NimbostratusWildCard Parameters
Hi All, i have a question about ASM Parameters, is it safe to have wildcard parameters? whats the level of impact i'm expecting regarding my security doing that!
Depends on your environment. I use wildcard parameters in 95% of deployments in conjunction with 3-5 specific (the most important) parameters. I think it's a smart thing to do, because listing out all individual parameters for maximum granularity is too expensive to manage. It's also a very risky strategy (any minor application patch could come with an impact).
What will you lose? Parameter Length and Meta Character restrictions are universal. To give you an example, value of a parameter "2-letter-country-code" never needs to exceed 2 bytes. But due to your wildcard strategy, setting such a low limit is not viable because other parameters require more bytes for their legitimate values. Is it a significant loss? In my opinion, it's quite marginal.
tl;dr: go with a wildcard, and list out only those parameters that are of key importance. To give you an idea of important parameters that are worth dedicated security specifications: session-id, social-security-number, password, api-access-token, credit-card-no, passport-number.
