Citrix ADC

JSON Cross-Site Scripting protection check

If an incoming JSON payload has a malicious cross-site scripting data, WAF blocks the request. The following procedures explain how you can configure this through CLI and GUI interfaces.

Configure JSON Cross-Site Scripting protection

For configure JSON cross-site scripting protection, you must complete the following steps:

  1. Add application firewall profile as JSON.
  2. Configure JSON cross-site scripting action to block cross-site scripting malicious payload

Add application firewall profile of type JSON

You must first create a profile that specifies how the application firewall must protect your JSON web content from JSON cross-site scripting attack.

At the command prompt, type:

add appfw profile <name> -type (HTML | XML | JSON)

Note:

When you set the profile type as JSON, other checks such as HTML or XML will not applicable.

Example

add appfw profile profile1 –type JSON

Sample output for JSON cross-site scripting violation

JSONcross-site scriptingAction: block log stats
Payload: {"username":"<a href=\"jAvAsCrIpT:alert(1)\">X</a>","password":"xyz"}

Log message: Aug 19 06:57:33 <local0.info> 10.106.102.21 08/19/2019:06:57:33 GMT  0-PPE-0 : default APPFW APPFW_JSON_cross-site scripting 58 0 :  10.102.1.98 12-PPE0 - profjson http://10.106.102.24/ Cross-site script check failed for object value(with violation="Bad URL: jAvAsCrIpT:alert(1)") starting at offset(12). <blocked>

Counters
   1  357000                  1 as_viol_json_xss
   3  0                       1 as_log_json_xss
   5  0                       1 as_viol_json_xss_profile appfw__(profjson)
   7  0                       1 as_log_json_xss_profile appfw__(profjson)

<!--NeedCopy-->

Configure JSON Cross-Site Scripting action

You must configure one or more JSON cross-site scripting actions to protection your application from JSON Cross-Site Scripting attacks. At the command prompt, type:

set appfw profile <name> - JSONcross-site scriptingAction [block] [log] [stats] [none]

Example

set appfw profile profile1 –JSONcross-site scriptingAction block

The available Cross-Site Scripting actions are: Block - Block connections that violate this security check. Log - Log violations of this security check. Stats - Generate statistics for this security check. None - Disable all actions for this security check.

Note: To enable one or more actions, type “set appfw profile - JSONcross-site scriptingAction “ followed by the actions to be enabled.

Example

set appfw profile profile1 -JSONSQLInjectionAction block log stat

Configure JSON Cross Site Scripting (cross-site scripting) protection by using Citrix GUI

Follow the procedure below to set the Cross Site Scripting (cross-site scripting) protection settings.

  1. On the navigation pane, navigate to Security > Profiles.
  2. In the Profiles page, click Add.
  3. In the Citrix Web App Firewall Profile page, click Security Checks under Advanced Settings.
  4. In the Security Checks section, go to JSON Cross-Site Scripting (cross-site scripting) settings.
  5. Click the executable icon near the checkbox.

    JSON cross-site scripting Security Check

  6. Click Action Settings to access the JSON Cross-Site Scripting Settings page.
  7. Select the JSON cross-site scripting actions.
  8. Click OK.

    JSON cross-site scripting Security Check

  9. In the Citrix Web App Firewall Profile page, click Relaxation Rules under Advanced Settings.
  10. In Relaxation Rules section, select JSON Cross-Site Scripting settings and click Edit.

    JSON cross-site scripting Security Check

  11. In the JSON Cross-Site Scripting Relaxation Rule page, click Add to add a JSON Cross-Site Scripting relaxation rule.
  12. Enter the URL to which the request has to be sent. All requests sent to this URL will not be blocked.
  13. Click Create.

    JSON cross-site scripting Security Check

Configure fine grained relaxation for JSON-based cross-site scripting

The Web App Firewall gives you an option to relax a specific JSON key or value from the JSON based cross-site scripting (XSS) inspection check. You can configure multiple options to relax JSON payloads using fine grain relaxation rules. Previously, the only way to configure relaxations for JSON protection checks is to specify the entire URL and that would bypass the verification of the entire URL. The JSON based SQL security protection provides relaxation for the following:

  • Key names
  • Key values

JSON based cross-site scripting (XSS) protection enables you to configure relaxations that allow specific patterns and block the rest. For example, the Web App Firewall currently has a default set of more than 100 SQL keywords. Because hackers can use these keywords in SQL Injection attacks, the Web App Firewall flags all as potential threats. If you want to relax one or more keywords that are considered safe for the specific location, you can configure a relaxation rule that can bypass the security check and block the rest. The commands used in relaxations have optional parameters for Value Type and Value Expression. You can specify whether the value expression is a regular expression or a literal string. The value type can be left blank, or you have an option to select Keyword or Special String.

Note:

Regular expressions are powerful. Especially if you are not thoroughly familiar with PCRE-format regular expressions, double-check any regular expressions you write. Make sure that they define exactly the URL that you want to add as an exception, and nothing else. Careless use of wildcards, and especially of the dot-asterisk (.*) metacharacter or wildcard combination, can have results that you do not want, such as blocking access to web content that you did not intend to block or allowing an attack that the JSON SQL Injection check would otherwise have blocked.

Points to Consider

  • Value expression is an optional argument. A field name might not have any value expression.
  • A key name can be bound to multiple value expressions.
  • Value expressions must be assigned a value type. The value types are tag, attribute, and pattern.
  • You can have multiple relaxation rules per key name/URL combination.

Configure JSON fine grain relaxation for cross-site scripting (XSS) injection attacks using command interface

To configure JSON file grain relaxation rule, you must bind the fine grain relaxation entities to the Web App Firewall profile.

At the command prompt, type:

bind appfw profile <profile name> -jsonxssURL <URL> -key <key name> -isregex <REGEX/NOTREGEX> -valueType <keyword/SpecialString> <value Expression> -isvalueRegex <REGEX/NOTREGEX>
<!--NeedCopy-->

Example:

bind appfw profile appprofile1 -jsonxssurl www.example.com -key name  -isRegex NOTREGEX -valueType Tag “sname” -isvalueRegex NOTREGEX
<!--NeedCopy-->

To configure an JSON based cross-site scripting (XSS) Injection fine grain relaxation rule by using the GUI

  1. Navigate to Application Firewall > Profiles, select a profile, and click Edit.
  2. In the Advanced Settings pane, click Relaxation Rules.
  3. In the Relaxation Rules section, select a JSON SQL Injection record and click Edit.
  4. In the JSON Cross-Site Scripting Relaxation Rules slider, click Add.
  5. In the JSON Cross-Site Scripting Relaxation Rule page, set the following parameters.

    1. Enabled
    2. Is Name Regex
    3. Key Name
    4. URL
    5. Value Type
    6. Comments
    7. Resource ID
  6. Click Create.

JSON fine grain relaxation for cross site scripting

JSON Cross-Site Scripting protection check