AES128_cfb8: AES128 cfb8 (insecure, not recommended)
    • AES192_cbc: AES192 cbc
    • AES192_cfb128: AES192 cfb128
    • AES192_ofb: AES192 ofb
    • AES192_ctr: AES192 ctr
    • AES192_ccm: AES192 ccm (Authenticated)
    • AES192_gcm: AES192 gcm (Authenticated)
    • AES256_cbc: AES256 cbc
    • AES256_cfb128: AES256 cfb128
    • AES256_ofb: AES256 ofb
    • AES256_ctr: AES256 ctr
    • AES256_ccm: AES256 ccm (Authenticated)
    • AES256_gcm: AES256 gcm (Authenticated)
    • AES192_ecb: AES192 ecb (insecure, not recommended)
    • AES192_cfb1: AES192 cfb1 (insecure, not recommended)
    • AES192_cfb8: AES192 cfb8 (insecure, not recommended)
    • AES256_ecb: AES256 ecb (insecure, not recommended)
    • AES256_cfb1: AES256 cfb1 (insecure, not recommended)
    • AES256_cfb8: AES256 cfb8 (insecure, not recommended)
  • decrypt.key: Decryption key as a binary string. Warning: key size is constrained by algorithm type selected (128, 192 or 256 bits).

# Optional Parameters

  • decrypt.salt: Random binary string used to compute encryption. Mandatory for decryption.
  • decrypt.aad: Additional Authentication Data for encryption specified as binary string.
  • decrypt.tag: TAG (MAC) used to validate decryption.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • decrypt.err_message (StringAttribute)
  • decrypt.failure (BooleanAttribute)
  • decrypt.output (StringAttribute)

# Function ActionCryptoSymEncrypt

Encrypt data using a symmetric key.

ActionCryptoSymEncrypt(Args{
    "encrypt.input": "",
    "encrypt.algorithm": "AES256_cbc",
})
// returns encrypt.aad, encrypt.err_message, encrypt.failure, encrypt.key, encrypt.output, encrypt.salt, encrypt.tag
1
2
3
4
5

# Mandatory Parameters

  • encrypt.input: Plain text to encrypt.
  • encrypt.algorithm: Encryption algorithm used.
    • AES128_cbc: AES128 cbc
    • AES128_cfb128: AES128 cfb128
    • AES128_ofb: AES128 ofb
    • AES128_ctr: AES128 ctr
    • AES128_ccm: AES128 ccm (Authenticated)
    • AES128_gcm: AES128 gcm (Authenticated)
    • AES128_ecb: AES128 ecb (insecure, not recommended)
    • AES128_cfb1: AES128 cfb1 (insecure, not recommended)
    • AES128_cfb8: AES128 cfb8 (insecure, not recommended)
    • AES192_cbc: AES192 cbc
    • AES192_cfb128: AES192 cfb128
    • AES192_ofb: AES192 ofb
    • AES192_ctr: AES192 ctr
    • AES192_ccm: AES192 ccm (Authenticated)
    • AES192_gcm: AES192 gcm (Authenticated)
    • AES256_cbc: AES256 cbc
    • AES256_cfb128: AES256 cfb128
    • AES256_ofb: AES256 ofb
    • AES256_ctr: AES256 ctr
    • AES256_ccm: AES256 ccm (Authenticated)
    • AES256_gcm: AES256 gcm (Authenticated)
    • AES192_ecb: AES192 ecb (insecure, not recommended)
    • AES192_cfb1: AES192 cfb1 (insecure, not recommended)
    • AES192_cfb8: AES192 cfb8 (insecure, not recommended)
    • AES256_ecb: AES256 ecb (insecure, not recommended)
    • AES256_cfb1: AES256 cfb1 (insecure, not recommended)
    • AES256_cfb8: AES256 cfb8 (insecure, not recommended)

# Optional Parameters

  • encrypt.key: Encryption key as a binary string, keep blank for automatic random value computation. Warning: key size is constrained by algorithm type selected (128, 192 or 256 bits).
  • encrypt.salt: Salt/IV as binary string, keep blank for automatic random value computation. Warning: salt/IV size is constrained by algorithm type selected.
  • encrypt.aad: Additional authentication data for encryption specified as binary string.
  • encrypt.tag: Encryption TAG size (MAC).
    • 4: 4
    • 6: 6
    • 10: 10
    • 12: 12
    • 14: 14
    • 16: 16

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • encrypt.aad (StringAttribute)
  • encrypt.err_message (StringAttribute)
  • encrypt.failure (BooleanAttribute)
  • encrypt.key (StringAttribute)
  • encrypt.output (StringAttribute)
  • encrypt.salt (StringAttribute)
  • encrypt.tag (StringAttribute)

# Function ActionDigest

Compute digest from data.

ActionDigest(Args{
    "digest.input": "",
    "digest.algorithm": "SHA256",
})
// returns digest.err_message, digest.failure, digest.output
1
2
3
4
5

# Mandatory Parameters

  • digest.input: Input data on which digest needs to be computed.
  • digest.algorithm: Digest algorithm to compute.
    • SHA224: SHA224
    • SHA256: SHA256
    • SHA384: SHA384
    • SHA512: SHA512
    • WHIRLPOOL: WHIRLPOOL
    • MD4: MD4 (insecure, not recommended)
    • MD5: MD5 (insecure, not recommended)
    • RIPEMD160: RIPEMD160 (insecure, not recommended)
    • SHA1: SHA1 (insecure, not recommended)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • digest.err_message (StringAttribute)
  • digest.failure (BooleanAttribute)
  • digest.output (StringAttribute)

# Function ActionExtractExtraParameters

Extract parameters from a user-defined string.

ActionExtractExtraParameters(Args{
    "table.name": "",
    "input": "",
    "pv-pair.delimiter": "",
    "pv.delimiter": "",
    "empty.params": "false",
})
// returns ${params[table.name]}, extract.extra.parameters.err_message, extract.extra.parameters.failed
1
2
3
4
5
6
7
8

# Mandatory Parameters

  • table.name: An attribute name is required (eg: http.request.query.vars).
  • input: Input string where parameters are to be parsed.
  • pv-pair.delimiter: The separator between two <param-value> pairs.
  • pv.delimiter: The separator between a param and its value.
  • empty.params: Ignore parameters with no names

# Optional Parameters

  • start: Starting pattern. Will search for <variable-value> pairs from here.
  • end: Ending pattern. Will stop searching for <variable-value> pairs from here.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[table.name]} (TableAttribute)
  • extract.extra.parameters.err_message (StringAttribute)
  • extract.extra.parameters.failed (BooleanAttribute)

# Function ActionHostnameMapping

Replace hostnames on cookies, headers and body, in an html document.

ActionHostnameMapping(Args{
    "public.hostname": "",
    "private.hostname": "",
    "do.cookies": "false",
    "do.body": "false",
    "do.headers": "false",
})
1
2
3
4
5
6
7

# Mandatory Parameters

  • public.hostname: The public hostname, which is the replacement of the private hostname
  • private.hostname: The private hostname, which will be replaced by public hostname
  • do.cookies: Change hosts in cookies
  • do.body: Change hosts in body
  • do.headers: Change hosts in headers

# Optional Parameters

  • force.http: Works in BODY ONLY. Change hosts only when prefixed with http:// or https://
  • all.headers: Check all headers for host change
  • custom.headers: Specify a list a headers to check for host change. It must be a comma or space separated header list.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.response.body (StringAttribute)
  • http.response.cookies (TableAttribute)
  • http.response.headers (TableAttribute)

# Function ActionModifyContent

Response content modification (type text/* only).

ActionModifyContent(Args{
    "src.type": "string",
    "src": "",
    "dst": "",
})
1
2
3
4
5

# Mandatory Parameters

  • src.type: Source type: simple string or regular expression.
    • string: String
    • regex: RegularExpression
  • src: Source text to be replaced (type: string), or regular expression to change when matches (type: regex)
  • dst: Replacement text. Can contain captures from regex with \1, \2, ...

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.response.body (StringAttribute)
  • http.response.headers (TableAttribute)

# Function ActionQueryVariableAdd

Add a query variable.

ActionQueryVariableAdd(Args{
    "key": "",
})
1
2
3

# Mandatory Parameters

  • key: The name of the variable to create

# Optional Parameters

  • value: The value to set for this variable.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.query.vars (TableAttribute)

# Function ActionQueryVariableSet

Set a query variable.

ActionQueryVariableSet(Args{
    "key": "",
    "capture": "false",
})
1
2
3
4

# Mandatory Parameters

  • key: The name of the variable to set
  • capture: Whether to capture the original value (default: No). Nothing is done if the original value doesn't exist.

# Optional Parameters

  • capture_re: The regexp to capture the original value
  • modify: Whether to modify the original value only (default: No). Nothing is done if the original value doesn't exist.
  • value: The value to set for this variable. When capture mode is enabled, this is the substitution regexp.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.query.vars (TableAttribute)

# Function ActionQueryVariableUnset

Unset a query variable.

ActionQueryVariableUnset(Args{
    "key": "",
})
1
2
3

# Mandatory Parameters

  • key: The name of the variable to delete

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.query.vars (TableAttribute)

# Function ActionRequestHeaderAdd

Add a request header.

ActionRequestHeaderAdd(Args{
    "key": "",
})
1
2
3

# Mandatory Parameters

  • key: The name of the header to create

# Optional Parameters

  • value: The value to set for this header.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.headers (TableAttribute)

# Function ActionRequestHeaderSet

Set a request header.

ActionRequestHeaderSet(Args{
    "key": "",
    "capture": "false",
})
1
2
3
4

# Mandatory Parameters

  • key: The name of the header to set
  • capture: Whether to capture the original value (default: No). Nothing is done if the original value doesn't exist.

# Optional Parameters

  • capture_re: The regexp to capture the original value
  • modify: Whether to modify the original value only (default: No). Nothing is done if the original value doesn't exist.
  • value: The value to set for this header. When capture mode is enabled, this is the substitution regexp.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.headers (TableAttribute)

# Function ActionRequestHeaderUnset

Unset a request header.

ActionRequestHeaderUnset(Args{
    "key": "",
})
1
2
3

# Mandatory Parameters

  • key: The name of the header to delete

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.headers (TableAttribute)

# Function ActionResponseHeaderAdd

Add a response header.

ActionResponseHeaderAdd(Args{
    "key": "",
})
1
2
3

# Mandatory Parameters

  • key: The name of the header to create

# Optional Parameters

  • value: The value to set for this header.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.response.headers (TableAttribute)

# Function ActionResponseHeaderSet

Set a response header.

ActionResponseHeaderSet(Args{
    "key": "",
    "capture": "false",
})
1
2
3
4

# Mandatory Parameters

  • key: The name of the header to set
  • capture: Whether to capture the original value (default: No). Nothing is done if the original value doesn't exist.

# Optional Parameters

  • capture_re: The regexp to capture the original value
  • modify: Whether to modify the original value only (default: No). Nothing is done if the original value doesn't exist.
  • value: The value to set for this header. When capture mode is enabled, this is the substitution regexp.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.response.headers (TableAttribute)

# Function ActionResponseHeaderUnset

Unset a response header.

ActionResponseHeaderUnset(Args{
    "key": "",
})
1
2
3

# Mandatory Parameters

  • key: The name of the header to delete

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.response.headers (TableAttribute)

# Function ActionRewriteRule

Rewrite the URL (path[?query]) using capturing/substitution regexps.

ActionRewriteRule(Args{
    "capture_re": "^(.*)$",
    "replace_re": "\1",
    "proxy": "false",
})
1
2
3
4
5

# Mandatory Parameters

  • capture_re: The regexp to capture the original URL (path[?query]).
  • replace_re: The regexp to replace the captured URL.
  • proxy: Whether to rewrite the backend Host/IP/Port or not (default).

# Optional Parameters

  • replace_flags: The regexp flags used for replacement [perl gmixs].
  • host: The Host header sent to the backend.
  • ip: The IP/Hostname used to connect the backend.
  • port: The port used to connect the backend.
  • ssl: Whether to use SSL with the backend or not (default).

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.headers (TableAttribute)
  • http.request.path (StringAttribute)
  • http.request.query (StringAttribute)

# Function ActionSign

Sign data bloc.

ActionSign(Args{
    "sign.input": "",
    "sign.algorithm": "RSA",
    "digest.algorithm": "SHA256",
})
// returns sign.err_message, sign.failure, sign.output
1
2
3
4
5
6

# Mandatory Parameters

  • sign.input: Plain text to sign.
  • sign.algorithm: Digest algorithm used for signature.
    • RSA: RSA
    • HMAC: HMAC
    • RSA-PSS: RSA-PSS
  • digest.algorithm: Digest algorithm used for signature.
    • SHA224: SHA224
    • SHA256: SHA256
    • SHA384: SHA384
    • SHA512: SHA512
    • WHIRLPOOL: WHIRLPOOL
    • MD4: MD4 (insecure, not recommended)
    • MD5: MD5 (insecure, not recommended)
    • RIPEMD160: RIPEMD160 (insecure, not recommended)
    • SHA1: SHA1 (insecure, not recommended)

# Optional Parameters

  • keystored: Set to 'No' with HMAC to specify the passphrase here.
    • true: Yes (recommended)
    • false: No
  • passphrase: Passphrase to use for HMAC.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • sign.err_message (StringAttribute)
  • sign.failure (BooleanAttribute)
  • sign.output (StringAttribute)

# Security

# Function ActionICXSecurityEngine

Execute ICX using the specified configuration.

ActionICXSecurityEngine(Args{
    "configuration": "", // ICXConfiguration
    "decodeLOS": "0",
    "switchEmptyValue": "true",
    "bodyUsed": "64",
    "icxCacheEntryCount": "4096",
})
// returns icx.blocking.reason, icx.blocking.rules, icx.policy.name, icx.policy.uid, icx.request.blocked, icx.request.processed
1
2
3
4
5
6
7
8

# Mandatory Parameters

  • configuration: ICX Configuration (profile) to use.
  • decodeLOS: Customize LOS encoded data policy (default case do not impact those encoded data buffers).
    • 0: Disable LOS detection
    • 1: Handle LOS decoding errors as attacks
    • 2: Lazy LOS decoding
    • 3: Discard LOS values
    • 4: Ignore/truncate LOS values
  • switchEmptyValue: Whether to switch key/value pairs while evaluating a rule if key is empty (default: Yes). Nothing is done if key is not empty. In URL 'http://a.b.com/?valueIsHere' ICX engine will handle 'valueIsHere' as value and '' as the parameter name if switch is enabled.
  • bodyUsed: The body vars size (in kilobytes) beyond which the ICX Engine ignores the data (default: 64, -1 for no limit).
  • icxCacheEntryCount: Enable regular expression result caching for fast pattern matching. Specify ICX cache entry count per pattern. More the value is high more the reverse proxy will consume memory.
    • 0: Disable
    • 128: 128 entries
    • 256: 256 entries
    • 512: 512 entries
    • 1024: 1K entries
    • 2048: 2K entries
    • 4096: 4K entries
    • 8192: 8K entries
    • 16384: 16K entries
    • 65536: 64K entries
    • 262144: 256K entries
    • 1048576: 1M entries

# Optional Parameters

  • xml.doc.attr: XML document attribute to read. (optional)
  • icxCacheMinSize: Minimum size of values cached. Use that parameter to avoid cache poisoning with insignificant values that should not be cached as far as short value matching is fast enough.
    • 1: 1 byte
    • 4: 4 bytes
    • 8: 8 bytes
    • 16: 16 bytes
    • 32: 32 bytes
    • 64: 64 bytes
    • 128: 128 bytes
    • 256: 256 bytes
    • 512: 512 bytes
  • icxCacheMaxSize: Maximum size of values cached. Use that parameter to avoid cache poisoning with insignificant values that should not be cached as far as long value matching reuse from cache is poor.
    • 128: 128 bytes
    • 256: 256 bytes
    • 512: 512 bytes
    • 1024: 1K bytes
    • 2048: 2K bytes
    • 4096: 4K bytes
    • 8192: 8K bytes
    • 16384: 16K bytes
    • 32768: 32K bytes
    • 65536: 64K bytes
    • 131072: 128K bytes
  • icxCacheTimeMin: Cache values only when computation time when long. If matching is too fast caching is avoid. Time given in nano seconds.
    • 0: Always
    • 1: 1 ns
    • 4: 4 ns
    • 16: 16 ns
    • 64: 64 ns
    • 256: 256 ns
    • 1024: 1024 ns
    • 10000: 10 ms
    • 100000: 100 ms
    • 500000: 500 ms
    • 1000000: 1 s

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.body.vars (TableAttribute)
  • http.request.cookies (TableAttribute)
  • http.request.headers (TableAttribute)
  • http.request.host (StringAttribute)
  • http.request.ip-dst (StringAttribute)
  • http.request.ip-src (StringAttribute)
  • http.request.method (StringAttribute)
  • http.request.path (StringAttribute)
  • http.request.port-dst (StringAttribute)
  • http.request.protocol (StringAttribute)
  • http.request.query (StringAttribute)
  • http.request.query.vars (TableAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • icx.blocking.reason (StringAttribute)
  • icx.blocking.rules (TableAttribute)
  • icx.policy.name (StringAttribute)
  • icx.policy.uid (StringAttribute)
  • icx.request.blocked (BooleanAttribute)
  • icx.request.processed (BooleanAttribute)

# Function ActionLibinjectionSqli

Advanced engine checking request parts against SQL Injection.

ActionLibinjectionSqli(Args{
    "canon_attr": "",
    "path": "false",
    "headers": "true",
    "cookies": "true",
    "getvars": "true",
    "postvars": "true",
})
// returns sqli.hits, sqli.request.blocked
1
2
3
4
5
6
7
8
9

# Mandatory Parameters

  • canon_attr: The normalization attribute to use.
  • path: Verify the request path.
  • headers: Verify the request headers.
  • cookies: Verify the request cookies.
  • getvars: Verify the request get parameters.
  • postvars: Verify the request post parameters.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • sqli.hits (StringAttribute)
  • sqli.request.blocked (BooleanAttribute)

# Function ActionCmdiSec

Advanced engine checking request parts against Command Injections.

ActionCmdiSec(Args{
    "canon_attr": "",
    "path": "false",
    "headers": "true",
    "cookies": "true",
    "getvars": "true",
    "postvars": "true",
    "windows": "true",
    "unix": "true",
    "backdoor_mode": "true",
})
// returns cmdi.request.blocked
1
2
3
4
5
6
7
8
9
10
11
12

# Mandatory Parameters

  • canon_attr: The normalization attribute to use.
  • path: Verify the request path.
  • headers: Verify the request headers.
  • cookies: Verify the request cookies.
  • getvars: Verify the request get parameters.
  • postvars: Verify the request post parameters.
  • windows: Enable windows commands matching
  • unix: Enable Unix commands matching
  • backdoor_mode: Enable webshell mode: do not look for escaping characters before a command

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • cmdi.request.blocked (BooleanAttribute)

# Function ActionHTMLSec

Advanced engine checking request parts against Html injections (XSS).

ActionHTMLSec(Args{
    "canon_attr": "",
    "block_script_events": "true",
    "block_html4_tags": "true",
    "block_html5_tags": "true",
    "path": "false",
    "headers": "true",
    "cookies": "true",
    "getvars": "true",
    "postvars": "true",
})
// returns xss.request.blocked
1
2
3
4
5
6
7
8
9
10
11
12

# Mandatory Parameters

  • canon_attr: The normalization attribute to use.
  • block_script_events: Block Script events ( 'onMouseOver', 'onClick'...)
  • block_html4_tags: Block certain HTML4 tags known as potential threats.
  • block_html5_tags: Block certain HTML5 tags known as potential threats.
  • path: Verify the request path.
  • headers: Verify the request headers.
  • cookies: Verify the request cookies.
  • getvars: Verify the request get parameters.
  • postvars: Verify the request post parameters.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • xss.request.blocked (BooleanAttribute)

# Function ActionPathSec

Advanced engine checking request parts against Path traversal.

ActionPathSec(Args{
    "canon_attr": "",
    "path": "true",
    "headers": "false",
    "cookies": "false",
    "getvars": "false",
    "postvars": "false",
})
// returns patht.request.blocked
1
2
3
4
5
6
7
8
9

# Mandatory Parameters

  • canon_attr: The normalization attribute to use.
  • path: Verify the request path.
  • headers: Verify the request headers.
  • cookies: Verify the request cookies.
  • getvars: Verify the request get parameters.
  • postvars: Verify the request post parameters.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • patht.request.blocked (BooleanAttribute)

# Function ActionCookieCiphering

Cookie Ciphering.

ActionCookieCiphering(Args{
    "cookie-accept": ".*",
})
// returns http.cookie-ciphering.undecipherable, http.cookie-ciphering.undecipherable-cookies
1
2
3
4

# Mandatory Parameters

  • cookie-accept: A regexp to select cookies to handle.

# Optional Parameters

  • cookie-reject: A regexp to select the cookies to ignore (session cookies, ie. BWFSESSIDs, are always ignored, no need to filter them here).

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.cookies (TableAttribute)
  • http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • http.cookie-ciphering.undecipherable (BooleanAttribute)
  • http.cookie-ciphering.undecipherable-cookies (TableAttribute)

# Function ActionCustomSecurityEvent

Create a custom security alert in security events table.

ActionCustomSecurityEvent(Args{
    "part": "Select",
    "severity": "Notice",
    "reason": "",
    "riskLevel": "",
    "attackFamily": "Select",
    "customMessage": "",
})
1
2
3
4
5
6
7
8

# Mandatory Parameters

  • part: Part request where the event has been detected.
    • No Part: No Part
    • SrcIP: SrcIP
    • DstIP: DstIP
    • DstPort: DstPort
    • Method: Method
    • Protocol: Protocol
    • Hostname: Hostname
    • Path: Path
    • Query: Query
    • Header: Header
    • Cookie: Cookie
    • Var_GET: Var_GET
    • Var_POST: Var_POST
    • Var_XML: Var_XML
    • Var_TOKEN: Var_TOKEN
    • URI: URI
    • Multiple: Multiple
  • severity: Severity of the event.
    • 0: Emergency
    • 1: Alert
    • 2: Critical
    • 3: Error
    • 4: Warning
    • 5: Notice
    • 6: Informational
    • 7: Debugging
  • reason: Reason of the Event
  • riskLevel: Risk level of the event (0 to 10).
  • attackFamily: Attack family of the event.
    • No Attack Family: No Attack Family
    • Command Injection: Command Injection
    • Cross-Site Scripting (XSS): Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF): Cross-Site Request Forgery (CSRF)
    • SQL Injection: SQL Injection
    • Other Injection: Other Injection
    • Path Traversal: Path Traversal
    • File Inclusion: File Inclusion
    • Parser Evasion: Parser Evasion
    • Buffer Overflow: Buffer Overflow
    • Denial of Service: Denial of Service
    • Security Misconfiguration: Security Misconfiguration
    • Open Redirect: Open Redirect
    • Scanner: Scanner
    • XML Security: XML Security
    • JSON Security: JSON Security
    • Other: Other
    • Bots and Web Scraping: Bots and Web Scraping
  • customMessage: The message to log. 512 characters maximum. If an attribute is specified in the message, it will be truncated after 512 characters

# Optional Parameters

  • cwe: CWE number of the event

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.security.events (SecurityEventsAttribute)

# Function ActionLogSecurity

Send security alert(s) in database.

ActionLogSecurity(Args{
    "logType": "security",
    "truncate": "16384",
    "sendLog": "true",
})
// returns log.failed, log.message, log.sent, log.uid
1
2
3
4
5
6

# Mandatory Parameters

  • logType: Choose a log type
    • security: Security
    • botMitigation: Bot Mitigation
  • truncate: Size (in bytes) above which request fields (e.g. body, header values) are truncated (default: 16384, minimum 128).
  • sendLog: Choose no if you only want the log message to be set in provided attribute log.message

# Optional Parameters

  • engineUid: Send alerts thrown by the configured security engine. By default, all alerts (from all engines) will be logged. 'Custom' allows to log a custom message.
    • allEngines:
    • icxEngine: ICX Engine
    • normalizationEngine: Normalization Engine
    • blacklistEngine: Blacklist Engine
    • scoringlistEngine: Scoringlist Engine
    • sqliEngine: Adv. Detection Engine - SQLi
    • pathtEngine: Adv. Detection Engine - Path Traversal
    • xssEngine: Adv. Detection Engine - XSS
    • cmdiEngine: Adv. Detection Engine - CMDi
    • cookieCiphering: Cookie Ciphering
    • cookieVirtualization: Cookie Virtualization
    • cookieTracking: Cookie Tracking
    • xmlParsing: XML Parsing
    • xmlSchemaValidation: XML Schema Validation
    • jsonSchemaValidation: JSON Schema Validation
    • sitemapValidation: Sitemap Validation
    • custom: Custom
    • ipReputation: IP Reputation
  • tags: Tags to group your security alerts. This field accepts maximum of 16 alpha numeric + '' tags separated by spaces (32 characters maximum). This field can contain workflow expression evaluated at runtime. Notice that, when using workflow expression, values containing characters other than alphanumeric or '' are removed before sending to database.
  • customMessage: The message to log, 512 characters maximum. If an attribute is specified in the message, it will be truncated after 512 characters.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • appliance.name (String)
  • appliance.uid (String)
  • backend.host (String)
  • backend.port (String)
  • http.request.body (String)
  • http.request.cooklines (Table)
  • http.request.headers (Table)
  • http.request.host (String)
  • http.request.ip-dst (String)
  • http.request.ip-src (String)
  • http.request.method (String)
  • http.request.path (String)
  • http.request.port-dst (String)
  • http.request.protocol (String)
  • http.request.query (String)
  • http.request.security.events (SecurityEventsAttribute)
  • http.request.uid (String)
  • rproxy.name (String)
  • rproxy.uid (String)
  • tunnel.name (String)
  • tunnel.uid (String)
  • workflow.name (String)
  • workflow.uid (String)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • log.failed (BooleanAttribute)
  • log.message (StringAttribute)
  • log.sent (BooleanAttribute)
  • log.uid (StringAttribute)

# Function ActionSecurityEvent

Create a custom security alert in security events table.

ActionSecurityEvent(Args{
    "part": "Select",
    "severity": "Notice",
    "reason": "",
})
1
2
3
4
5

# Mandatory Parameters

  • part: Part request where the event has been detected.
    • No Part: No Part
    • SrcIP: SrcIP
    • DstIP: DstIP
    • DstPort: DstPort
    • Method: Method
    • Protocol: Protocol
    • Hostname: Hostname
    • Path: Path
    • Query: Query
    • Header: Header
    • Cookie: Cookie
    • Var_GET: Var_GET
    • Var_POST: Var_POST
    • Var_XML: Var_XML
    • Var_TOKEN: Var_TOKEN
    • URI: URI
    • Multiple: Multiple
  • severity: Severity of the event.
    • 0: Emergency
    • 1: Alert
    • 2: Critical
    • 3: Error
    • 4: Warning
    • 5: Notice
    • 6: Informational
    • 7: Debugging
  • reason: Reason of the Event

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.security.events (SecurityEventsAttribute)

# Function ActionSecurityExceptionManagement

Manage security exceptions using the specified configuration.

ActionSecurityExceptionManagement(Args{
    "configuration": "", // SecurityExceptionConfiguration
})
// returns security.exception.blocked, security.exception.events
1
2
3
4

# Mandatory Parameters

  • configuration: Security Exception Configuration (profile) to use.

# Optional Parameters

  • xml.doc.attr: XML document attribute to read. (optional)
  • decodeLOS: Customize LOS encoded data policy (default case do not impact those encoded data buffers).
    • 0: Disable LOS detection
    • 1: Handle LOS decoding errors as attacks
    • 2: Lazy LOS decoding
    • 3: Discard LOS values
    • 4: Ignore/truncate LOS values
  • switchEmptyValue: Whether to switch key/value pairs while evaluating a rule if key is empty (default: Yes). Nothing is done if key is not empty. In URL 'http://a.b.com/?valueIsHere' ICX engine will handle 'valueIsHere' as value and '' as the parameter name if switch is enabled.
  • bodyUsed: The body vars size (in kilobytes) beyond which the ICX Engine ignores the data (default: 64, -1 for no limit).
  • icxCacheEntryCount: Enable regular expression result caching for fast pattern matching. Specify ICX cache entry count per pattern. More the value is high more the reverse proxy will consume memory.
    • 0: Disable
    • 128: 128 entries
    • 256: 256 entries
    • 512: 512 entries
    • 1024: 1K entries
    • 2048: 2K entries
    • 4096: 4K entries
    • 8192: 8K entries
    • 16384: 16K entries
    • 65536: 64K entries
    • 262144: 256K entries
    • 1048576: 1M entries
  • icxCacheMinSize: Minimum size of values cached. Use that parameter to avoid cache poisoning with insignificant values that should not be cached as far as short value matching is fast enough.
    • 1: 1 byte
    • 4: 4 bytes
    • 8: 8 bytes
    • 16: 16 bytes
    • 32: 32 bytes
    • 64: 64 bytes
    • 128: 128 bytes
    • 256: 256 bytes
    • 512: 512 bytes
  • icxCacheMaxSize: Maximum size of values cached. Use that parameter to avoid cache poisoning with insignificant values that should not be cached as far as long value matching reuse from cache is poor.
    • 128: 128 bytes
    • 256: 256 bytes
    • 512: 512 bytes
    • 1024: 1K bytes
    • 2048: 2K bytes
    • 4096: 4K bytes
    • 8192: 8K bytes
    • 16384: 16K bytes
    • 32768: 32K bytes
    • 65536: 64K bytes
    • 131072: 128K bytes
  • icxCacheTimeMin: Cache values only when computation time when long. If matching is too fast caching is avoid. Time given in nano seconds.
    • 0: Always
    • 1: 1 ns
    • 4: 4 ns
    • 16: 16 ns
    • 64: 64 ns
    • 256: 256 ns
    • 1024: 1024 ns
    • 10000: 10 ms
    • 100000: 100 ms
    • 500000: 500 ms
    • 1000000: 1 s
  • analyse: Whether to keep engine analysis for alerting.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.body.vars (TableAttribute)
  • http.request.cookies (TableAttribute)
  • http.request.headers (TableAttribute)
  • http.request.host (StringAttribute)
  • http.request.ip-dst (StringAttribute)
  • http.request.ip-src (StringAttribute)
  • http.request.method (StringAttribute)
  • http.request.path (StringAttribute)
  • http.request.port-dst (StringAttribute)
  • http.request.protocol (StringAttribute)
  • http.request.query (StringAttribute)
  • http.request.query.vars (TableAttribute)
  • http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • security.exception.blocked (BooleanAttribute)
  • security.exception.events (SecurityEventsAttribute)

# Function ActionSitemapValidation

Validate a request with a given sitemap.

ActionSitemapValidation(Args{
    "sitemap": "", // OpenAPI
})
// returns sitemap.blocked
1
2
3
4

# Mandatory Parameters

  • sitemap: The sitemap this action will use.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.body (StringAttribute)
  • http.request.body.vars (TableAttribute)
  • http.request.headers (TableAttribute)
  • http.request.method (StringAttribute)
  • http.request.path (StringAttribute)
  • http.request.query.vars (TableAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • sitemap.blocked (BooleanAttribute)

# Response

# Function ActionGenerateResponse

Generate the response.

ActionGenerateResponse(Args{
    "status": "200",
    "http-1.0": "false",
})
// returns http.response.body, http.response.body.error, http.response.body.error-string, http.response.body.fetched, http.response.cookies, http.response.cooklines, http.response.headers, http.response.host, http.response.port, http.response.protocol, http.response.reason, http.response.status, static.response.failed, static.response.failed.body, static.response.failed.headers, static.response.failed.protocol, static.response.failed.status
1
2
3
4
5

# Mandatory Parameters

  • status: The response status.
  • http-1.0: Downgrade the response to HTTP version 1.0 (if not already).

# Optional Parameters

  • content-default: Use the content associated with the status instead of the one below (not applicable with 200 status where the content is mandatory).
  • use-static-content: Serve a static content.
  • static-content-expr: Static Content Path to use (can be an expression, must start with a /)
  • static-content-fetching: Whether (or not) to fetch the response body now (and possibly store big ones on disk) for further usage in the workflow. [Auto]matic fetching mode won't fetch the body unless (and when) it is used explicitly later in the workflow. [Now] fetching mode can be usefull when further body usage cannot be detected at runtime (eval()uated expression...).
    • AUTO: Auto
    • ALWAYS: Now
    • NEVER: Never
  • static-content-err-status: Status to use when no static content is found for the request.
  • content-type: The content type to serve.
  • content: The content to serve (can be empty).

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • http.response.body (StringAttribute)
  • http.response.body.error (BooleanAttribute)
  • http.response.body.error-string (StringAttribute)
  • http.response.body.fetched (BooleanAttribute)
  • http.response.cookies (TableAttribute)
  • http.response.cooklines (TableAttribute)
  • http.response.headers (TableAttribute)
  • http.response.host (StringAttribute)
  • http.response.port (StringAttribute)
  • http.response.protocol (StringAttribute)
  • http.response.reason (StringAttribute)
  • http.response.status (StringAttribute)
  • static.response.failed (BooleanAttribute)
  • static.response.failed.body (StringAttribute)
  • static.response.failed.headers (TableAttribute)
  • static.response.failed.protocol (StringAttribute)
  • static.response.failed.status (StringAttribute)

# Function ActionProxyRequest

Proxy the request to the backend server.

ActionProxyRequest(Args{
    "ntlm": "false",
    "upgrade": "false",
    "body.fetching": "AUTO",
})
// returns http.response.body, http.response.body.error, http.response.body.error-string, http.response.body.fetched, http.response.cookies, http.response.cooklines, http.response.headers, http.response.host, http.response.port, http.response.protocol, http.response.reason, http.response.status, proxy.response.failed, proxy.response.failed.body, proxy.response.failed.headers, proxy.response.failed.host, proxy.response.failed.port, proxy.response.failed.protocol, proxy.response.failed.status
1
2
3
4
5
6

# Mandatory Parameters

  • ntlm: Whether to use the NTLM authentication, or not (default).
  • upgrade: Whether or not (default) to forward Upgrade (e.g. Websocket) requests from the client to the backend, for the latter to be able to switch the protocol (its choice). If/when that happens, since the new protocol lasts until one end closes the connection, this node can't return with an HTTP response and thus the workflow will be aborted (the following nodes will be bypassed).
  • body.fetching: Whether (or not) to fetch the response body now (and possibly store big ones on disk) for further usage in the workflow. [Auto]matic fetching mode won't fetch the body unless (and when) it is used explicitly later in the workflow. [Now] fetching mode can be usefull when further body usage cannot be detected at runtime (eval()uated expression...).
    • AUTO: Auto
    • ALWAYS: Now
    • NEVER: Never

# Optional Parameters

  • forward: Whether to forward the NTLM authentication supplied by the client, or not (default).
  • version: The NTLM version supplied by the proxy (default: NTLMv1).
    • V2: NTLMv2
    • 2S: NTLM2s
    • V1: NTLMv1
    • L2: LMv2
    • LM: LMv1
  • login: The NTLM login supplied by the proxy
  • password: The NTLM password supplied by the proxy
  • domain: The NTLM domain supplied by the proxy
  • workstation: The NTLM workstation supplied by the proxy
  • negotiateAlwaysSign: Whether to set the Negotiate Always Sign flag in the NTLM request, or not (default).
  • bind: Whether to bind the backend's connection to the client's one (default), or not.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.body (StringAttribute)
  • http.request.headers (TableAttribute)
  • http.request.hostname (StringAttribute)
  • http.request.ip-dst (StringAttribute)
  • http.request.method (StringAttribute)
  • http.request.path (StringAttribute)
  • http.request.port-dst (StringAttribute)
  • http.request.protocol (StringAttribute)
  • http.request.query (StringAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • http.response.body (StringAttribute)
  • http.response.body.error (BooleanAttribute)
  • http.response.body.error-string (StringAttribute)
  • http.response.body.fetched (BooleanAttribute)
  • http.response.cookies (TableAttribute)
  • http.response.cooklines (TableAttribute)
  • http.response.headers (TableAttribute)
  • http.response.host (StringAttribute)
  • http.response.port (StringAttribute)
  • http.response.protocol (StringAttribute)
  • http.response.reason (StringAttribute)
  • http.response.status (StringAttribute)
  • proxy.response.failed (BooleanAttribute)
  • proxy.response.failed.body (StringAttribute)
  • proxy.response.failed.headers (TableAttribute)
  • proxy.response.failed.host (StringAttribute)
  • proxy.response.failed.port (StringAttribute)
  • proxy.response.failed.protocol (StringAttribute)
  • proxy.response.failed.status (StringAttribute)

# Function ActionSoapFaultResponse

Generate a soap-fault response.

ActionSoapFaultResponse(Args{
    "http-1.0": "false",
    "status": "500",
    "fault.code": "soap:Server",
})
// returns http.response.body, http.response.body.error, http.response.body.error-string, http.response.body.fetched, http.response.cookies, http.response.cooklines, http.response.headers, http.response.host, http.response.port, http.response.protocol, http.response.reason, http.response.status
1
2
3
4
5
6

# Mandatory Parameters

  • http-1.0: Use a HTTP version 1.0 response instead of 1.1.
  • status: The response status.
  • fault.code: The Soap Message to send

# Optional Parameters

  • fault.string: The Soap Message to send

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • http.response.body (StringAttribute)
  • http.response.body.error (BooleanAttribute)
  • http.response.body.error-string (StringAttribute)
  • http.response.body.fetched (BooleanAttribute)
  • http.response.cookies (TableAttribute)
  • http.response.cooklines (TableAttribute)
  • http.response.headers (TableAttribute)
  • http.response.host (StringAttribute)
  • http.response.port (StringAttribute)
  • http.response.protocol (StringAttribute)
  • http.response.reason (StringAttribute)
  • http.response.status (StringAttribute)

# API security

# Function ActionJSONAttributeGet

Extract a JSON attribute entry.

ActionJSONAttributeGet(Args{
    "jsonattr": "",
    "name": "",
})
// returns ${params[name]}, json.err_message, json.failure
1
2
3
4
5

# Mandatory Parameters

  • jsonattr: A input JSON attribute name is required.
  • name: A output JSON attribute name is required.

# Optional Parameters

  • jsonPointer: The JSON Pointer to filter the key to get (see RFC 6901).

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[name]} (JsonAttribute)
  • json.err_message (StringAttribute)
  • json.failure (BooleanAttribute)

# Function ActionJSONAttributeSet

Set a JSON attribute entry.

ActionJSONAttributeSet(Args{
    "name": "",
    "value.type": "",
})
// returns ${params[name]}, json.err_message, json.failure
1
2
3
4
5

# Mandatory Parameters

  • name: A JSON attribute name is required.
  • value.type:
    • null: Null
    • bool: Boolean
    • int: Number (Int)
    • double: Number (double)
    • str: String
    • jsonstr: JSON
    • jsonattr: JSON Attribute

# Optional Parameters

  • jsonPointer: The JSON Pointer to filter the key to set (see RFC 6901).
  • value.bool:
    • true: true
    • false: false
  • value.int: An integer is required.
  • value.double: A float is required.
  • value.str: The string value to set or a reference to the entire attribute to set (with key "${}").
  • value.jsonstr: The JSON to set or a reference to the entire attribute to set (with key "${}").
  • value.jsonattr: A JSON attribute is required.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[name]} (JsonAttribute)
  • json.err_message (StringAttribute)
  • json.failure (BooleanAttribute)

# Function ActionJSONAttributeUnset

Unset a JSON attribute entry.

ActionJSONAttributeUnset(Args{
    "name": "",
    "jsonPointer": "",
})
// returns json.err_message, json.failure
1
2
3
4
5

# Mandatory Parameters

  • name: A JSON attribute name is required.
  • jsonPointer: The JSON Pointer to reference key to unset (see RFC 6901).

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • json.err_message (StringAttribute)
  • json.failure (BooleanAttribute)

# Function ActionJSONToTable

Parse JSON data and fill a table from its content.

ActionJSONToTable(Args{
    "out.table": "",
    "input": "",
    "separator": "/",
})
// returns ${params[out.table]}, json.to.table.err_message, json.to.table.failure
1
2
3
4
5
6

# Mandatory Parameters

  • out.table: The name of the table to create or complete.
  • input: Enter the JSON data to parse
  • separator: Sets the separator between elements

# Optional Parameters

  • null: Choose a value to set in the table when a null attribute is found
  • count.arrays: Set to yes if you want array names to be suffixed by the index. The separator will be ':'

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[out.table]} (TableAttribute)
  • json.to.table.err_message (StringAttribute)
  • json.to.table.failure (BooleanAttribute)

# Function ActionJWTGenerate

Generate a JSON Web Token.

ActionJWTGenerate(Args{
    "json.payload": "",
    "jwt.name": "",
    "jwt.sign.algorithm": "HS256",
})
// returns ${params[jwt.name]}, jwt.generate.err_message, jwt.generate.failure
1
2
3
4
5
6

# Mandatory Parameters

  • json.payload: The JSON payload to use.
  • jwt.name: The attribute name of the generated JWT
  • jwt.sign.algorithm: Algorithm used for signature.
    • HS256: HS256 (HMAC using SHA-256)
    • HS384: HS384 (HMAC using SHA-384)
    • HS512: HS512 (HMAC using SHA-512)
    • RS256: RS256 (RSASSA-PKCS1-v1_5 using SHA-256)
    • RS384: RS384 (RSASSA-PKCS1-v1_5 using SHA-384)
    • RS512: RS512 (RSASSA-PKCS1-v1_5 using SHA-512)
    • PS256: PS256 (RSASSA-PSS using and MGF1 with SHA-256)
    • PS384: PS384 (RSASSA-PSS using and MGF1 with SHA-384)
    • PS512: PS512 (RSASSA-PSS using and MGF1 with SHA-512)
    • NONE: None (insecure, not recommended)

# Optional Parameters

  • jwt.regclaim.iss: Issuer. Override existing "Issuer" claims in json payload.
  • jwt.regclaim.sub: Subject. Override existing "Subject" claims in json payload.
  • jwt.regclaim.aud: Audience(s).Audience can be a string if one audience or an array if one or more audience. Override existing "Audience(s)" claims in json payload.
  • jwt.regclaim.exp: Expiration Time (timestamp in second). ex: ${calc(calc(time(), '/', '1000000'), '+', '120')}. Override existing "" claims in json payload.
  • jwt.regclaim.nbf: Not Before (timestamp in second). ex: ${calc(calc(time(), '/', '1000000'), '-', '60')}. Override existing "Not Before" claims in json payload.
  • jwt.regclaim.iat: Issued At (timestamp in second). ex: ${calc(time(), '/', '1000000')}. Override existing "" claims At in json payload.
  • jwt.regclaim.jti: JWT ID. Override existing "JWT ID" claims in json payload.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[jwt.name]} (StringAttribute)
  • jwt.generate.err_message (StringAttribute)
  • jwt.generate.failure (BooleanAttribute)

# Function ActionJWTParsing

Parse a JSON Web Token to extract a JSON payload and a JSON header.

ActionJWTParsing(Args{
    "jwt": "",
    "prefix": "json.parsing",
    "jwt.sign.algorithm": "AUTODETECT",
})
// returns ${params[prefix]}.header, ${params[prefix]}.payload, jwt.parsing.err_message, jwt.parsing.failure, jwt.parsing.signature.err_message, jwt.parsing.signature.failure
1
2
3
4
5
6

# Mandatory Parameters

  • jwt: The value of the token to extract. The string value to set or a reference to the entire attribute to set (with key "${}"). Example: ${http.request.query.vars["jwt"]}
  • prefix: Specifies the prefix for the JSON provided attributes <prefix>.payload|header
  • jwt.sign.algorithm: Algorithm used for signature.
    • AUTODETECT: Auto detect (use algorithm specified in claim)
    • HS256: HS256 (HMAC using SHA-256)
    • HS384: HS384 (HMAC using SHA-384)
    • HS512: HS512 (HMAC using SHA-512)
    • RS256: RS256 (RSASSA-PKCS1-v1_5 using SHA-256)
    • RS384: RS384 (RSASSA-PKCS1-v1_5 using SHA-384)
    • RS512: RS512 (RSASSA-PKCS1-v1_5 using SHA-512)
    • PS256: PS256 (RSASSA-PSS using and MGF1 with SHA-256)
    • PS384: PS384 (RSASSA-PSS using and MGF1 with SHA-384)
    • PS512: PS512 (RSASSA-PSS using and MGF1 with SHA-512)
    • NONE: None (insecure, not recommended)

# Optional Parameters

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[prefix]}.header (JsonAttribute)
  • ${params[prefix]}.payload (JsonAttribute)
  • jwt.parsing.err_message (StringAttribute)
  • jwt.parsing.failure (BooleanAttribute)
  • jwt.parsing.signature.err_message (StringAttribute)
  • jwt.parsing.signature.failure (BooleanAttribute)

# Function ActionXMLGet

Get the table of an XPath expression result.

ActionXMLGet(Args{
    "xml.doc": "xml.parsing.doc",
    "xml.path": "",
    "prefix": "xml.get",
})
// returns ${params[prefix]}.error, ${params[prefix]}.failed, ${params[prefix]}.table
1
2
3
4
5
6

# Mandatory Parameters

  • xml.doc: Specifies an attribute containing the xml document
  • xml.path: The path expressions to navigate in xml documents
  • prefix: Specifies the prefix for the provided attributes <prefix>.table|failed|error

# Optional Parameters

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[prefix]}.error (StringAttribute)
  • ${params[prefix]}.failed (BooleanAttribute)
  • ${params[prefix]}.table (TableAttribute)

# Function ActionXMLModify

Modify an XML Document.

ActionXMLModify(Args{
    "xml.doc": "",
    "xml.xpath": "",
    "action": "Action",
})
// returns xml.modify.err_message, xml.modify.failure, xml.modify.nb_nodes
1
2
3
4
5
6

# Mandatory Parameters

  • xml.doc: Specifies an attribute containing the xml document
  • xml.xpath: The xpath expressions selecting nodes to modify
  • action: Action to do. Note that 'Add' action will only work on element nodes. Attributes and contents will be silently ignored.
    • Add: Add
    • Modify: Modify
    • Delete: Delete

# Optional Parameters

  • filter: Filter node types
    • Node: Select only XML Element nodes
    • Attribute: Select only XML Attribute nodes
    • Text: Select only XML Content nodes
  • what: What to add
    • Content/Attributes: Content and/or Attributes
    • NewNode: New Node
    • ImportXML: Import from a workflow XML Attribute
    • ImportTxt: Import from a text xml
  • add.txt_or_attr.attr: Add attributes to node
  • add.txt_or_attr.txt: Add Content to node
  • add.newnode.name: Name of the new node to add
  • add.newnode.ns: Namespace of the new node to add
  • add.newnode.nsurl: URL of namespace of the new node to add.
  • add.newnode.attr: Attributes of the new node to add
  • add.newnode.text: Content of the new node to add
  • add.importXML.xml: Source document to import
  • add.importXML.xpath: XPath to select nodes to import
  • add.importTxt.xml: XML Text to parse and import
  • add.importTxt.skip_root: Skip root and just import all of its children
  • add.where: Where to add
    • Before: Before current
    • After: After current
    • Child: as Child of current
  • mod.node.replaceby: Replace By
    • ImportXML: Import from XML Attribute
    • ImportTxt: Import from a text xml
    • Simple: Simple replace
  • mod.node.importXML: Source XML which will replace current node
  • mod.node.importXPath: This XPath will select nodes on Source XML which will replace current node.
  • mod.node.importTxt: XML Text to parse, it will replace current node
  • mod.node.skip_root: Skip root and just import all of its children
  • mod.node.name: New name of node.
  • mod.node.ns: New name space of node.
  • mod.node.nsurl: New URL name space of node.
  • mod.node.attr: Attributes update for current node
  • mod.node.attr.attr_fullReplace: Remove all old attributes and insert new attributes (Yes), or just add or modify current attributes with new ones
  • mod.node.text: New content
  • mod.attr.name: Modify attribute name
  • mod.attr.text: Modify attribute value
  • mod.text.text: Modify content

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • xml.modify.err_message (StringAttribute)
  • xml.modify.failure (BooleanAttribute)
  • xml.modify.nb_nodes (StringAttribute)

# Function ActionXMLParsing

Analyze an XML message and check that it conforms to the standard and other criteria such as size, message depth, etc.

ActionXMLParsing(Args{
    "prefix": "xml.parsing",
    "source": "Attr",
    "size_max": "0",
    "nested_max": "30",
    "allow_internal_entities": "true",
    "allow_external_entities": "false",
})
// returns ${params[prefix]}.doc, ${params[prefix]}.error, ${params[prefix]}.failed
1
2
3
4
5
6
7
8
9

# Mandatory Parameters

  • prefix: Specifies the prefix of the provided attributes <prefix>.doc|failed|error
  • source: Choose to parse either from an attribute, or a plain text
    • Attr: Attribute
    • HardCoded: Text
  • size_max: Specifies the maximum size for the XML document in bytes (0 for unlimited)
  • nested_max: Specifies the maximum number of nested elements allowed (0 for unlimited, default is 30)
  • allow_internal_entities: Choose if you want to allow internal entity declarations (Allowed by default)
  • allow_external_entities: Choose if you want to allow external entity declarations. (Denied by default)

# Optional Parameters

  • name: Specifies an attribute containing the XML text to parse.
  • xml: Plain XML text to parse.

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.security.events (SecurityEventsAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[prefix]}.doc (XmlDocAttribute)
  • ${params[prefix]}.error (StringAttribute)
  • ${params[prefix]}.failed (BooleanAttribute)

# Function ActionXMLSign

Sign an XML Document.

ActionXMLSign(Args{
    "xmldoc": "",
    "sign.algorithm": "RSA_SHA256",
    "digest.algorithm": "SHA256",
    "add_transform.method": "NONE",
    "canon.method": "EXCL",
    "keep_empty_uri": "false",
    "whole.document": "false",
})
// returns xml.sign.err_message, xml.sign.failure, xml.sign.nb_nodes
1
2
3
4
5
6
7
8
9
10

# Mandatory Parameters

  • xmldoc: Specifies an attribute containing the xml document
  • sign.algorithm: The algorithm used to sign the XML message.
    • RSA_SHA256: RSA-SHA256
    • RSA_SHA512: RSA-SHA512
    • RSA_RIPEMD160: RSA-RipeMD160
    • HMAC_SHA256: HMAC-SHA256
    • HMAC_SHA512: HMAC-SHA512
    • HMAC_RIPEMD160: HMAC-RipeMD160
    • RSA_SHA1: RSA-SHA1 (insecure, not recommended)
    • RSA_MD5: RSA-MD5 (insecure, not recommended)
    • DSA_SHA1: DSA-SHA1 (insecure, not recommended)
    • HMAC_SHA1: HMAC-SHA1 (insecure, not recommended)
    • HMAC_MD5: HMAC-MD5 (insecure, not recommended)
  • digest.algorithm: The algorithm used to generate XML message digest.
    • SHA256: SHA256
    • SHA512: SHA512
    • MD5: MD5 (insecure, not recommended)
    • SHA1: SHA1 (insecure, not recommended)
    • RIPEMD160: RipeMD160 (insecure, not recommended)
  • add_transform.method: The additionnal transform method used.
    • NONE:
    • EXCL_W_COMMENT: Exclusive C14N with comments
    • EXCL: Exclusive C14N without comments
  • canon.method: The method used for canonicalization.
    • EXCL: Exclusive C14N without comments
    • EXCL_W_COMMENT: Exclusive C14N with comments
    • INCL: Inclusive C14N without comments
    • INCL_W_COMMENT: Inclusive C14N with comments
  • keep_empty_uri: When Id tag is empty, this parameter tells to add en empty URI attribute to the Reference node of the XML Signature.
  • whole.document: Choose if you want to sign the whole document or only specified element

# Optional Parameters

  • hmac.key: Select the HMAC key.
  • provide.cert: Provides, or not, the X509 Certificate in the signature data
  • provide.key: Provides, or not, the key value. Should only be used when signing with a private key.
  • id: Set the 'Id' tag name. Default is 'xml:id'.
  • signature_xpath: The XPath expression to find the node before which the signature will be inserted, leave blank to insert as last child of the signed node
  • xpath: The XPath expressions selecting the element to sign

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • xml.sign.err_message (StringAttribute)
  • xml.sign.failure (BooleanAttribute)
  • xml.sign.nb_nodes (StringAttribute)

# Function ActionXSLTApply

Apply an XSLT to an XML Document.

ActionXSLTApply(Args{
    "attr_src": "",
    "attr_name": "",
    "xslt.source": "Source",
})
// returns ${params[attr_name]}, xslt.apply.err_message, xslt.apply.failure
1
2
3
4
5
6

# Mandatory Parameters

  • attr_src: XML to transform
  • attr_name: Resulting XML
  • xslt.source: Select XSLT Source
    • WfAttr: From Workflow-xml-attribute
    • Profile: From an XML File Profile

# Optional Parameters

  • xslt: XSLT to apply
  • xslt_params: Parameters to give to XSLT

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[attr_name]} (XmlDocAttribute)
  • xslt.apply.err_message (StringAttribute)
  • xslt.apply.failure (BooleanAttribute)

# Attributes

# Function ActionAttributesSplit

Create a table of all attributes with the given prefix.

ActionAttributesSplit(Args{
    "name": "",
    "prefix": "",
})
// returns ${params[name]}
1
2
3
4
5

# Mandatory Parameters

  • name: The name of the table attribute to create or overwrite.
  • prefix: The prefix of the attributes to be added to the table.

# Optional Parameters

  • key: The key under which the attributes should be added, or empty to use the entire table.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[name]} (TableAttribute)

# Function ActionSecurityEventsToTable

Set a table from a security events attribute.

ActionSecurityEventsToTable(Args{
    "name": "",
    "value": "",
})
// returns ${params[name]}
1
2
3
4
5

# Mandatory Parameters

  • name: The name of the table attribute to create or overwrite.
  • value: The name of the security events attribute to copy in the table.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[name]} (TableAttribute)

# Function ActionTableAttributeAdd

Add a table attribute entry.

ActionTableAttributeAdd(Args{
    "name": "",
    "key": "",
    "value": "",
})
// returns ${params[name]}
1
2
3
4
5
6

# Mandatory Parameters

  • name: A table attribute name is required (eg: http.request.headers).
  • key: The key to add in the table or "${}" to add an entire table.
  • value: The value to add or a reference to the entire table to add (with key "${}").

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[name]} (TableAttribute)

# Function ActionTableAttributeSet

Set a table attribute entry.

ActionTableAttributeSet(Args{
    "name": "",
    "key": "",
})
// returns ${params[name]}
1
2
3
4
5

# Mandatory Parameters

  • name: The table attribute name. It will be created if it doesn't exist.
  • key: The key to set in the table or "${}" to set an entire table.

# Optional Parameters

  • capture: Whether to capture the original value (default: No). Nothing is done if the original value doesn't exist.
  • capture_re: The regexp to capture the original value
  • modify: Whether to modify the original value only (default: No). Nothing is done if the original value doesn't exist.
  • value: The value to set or a reference to the entire table to set (with key "${}"). When capture mode is enabled, this is the substitution regexp.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[name]} (TableAttribute)

# Function ActionTableAttributeUnset

Unset a table attribute entry.

ActionTableAttributeUnset(Args{
    "name": "",
    "key": "",
})
1
2
3
4

# Mandatory Parameters

  • name: The table attribute on which the entry will be removed.
  • key: The key to remove from the table or "${}" to clear the entire table.

# Function ActionTableClear

Remove all table entries.

ActionTableClear(Args{
    "name": "",
})
1
2
3

# Mandatory Parameters

  • name: Table attribute on which all entries will be removed.

# Miscellaneous

# Function ActionCharTranslation

Translate from an encoding to an other.

ActionCharTranslation(Args{
    "in.text": "",
    "in.encoding": "",
    "out.encoding": "",
    "out.text": "",
})
// returns ${params[out.text]}, char.translation.err_message, char.translation.failure
1
2
3
4
5
6
7

# Mandatory Parameters

  • in.text: Input text to convert
  • in.encoding: Encoding of input text
  • out.encoding: Convert Input text to the selected encoding
  • out.text: Result will be stored in the specified attribute

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • ${params[out.text]} (StringAttribute)
  • char.translation.err_message (StringAttribute)
  • char.translation.failure (BooleanAttribute)

# Function ActionSubRequest

Run a subrequest on the given host.

ActionSubRequest(Args{
    "ip": "${backend.host}",
    "port": "${backend.port}",
    "ssl": "false",
    "method": "GET",
    "url": "${url_of(http.request.path, http.request.query)}",
})
// returns http.sub.response.body, http.sub.response.body.error, http.sub.response.body.error-string, http.sub.response.body.fetched, http.sub.response.cookies, http.sub.response.cooklines, http.sub.response.headers, http.sub.response.host, http.sub.response.port, http.sub.response.protocol, http.sub.response.reason, http.sub.response.status, sub.response.failed, sub.response.failed.body, sub.response.failed.cookies, sub.response.failed.headers, sub.response.failed.host, sub.response.failed.port, sub.response.failed.protocol, sub.response.failed.status
1
2
3
4
5
6
7
8

# Mandatory Parameters

  • ip: The destination IP or hostname of the subrequest.
  • port: The destination port of the subrequest.
  • ssl: Choose if you want to use ssl. (Disabled by default)
  • method: The HTTP method of the subrequest.
    • GET: GET
    • HEAD: HEAD
    • POST: POST
    • PUT: PUT
    • CUSTOM:
  • url: The URL (/path?query) of the subrequest.

# Optional Parameters

  • host: The HTTP header Host for the subrequest.
  • method-custom: The custom method to use.
  • headers: The HTTP headers of the subrequest.
  • cookies: The HTTP cookies of the subrequest.
  • content-type: The HTTP content-type to use.
  • body: The HTTP body of the subrequest.

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • http.sub.response.body (StringAttribute)
  • http.sub.response.body.error (BooleanAttribute)
  • http.sub.response.body.error-string (StringAttribute)
  • http.sub.response.body.fetched (BooleanAttribute)
  • http.sub.response.cookies (TableAttribute)
  • http.sub.response.cooklines (TableAttribute)
  • http.sub.response.headers (TableAttribute)
  • http.sub.response.host (StringAttribute)
  • http.sub.response.port (StringAttribute)
  • http.sub.response.protocol (StringAttribute)
  • http.sub.response.reason (StringAttribute)
  • http.sub.response.status (StringAttribute)
  • sub.response.failed (BooleanAttribute)
  • sub.response.failed.body (StringAttribute)
  • sub.response.failed.cookies (TableAttribute)
  • sub.response.failed.headers (TableAttribute)
  • sub.response.failed.host (StringAttribute)
  • sub.response.failed.port (StringAttribute)
  • sub.response.failed.protocol (StringAttribute)
  • sub.response.failed.status (StringAttribute)

# Function ActionSynchronizeVariables

Set a body and a query string from the given attributes.

ActionSynchronizeVariables(Args{
    "method.action": "Dont",
    "contentType.action": "Dont",
})
// returns synchronize.variables.err_message, synchronize.variables.failure
1
2
3
4
5

# Mandatory Parameters

  • method.action: Leave unchanged or force a specific method.
    • Dont: Don't modify
    • GET: Force method to GET
    • POST: Force method to POST
  • contentType.action: Leave unchanged, unset or modify the request Content-Type.
    • Dont: Don't modify
    • reset: No Content-Type
    • application/x-www-form-urlencoded: application/x-www-form-urlencoded
    • multipart/form-data: multipart/form-data
    • multipart/related: multipart/related

# Optional Parameters

  • contentType.which: Where to find content-type options such as charset, boundary, start, ...
    • extracted: Use Content-Type options from http.request.body.types
    • current: Use Content-Type options from http.request.headers['Content-Type']
    • custom: Use custom Content-Type options
    • none: Dont set options
  • ct.options: Set options to Content-Type, such as 'charset: utf-8' or 'boundary=012345; type="application/xop+xml"; start="<0.urn:uuid:0123456@apache.org>";'

# Required Attributes

Required attributes are global variables that are needed for this function to work.

  • http.request.body.headers (TableAttribute)
  • http.request.body.types (TableAttribute)
  • http.request.body.vars (TableAttribute)
  • http.request.headers (TableAttribute)
  • http.request.query.vars (TableAttribute)

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • synchronize.variables.err_message (StringAttribute)
  • synchronize.variables.failure (BooleanAttribute)

# Function ActionUserLog

Log a user message.

ActionUserLog(Args{
    "log_message": "",
    "log_level": "NOTICE",
    "expend_newline": "true",
    "log_attributes": "false",
})
1
2
3
4
5
6

# Mandatory Parameters

  • log_message: The message to log
  • log_level: The log level to use (the default level NOTICE is always logged, whatever the tunnel's level is).
    • DEBUG: Debug
    • NOTICE: Notice
    • ERR: Error
    • CRIT: Critical
    • ALERT: Alert
    • EMERG: Emergency
  • expend_newline: Replace the newline character(s) by '\n' (single line logging).
  • log_attributes: Log the workflow attributes after the message (for debugging purpose).

# Function ActionX509Extract

Extract values from X509 certificate. Retreived values are readable with<br/>expressions such as ${x509.certificate}["version"]. Dump all values<br/>using ${string_of("x509.certificate")}

ActionX509Extract(Args{
    "x509.value": "",
})
// returns x509.certificate, x509.success
1
2
3
4

# Mandatory Parameters

  • x509.value: X509 certificate parameter value name. (base64 encoded content supported)

# Optional Parameters

  • x509.length: X509 certificate parameter length (optional with base64 but needed in case of binary data).

# Provided Attributes

Provided attributes are global variables that this function provides to the rest of the workflow.

  • x509.certificate (TableAttribute)
  • x509.success (BooleanAttribute)