My company is using Domino as our email system and application platform. We have quite a few XPages applications. We have just bought a Barracuda Web Application Firewall. There are recommended "best practice" values for the WAF rules which our applications exceed or do not meet.
I am tasked to either (1) make adjustments to our applications to suit the recommended values or (2) justify an exception. We have gotten the applications to fall within the guidelines except for two points, which I recognize are a fundamental design of XPages but need some supporting documentation or an expert to lend weight to my justification for exceptions to be made.
1. Parameter Name length exceeded, recommended value 64, detected value 69
Example: Parameter name = view:_id1:include4:include1:_id68:repeat1:1:repeat3:0:section2_closed
Explanation: Form controls in XPages, when rendered on the client side, come with long IDs because they are constructed in a hierarchical manner, leading to long names for controls nested deeply within other controls. Thus their parameter names for the returned values easily surpass the Barracuda recommended value of 64.
Recommendation: To increase the allowed parameter name length to X
Help: Please suggest what X should be.
2. Slash-dot in URL path (https://www.owasp.org/index.php/Path_Traversal)
Explanation: Domino (and Dojo) have library names containing the dot, thus to make use of those libraries the path must contain a dot as well.
Recommendation: To grant exception for Domino web application servers.
Help: If possible, please link any tech note from IBM regarding their response to this issue. I have tried searching, but either my Google-fu is not strong enough or there is very little material in this regard.
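Added example (not part of the question above, and not Barracuda or IBM code): a small Python script that produces the concrete numbers an exception request needs for both points. `SAMPLE_BODY` is a constructed XPages form post built around the parameter name quoted in point 1; the `/xsp/.ibmxspres/...` URL is assumed as a representative XPages resource path, and the other URLs are constructed. The second half separates a real `.` or `..` path segment, which is what the linked OWASP Path_Traversal page describes and what a slash-dot rule is meant to stop, from a segment whose name merely starts with a dot, so the exception for point 2 can be scoped to dot-named resource directories rather than switching the rule off for the whole server.

```python
import posixpath
from urllib.parse import parse_qsl, unquote, urlsplit

# Barracuda "recommended value" for parameter name length quoted in the question.
RECOMMENDED_PARAM_NAME_LENGTH = 64

# Constructed sample POST body (not a captured request), modelled on the
# parameter name from point 1. $$viewid / $$xspsubmitid are the hidden fields
# XPages adds to every form post.
SAMPLE_BODY = (
    "view:_id1:include4:include1:_id68:repeat1:1:repeat3:0:section2_closed=true"
    "&view:_id1:include4:_id12=hello"
    "&$$viewid=!abc123!"
    "&$$xspsubmitid=view:_id1:include4:_id13"
)


def params_over_limit(body, limit=RECOMMENDED_PARAM_NAME_LENGTH):
    """Return [(name, length)] for every form field whose name exceeds limit.

    Run this over captured request bodies from the WAF log to quote exact
    figures (and the maximum observed) when asking for a raised limit X.
    """
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    return [(n, len(n)) for n in names if len(n) > limit]


def xpages_client_id(*ids):
    """Join naming-container ids the way XPages renders them: parent:child:grandchild.

    Lets you estimate how deeply a control can be nested before its client id,
    and therefore its parameter name, crosses the limit.
    """
    return ":".join(str(i) for i in ids)


def _fully_decoded(path):
    """Percent-decode until stable so %2e%2e and %252e%252e are both seen as '..'."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def classify_path(url):
    """Classify the slash-dot pattern in a URL path.

    'traversal': a '.' or '..' *segment*, the pattern the OWASP page is about
    'dot-name' : only segment names that start with '.', e.g. '/xsp/.ibmxspres/...'
    'clean'    : no slash-dot at all
    """
    segments = _fully_decoded(urlsplit(url).path).split("/")
    if any(seg in (".", "..") for seg in segments):
        return "traversal"
    if any(seg.startswith(".") for seg in segments):
        return "dot-name"
    return "clean"


def escapes_base(url, base):
    """True if the normalised path leaves base (e.g. '/app.nsf/../../etc/passwd').

    A '..' that stays inside base ('/app.nsf/sub/../page.xsp') is not an escape.
    """
    path = posixpath.normpath(_fully_decoded(urlsplit(url).path))
    base = posixpath.normpath(base)
    return not (path == base or path.startswith(base.rstrip("/") + "/"))


if __name__ == "__main__":
    for name, length in params_over_limit(SAMPLE_BODY):
        print(f"{length:3d} {name}")
    for u in ("/xsp/.ibmxspres/dojoroot-1.8.1/dojo/dojo.js",
              "/app.nsf/page.xsp",
              "/app.nsf/%2e%2e/%2e%2e/etc/passwd"):
        print(classify_path(u), escapes_base(u, "/app.nsf"), u)
```

For point 1 the script reports the 69-character name from the question and nothing else in the constructed body, so "X" can be argued from the longest name actually observed plus headroom for the deepest repeat nesting in your designs. For point 2, a URL under the dot-named resource directory classifies as `dot-name` and never escapes its base after normalisation, whereas encoded `..` segments still classify as `traversal`, which is the distinction worth putting in front of whoever approves the exception.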