(eVn.1096 - Invalid aVal Action [ ??? ]) or
(iN.66 Invalid aVal [ ??? ]) or
(iNt.297 Invalid aVal [ ??? ]) or
(admApi.49 Invalid aVal [ ??? ]) or
(dLog.105 Invalid aVal [ ??? ]) or
(appUser.99 Invalid aVal [ ??? ]) or
(eMc.16 Invalid aVal [ ??? ])
OCCURRENCE: Once in a while, but fairly regularly.
OBSERVATION: The key phrase is Invalid aVal Action. There is often a very complex string that is hundreds of characters long. These are called "Query Strings", and they follow the file location, which is typically a php file. So a complex URL is made up of two parts, the "location" and the "query string," separated by a "?". Within the "query string" there are a number of key/value pairs, separated from each other by "&" signs. Each key/value pair is split by an "=" sign: the left side of the equals sign is the "key", the right side the "value."
Our ticket does not show the full URL. Instead, it splits it into two halves, as indicated by the gold and green highlights in the image on the next page. The gold marks the location, which follows the word "Script" (underlined in red). The green marks the query string, and the word "QueryString" stands where the "?" mark would normally be in the URL.
The following URL shows the various parts.
https://emdc.online/index.php?a=dirLog&e=first.last@gmail.com&i=19016054956fgi617&lang=en&site=0&src=home
Location: (items to the left of the ? mark).
Query: (items to the right of the ? mark).
The query is made up of 6 key/value pairs.
a=dirLog
e=first.last@gmail.com
i=19016054956fgi617
lang=en
site=0
src=home
This error looks only at the aVal, which is part of the query string. "aVal" is another way of saying "a value." So in the above example the "a" (or action) value is dirLog.
The subject line of this ticket also gives you the aVal. That is the value in brackets. The contents of the brackets (aVal) will vary considerably.
The query string is the common way a spammer tries to break into our system. This article explains common phrases that are used for SQL injection.
https://www.cmswire.com/cms/web-cms/how-they-hack-your-website-overview-of-common-techniques-002339.php
In our system the "a" value (i.e. aVal) is a code passed within the URL that stands for "action." There are a number of common action words like "login", "profile", "logout", "dirlog", "event", "start" and so forth. They are normally a command that indicates that a specific action is to be taken. If you get this error and the aVal looks like a normal action word, it is a problem. But complex phrases like those mentioned in the above article are SQL injection requests. See also the next topic for PCI Hints.
ACTION: Check whether the aVal is a typical SQL injection test. If it is, you can delete the ticket. If the aVal is a common action word, that is an error that needs to be reported and ESCALATED to Tier 3. If there is any question, escalate to Tier 3.
SOURCE: CruGlobal, MYLC, EMDC
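The triage in the ACTION step above, sketched as an added example (not code from the system this entry describes). It takes the QueryString half of a ticket, pulls out the aVal, and returns the decision; the keyword pattern, the case-insensitive comparison and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Action words the page names as common; the system's full list is not shown.
KNOWN_ACTIONS = {"login", "profile", "logout", "dirlog", "event", "start"}

# Constructed heuristic, not the system's own validation: characters and SQL
# keywords that never appear in a plain action word.
SQLI_HINT = re.compile(
    r"['\";()=<>*]|--|/\*|\b(union|select|insert|update|delete|drop|sleep)\b",
    re.IGNORECASE,
)

def extract_aval(query_string):
    """Return the decoded value of the 'a' key, or None if it is absent."""
    pairs = parse_qs(query_string.lstrip("?"), keep_blank_values=True)
    values = pairs.get("a")
    return values[0] if values else None

def triage(query_string):
    """Map the QueryString half of a ticket to (decision, reason)."""
    aval = extract_aval(query_string)
    if aval is None:
        return ("escalate", "no aVal present")
    # Case-insensitive match is an assumption (page shows dirLog and dirlog).
    if aval.lower() in KNOWN_ACTIONS:
        return ("escalate", "common action word was rejected")
    if SQLI_HINT.search(aval):
        return ("delete", "typical SQL injection test")
    return ("escalate", "unclear aVal")

# Constructed samples: the page's example query string and a textbook probe.
SAMPLES = [
    "a=dirLog&e=first.last@gmail.com&i=19016054956fgi617&lang=en&site=0&src=home",
    "a=1%27%20OR%20%271%27%3D%271&lang=en",
    "a=dirLgo&lang=en",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(extract_aval(qs), "->", triage(qs))
```

Anything that is neither a listed action word nor an obvious probe falls through to "escalate", matching the rule to escalate when there is any question.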