Built-In Filter Rule Recommendations & Tweaks

Where can we provide feedback regarding recommendations & tweaks for existing built-in rules?

For example, we discovered the hard way that Rule ID 920250 (UTF8 Encoding Abuse Attack Attempt), for 3 points, and Rule ID 932370 (Remote Command Execution: Windows Command Injection), for 8 points, both appear to block benign biographical strings like “during her time at Harvard”. (It matches "time at " followed by any letter or number.)

According to this article from 2016, the “UTF8 Encoding Abuse Attempt” results in “hardly any false positives”, but I wonder if it’s the same rule. (There’s no real way to tell what they were using in 2016.)
https://www.netnea.com/cms/2016/01/17/most-frequent-false-positives-triggered-by-owasp-modsecurity-core-rules-2-2-x/

Our only current path forward to avoid false positives like this is to disable the rules entirely or raise the minimum level for blocking, but that also potentially makes us susceptible to UTF8 encoding abuse attacks.

Any recommendations? (And where can feedback regarding false positives be provided?)

Thanks.

You can tweak your bot manager to allow for a browser challenge or other mitigation type instead of a block for certain rule points. Points of 3 and 8 are very low and are not a recommended “block” amount.

If that doesn’t work, you can try to set up an exception for this specific use case? Managed Rules | Edgio Documentation

QUESTION: Is the challenge option only available for “bots”? Or would it also challenge users with regular browser user agents?

QUESTION: Is Google reCAPTCHA v3 the only challenge option available? Are there any plans to support hCaptcha as an alternative? (We moved away from Google a couple of years ago.)

We ended up configuring an exception rule based on the form field that was being used.

QUESTION: Is the challenge option only available for “bots”? Or would it also challenge users with regular browser user agents?

While it’s in the “Bot Manager” piece of our security, it can still challenge a regular user should they be deemed to look like one if their score goes above a threshold.

QUESTION: Is Google reCAPTCHA v3 the only challenge option available? Are there any plans to support hCaptcha as an alternative? (We moved away from Google a couple of years ago.)

Currently, yes to Google being the only Captcha support. Checking on plans to add hCaptcha.

We ended up configuring an exception rule based on the form field that was being used.

Understood. Let us know if that doesn’t work.

hCaptcha support via our Bot Manager won’t be integrated anytime soon. You should still be able to add this as a script on your page though and not enable our reCaptcha. This can still work together with a browser challenge.

You should still be able to add this as a script on your page though and not enable our reCaptcha.

How would this work? Isn’t it impossible to connect an external captcha with edgio v7?

Btw, the problem with Google reCAPTCHA and hCaptcha is that both are limited by a certain number of uses per month and then are VERY expensive. A large site cannot use them simply because of the extreme costs when overage occurs.

Embed their script

Make sure your server can still execute the server side verification

You could probably use an edge function to accomplish this.

I haven’t tested this, but there is no block Edgio would introduce to this workflow.

Btw, the problem with Google reCAPTCHA and hCaptcha is that both are limited by a certain number of uses per month and then are VERY expensive. A large site cannot use them simply because of the extreme costs when overage occurs.

Yes, but if you do have an account with those providers, having a way to integrate is nice.

If you don’t want to use captcha we provide other forms of mitigation.
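
The server-side verification step mentioned in the reply above, sketched as an added example that is not part of the thread and is not Edgio's or hCaptcha's code. It posts the token to hCaptcha's documented `siteverify` endpoint and fails closed; the function names, the `expectedHostname` option and the injectable `fetchImpl` are assumptions made for illustration, and nothing here uses an Edgio-specific API.

```javascript
// Added example: server-side hCaptcha token check (runs on an origin server or in an edge function).
const SITEVERIFY_URL = "https://api.hcaptcha.com/siteverify";

// Build the form-encoded POST that the siteverify endpoint expects.
function buildVerifyRequest(token, secret, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  return {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Decide from the siteverify JSON; anything other than an explicit success is a rejection.
function evaluateVerification(result, expectedHostname) {
  const codes = Array.isArray(result?.["error-codes"]) ? result["error-codes"] : ["no-success"];
  if (!result || result.success !== true) {
    return { ok: false, reason: codes.join(",") };
  }
  if (expectedHostname && result.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch" }; // token was solved on another site
  }
  return { ok: true, reason: "verified" };
}

// fetchImpl is injectable (assumption) so the check can be exercised offline with a stub.
async function verifyHcaptcha(token, opts, fetchImpl = globalThis.fetch) {
  if (typeof token !== "string" || token.length === 0) {
    return { ok: false, reason: "missing-token" }; // never call out without a token
  }
  try {
    const res = await fetchImpl(SITEVERIFY_URL, buildVerifyRequest(token, opts.secret, opts.remoteIp));
    if (!res.ok) return { ok: false, reason: "siteverify-http-" + res.status };
    return evaluateVerification(await res.json(), opts.expectedHostname);
  } catch (err) {
    return { ok: false, reason: "siteverify-unreachable" }; // fail closed on network errors
  }
}
```

The token arrives from the embedded widget in the `h-captcha-response` form field; the secret must stay server-side and never ship in page script.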