waf syntax-based-attack-detection

Using regular expression-based signatures to detect SQL/XSS injection attacks is core to a WAF solution. However, it is a continuous and tedious process to maintain and update the signatures to address new evasion techniques and to tune false positives and negatives for some attacks. To address this, syntax-based SQL/XSS injection detection is introduced.

Syntax

config waf syntax-based-attack-detection

edit "<policy_name>"

set sql-arithmetic-operation-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-arithmetic-operation-block-period <period_int>

set sql-arithmetic-operation-severity {High | Medium | Low | Info}

set sql-arithmetic-operation-status {enable | disable}

set sql-arithmetic-operation-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-arithmetic-operation-trigger <trigger_policy_name>

set sql-condition-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-condition-based-block-period <period_int>

set sql-condition-based-severity {High | Medium | Low | Info}

set sql-condition-based-status {enable | disable}

set sql-condition-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-condition-based-trigger <trigger_policy_name>

set sql-embeded-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-embeded-queries-block-period <period_int>

set sql-embeded-queries-severity {High | Medium | Low | Info}

set sql-embeded-queries-status {enable | disable}

set sql-embeded-queries-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-embeded-queries-trigger <trigger_policy_name>

set sql-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-function-based-block-period <period_int>

set sql-function-based-severity {High | Medium | Low | Info}

set sql-function-based-status {enable | disable}

set sql-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-function-based-trigger <trigger_policy_name>

set sql-line-comments-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-line-comments-block-period <period_int>

set sql-line-comments-severity {High | Medium | Low | Info}

set sql-line-comments-status {enable | disable}

set sql-line-comments-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-line-comments-trigger <trigger_policy_name>

set sql-stacked-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-stacked-queries-block-period <period_int>

set sql-stacked-queries-severity {High | Medium | Low | Info}

set sql-stacked-queries-status {enable | disable}

set sql-stacked-queries-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-stacked-queries-trigger <trigger_policy_name>

set xss-html-attribute-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-html-attribute-based-block-period <period_int>

set xss-html-attribute-based-severity {High | Medium | Low | Info}

set xss-html-attribute-based-status {enable | disable}

set xss-html-attribute-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-html-attribute-based-trigger <trigger_policy_name>

set xss-html-css-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-html-css-based-block-period <period_int>

set xss-html-css-based-severity {High | Medium | Low | Info}

set xss-html-css-based-status {enable | disable}

set xss-html-css-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-html-css-based-trigger <trigger_policy_name>

set xss-html-tag-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-html-tag-based-block-period <period_int>

set xss-html-tag-based-check-level {strict | moderate}

set xss-html-tag-based-severity {High | Medium | Low | Info}

set xss-html-tag-based-status {enable | disable}

set xss-html-tag-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-html-tag-based-trigger <trigger_policy_name>

set xss-javascript-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-javascript-function-based-block-period <period_int>

set xss-javascript-function-based-severity {High | Medium | Low | Info}

set xss-javascript-function-based-status {enable | disable}

set xss-javascript-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-javascript-function-based-trigger <trigger_policy_name>

set xss-javascript-variable-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-javascript-variable-based-block-period <period_int>

set xss-javascript-variable-based-severity {High | Medium | Low | Info}

set xss-javascript-variable-based-status {enable | disable}

set xss-javascript-variable-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-javascript-variable-based-trigger <trigger_policy_name>

config exception-element-list

edit "<list-id>"

set match-target {HOST | URI | FULL-URL | PARAMETER | COOKIE}

set operator {STRING_MATCH| REGEXP_MATCH}

set value-name <name_str>

set value-check {enable | disable}

set value <value_str>

set concatenate-type {AND | OR}

set attack-type {arithmetic_operation_based_boolean_injection | condition_based_boolean_injection | embeded_queries_sql_injection | html_attr_based_xss_injection | html_css_based_xss_injection | html_tag_based_xss_injection | js_func_based_xss_injection | js_var_based_xss_injection | line_comments | invalid | sql_function_based_boolean_injection | stacked_queries_sql_injection}

end

Variable	Description	Default
"<policy_name>"	Enter a name for the syntax based detection policy.	No default
sql-arithmetic-operation-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure sql-arithmetic-operation-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
sql-arithmetic-operation-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
sql-arithmetic-operation-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
sql-arithmetic-operation-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
sql-arithmetic-operation-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for Arithmetic Operation Based Boolean Injection attack.	`severe`
sql-arithmetic-operation-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
sql-condition-based-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure sql-condition-based-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
sql-condition-based-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
sql-condition-based-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
sql-condition-based-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
sql-condition-based-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for Arithmetic Operation Based Boolean Injection attack.	`severe`
sql-condition-based-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
sql-embeded-queries-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure sql-embeded-queries-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
sql-embeded-queries-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
sql-embeded-queries-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
sql-embeded-queries-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
sql-embeded-queries-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for Embedded Queries SQL Injection attack.	`severe`
sql-embeded-queries-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
sql-function-based-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure sql-function-based-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
sql-function-based-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
sql-function-based-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
sql-function-based-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
sql-function-based-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for SQL Function Based Boolean Injection attack.	`severe`
sql-function-based-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
sql-line-comments-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure sql-line-comments-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
sql-line-comments-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
sql-line-comments-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
sql-line-comments-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
sql-line-comments-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for Line Comments attack.	`severe`
sql-line-comments-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
sql-stacked-queries-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure sql-stacked-queries-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
sql-stacked-queries-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
sql-stacked-queries-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
sql-stacked-queries-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
sql-stacked-queries-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for Stacked Queries SQL Injection attack.	`severe`
sql-stacked-queries-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
xss-html-attribute-based-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure xss-html-attribute-based-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
xss-html-attribute-based-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
xss-html-attribute-based-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
xss-html-attribute-based-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
xss-html-attribute-based-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for HTML Attribute Based XSS Injection attack.	`severe`
xss-html-attribute-based-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
xss-html-css-based-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure xss-html-css-based-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
xss-html-css-based-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
xss-html-css-based-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
xss-html-css-based-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
xss-html-css-based-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for HTML CSS Based XSS Injection attack.	`severe`
xss-html-css-based-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
xss-html-tag-based-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure xss-html-tag-based-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
xss-html-tag-based-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
xss-html-tag-based-check-level {strict \| moderate}	`moderate`—An injection attack will be reported when tags besides body/head/html are detected. `strict`—No injection attack will be reported when tags besides body/head/html are detected. Note: It is not advised to set it as `moderate` as false positves may occur.	`strict`
xss-html-tag-based-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
xss-html-tag-based-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
xss-html-tag-based-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for HTML Tag Based XSS Injection attack.	`severe`
xss-html-tag-based-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
xss-javascript-function-based-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure xss-javascript-function-based-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
xss-javascript-function-based-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
xss-javascript-function-based-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
xss-javascript-function-based-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
xss-javascript-function-based-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for Javascript Function Based XSS Injection attack.	`severe`
xss-javascript-function-based-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
xss-javascript-variable-based-action {alert \| redirect \| deny_no_log \| alert_deny \| block_period \| send_http_response}	Select the action FortiWeb takes when this injection type attack is identified. `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `deny_no_log`—Block the request (or reset the connection). `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `block_period`—Block subsequent requests from the client for a number of seconds. Also configure xss-javascript-variable-based-block-period <period_int>. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image. `send_http_response`—Block and reply to the client with an HTTP error message and generate an alert email and/or log message. Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.	`alert_deny`
xss-javascript-variable-based-block-period <period_int>	Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.	`600`
xss-javascript-variable-based-severity {High \| Medium \| Low \| Info}	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs an injection attack: High Medium Low Info	`High`
xss-javascript-variable-based-status {enable \| disable}	Enable or disable the attack type detection for this rule.	`enable`
xss-javascript-variable-based-threat-weight {low \| critical \| informational \| moderate \| substantial \| severe}	Set the threat weight for Javascript Variable Based XSS Injection attack.	`severe`
xss-javascript-variable-based-trigger <trigger_policy_name>	Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter: `set trigger ?`	No default
"<list-id>"	Enter an ID for the exception list.	No default
match-target {HOST \| URI \| FULL-URL \| PARAMETER \| COOKIE}	Select the type of request element to exempt from this rule.	`URI`
operator {STRING_MATCH \| REGEXP_MATCH}	STRING_MATCH—Name is the literal name of a parameter. REGEXP_MATCH— Name is a regular expression that matches all and only the name of the parameter that the exception applies to.	`REGEXP_MATCH`
value-name <name_str>	Specify the name of the parameter to match.
value-check {enable \| disable}	Enable to specify a parameter value to match in addition to the parameter name.	`disable`
value <value_str>	Specify a HOST/URI/FULL-URL/PARAMETER/COOKIE value to match.	No default
concatenate-type {AND \| OR}	AND—A matching request matches this entry in addition to other entries in the exemption list. OR—A matching request matches this entry instead of other entries in the exemption list. Later, you can use the exception list options to adjust the matching sequence for entries.	`AND`
attack-type {arithmetic_operation_based_boolean_injection \| condition_based_boolean_injection \| embeded_queries_sql_injection \| html_attr_based_xss_injection \| html_css_based_xss_injection \| html_tag_based_xss_injection \| js_func_based_xss_injection \| js_var_based_xss_injection \| line_comments \| invalid \| sql_function_based_boolean_injection \| stacked_queries_sql_injection}	Select the attack type you want to create the exception for.	No default