Network Prevent for Web does not detect information sent through a Web based text entry box

Article ID: 260109

Products

Data Loss Prevention; Data Loss Prevention Network Web

Issue/Introduction

You are trying to capture sensitive information leaking through messages typed into web based communicators. The traffic is directed through a proxy, which forwards it to a Network Prevent for Web server for detection. Even though you insert sensitive information into the message/text box on the website, you get no incident and no trace of detection at all on the Network channel.

Environment

15.8+

Cause

The most likely cause of this behavior is the minimum request size that a Network Prevent for Web server accepts. By default it is 4096 bytes, configured in the "Ignore Requests Smaller Than" property of the server's configuration. Any request smaller than the specified value is ignored and never reaches detection.

A message sent through a communicator, or a similar text entry box on a website (for example dlptest.com), will usually not reach this limit. The size varies between sites and communicators, but under normal conditions a message of about 500 words is needed to reach 4096 bytes.

To verify whether this is your scenario, check the size of the message with the Developer Tools of the web browser used to send it. In the example below dlptest.com is used with Microsoft Edge (Chromium), and the message content is a 500-word Lorem Ipsum string. The resulting size will differ between dlptest.com and the actual communicator, but it serves as a baseline.

1. Open dlptest.com and choose either HTTP or HTTPS.

2. Open Developer Tools in the browser and choose the Network tab. 

3. Enter the message into the "Test Message" field and hit Submit.

4. Find the POST of the message in the Network trace collected by the browser. With Edge and dlptest.com it appears as the "https-post/" request, the first one from the top. Click on the name to display the details of the captured request. Ensure that the Request Method is POST, scroll down to Request Headers and locate "content-length". This is the size of the request body sent, in bytes.

If content-length is smaller than 4096, the request is ignored by the Network Prevent for Web server. Note that content-length covers the whole encoded form body, including any other form fields and the overhead of URL encoding, not only the text you typed into the message box.

A simple way to double check this is to pad the message with dummy data, alongside the sensitive data that is expected to be detected, until the request reaches the threshold, and observe whether an incident is raised.
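The following script is an added example, not part of this article or of the product: it reproduces offline what the Developer Tools check above shows, by encoding a form the way a browser submits it (application/x-www-form-urlencoded, spaces become "+"), reporting the resulting Content-Length, deciding whether the default 4096-byte "Ignore Requests Smaller Than" threshold would discard it, and padding the message with dummy text until it crosses the threshold. The form field names ("name", "message"), the filler text and the sensitive marker string are constructed assumptions for illustration; the real field names of the site under test are visible in the browser's Network tab.

```python
from urllib.parse import urlencode

# Default "Ignore Requests Smaller Than" value of a Network Prevent for Web server, in bytes.
DEFAULT_THRESHOLD = 4096

# Assumed field name of the text box; real forms use whatever name the site defines.
MESSAGE_FIELD = "message"


def form_body(fields):
    """Encode the form the way a browser does for application/x-www-form-urlencoded.

    urlencode() uses quote_plus(): spaces become "+", most punctuation and any
    non-ASCII character becomes a %XX sequence, so the encoded body can be
    larger than the raw text.
    """
    return urlencode(fields).encode("utf-8")


def content_length(fields):
    """The value the browser puts in the Content-Length request header."""
    return len(form_body(fields))


def is_ignored(fields, threshold=DEFAULT_THRESHOLD):
    """True if the request is smaller than the threshold and is discarded before detection."""
    return content_length(fields) < threshold


def pad_message(fields, threshold=DEFAULT_THRESHOLD, filler=" lorem ipsum"):
    """Append dummy text to the message field until the encoded body reaches the threshold.

    The original (sensitive) content stays at the start of the message, so a
    detection rule that matched it before still matches after padding.
    Returns a copy; the input dict is left untouched.
    """
    padded = dict(fields)
    while content_length(padded) < threshold:
        padded[MESSAGE_FIELD] += filler
    return padded


if __name__ == "__main__":
    # Constructed sample form: a second field plus a short message carrying a
    # marker string that stands in for the sensitive data a policy should catch.
    sample = {"name": "tester", MESSAGE_FIELD: "SENSITIVE-TOKEN-0001"}

    size = content_length(sample)
    print(f"Content-Length of the short message: {size} bytes")
    print(f"Ignored at the default threshold: {is_ignored(sample)}")

    padded = pad_message(sample)
    print(f"Content-Length after padding: {content_length(padded)} bytes")
    print(f"Ignored after padding: {is_ignored(padded)}")
    print(f"Words in padded message: {len(padded[MESSAGE_FIELD].split())}")
```

Running the script shows the short message encoding to 40 bytes, far below the threshold, and the padded version reaching exactly 4096 bytes after 338 rounds of filler. Compare the byte count it reports with the content-length seen in the browser for the same text; a large difference points at extra form fields or different encoding on the real site, which is exactly why the threshold should be set on measured request sizes rather than on a word count.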

Resolution

Adjust the "Ignore Requests Smaller Than" property of the Network Prevent for Web server to a value below the size of the messages that should be submitted for detection:

1. In the Enforce Console navigate to System -> Servers and Detectors -> Overview.

2. Click on the Network Prevent for Web server and hit "Configure" on top of the screen.

3. Change the tab to ICAP and adjust the limit accordingly.

4. Save the changes and recycle (restart) the Network Prevent for Web server so the new value takes effect.

For more details on configuring the server refer to the documentation provided below:

Configuring Network Prevent for Web Server (broadcom.com)


Adjust this property with caution. The lower the limit, the more irrelevant traffic the server analyzes, which may have a negative impact on performance, especially CPU load. The server connection limit, 16 by default, may also be saturated much more quickly, and a queue may build up. Lower the value in small steps and monitor the effect after each change.