Citrix ADC

Command injection grammar-based protection for HTML payload

Citrix Web App Firewall uses a pattern-match approach for detecting command injection attacks in HTML payloads. The approach uses a set of pre-defined keywords and/or special characters to detect an attack and flag it as a violation. Although this approach is effective, it can result in many false positives that lead to adding one or more relaxation rules, especially when a commonly used word such as “Exit” appears in an HTTP request. You can reduce false positives by enabling the command injection grammar-based protection check for the HTML payload.

In the pattern-match approach, a command injection attack is identified if a pre-defined keyword and/or a special character is present in an HTTP request; the surrounding text need not form a valid command injection statement. In the grammar-based approach, a command injection attack is detected only if the keyword or special character appears within a valid command injection statement. Therefore, false-positive scenarios are reduced.

Command injection grammar-based protection usage scenario

Consider the statement “Rush towards the exit!” present in an HTTP request. Although the statement is not a valid command injection statement, the pattern-match approach detects the request as a command injection attack because of the keyword “exit”. In the command injection grammar-based approach, the statement is not detected as a violation because the keyword is not part of a valid command injection statement.

Configure command injection grammar-based protection parameter using the CLI

To implement command injection grammar-based detection, you must configure the “CMDInjectionGrammar” parameter in the Web App Firewall profile. By default, the parameter is disabled. All existing command injection actions are supported except learning. Any new profile created after an upgrade supports command injection grammar. The new profile continues to have the default type as “special character or keyword” and command injection grammar must be explicitly enabled.

At the command prompt, type:

add appfw profile <profile-name> -CMDInjectionAction <action-name> -CMDInjectionGrammar ( ON | OFF )

Example:

add appfw profile profile1 -CMDInjectionAction Block -CMDInjectionGrammar ON

Configure command injection pattern-match protection and grammar-based protection using the CLI

If you have enabled both grammar-based and pattern-match approaches, then the appliance performs grammar-based detection first. If there is a command injection detected with the action type set to “block”, the request is blocked (without verifying detection using pattern-match).
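The following Python model, added here and not part of the Citrix documentation or product, illustrates both the usage scenario above (“Rush towards the exit!”) and the evaluation order just described. It is a deliberately simplified stand-in for the two detection modes: the keyword list, the special-character set and the “command position” rule are constructed assumptions, not the appliance's real grammar.

```python
import re

# Constructed sample keyword/special-character sets (assumption, not the product's list).
KEYWORDS = {"exit", "cat", "ls", "wget", "curl", "ping"}
SPECIAL_CHARS = set(";|&`$")

# A keyword only "counts" in grammar mode where a shell would parse it as a command:
# at the start of the value, or right after a separator (; | & `) or a $( substitution.
_COMMAND_POSITION = re.compile(r"(?:^|[;|&`]|\$\()\s*([A-Za-z_]+)")


def pattern_match_detect(value: str) -> bool:
    """Pattern-match mode: a keyword OR a special character anywhere in the value."""
    words = re.findall(r"[A-Za-z_]+", value.lower())
    return any(w in KEYWORDS for w in words) or any(c in SPECIAL_CHARS for c in value)


def grammar_detect(value: str) -> bool:
    """Grammar mode (simplified): a keyword is flagged only in command position."""
    return any(m.group(1).lower() in KEYWORDS
               for m in _COMMAND_POSITION.finditer(value))


def inspect(value: str, grammar: bool, injection_type: str, action: str) -> str:
    """Models the order on the page: grammar check first; a grammar hit returns the
    configured action without running pattern matching. injection_type "None"
    means the pattern-match check is disabled (grammar-only configuration)."""
    if grammar and grammar_detect(value):
        return action
    if injection_type != "None" and pattern_match_detect(value):
        return action
    return "allow"


if __name__ == "__main__":
    benign = "Rush towards the exit!"           # constructed benign input
    suspicious = "alice; ls"                    # constructed input with a command after ';'
    print(inspect(benign, True, "None", "block"))                  # allow
    print(inspect(benign, True, "CMDSplCharORKeyword", "block"))   # block (pattern match)
    print(inspect(suspicious, True, "None", "block"))              # block (grammar)
```

With both modes enabled, the benign sentence is still blocked by the pattern-match stage after the grammar stage passes it, which is why the grammar-only configuration (CMDInjectionType None) is the one that removes this class of false positive.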

At the command prompt, type:

add appfw profile <profile-name> -CMDInjectionAction <action-name> -CMDInjectionGrammar ON -CMDInjectionType <any type other than None: CMDSplCharANDKeyword | CMDSplCharORKeyword | CMDSplChar | CMDKeyword>

Example:

add appfw profile p1 -CMDInjectionAction block -CMDInjectionGrammar ON -CMDInjectionType CMDSplChar

Configure command injection check only with grammar-based protection using the CLI

At the command prompt, type:

add appfw profile <profile-name> -CMDInjectionAction <action-name> -CMDInjectionGrammar ON -CMDInjectionType None

Example:

add appfw profile p1 -CMDInjectionAction block -CMDInjectionGrammar ON -CMDInjectionType None

Bind relaxation rules for command injection grammar-based protection using the CLI

If your application requires you to bypass the command injection check for a specific “ELEMENT” or “ATTRIBUTE” in the HTML payload, you must configure a relaxation rule.

Note:

Relaxation rules with the valueType set to “Keyword” are evaluated only when the appliance performs detection using command injection grammar.

The command injection inspection relaxation rules have the following syntax. At the command prompt, type:

bind appfw profile <name> -CMDInjection <String> [-isRegex ( REGEX | NOTREGEX )] <formActionURL> [-location <location>] [-valueType ( Keyword | SpecialString | Wildchar ) [<valueExpression>] [-isValueRegex ( REGEX | NOTREGEX )]]

Example:

bind appfw profile p1 -cmdinjection abc http://10.10.10.10/

bind appfw profile p1 -cmdinjection 'abc[0-9]+' http://10.10.10.10/ -isregex regEX

bind appfw profile p1 -cmdinjection 'name' http://10.10.10.10/ -valueType Keyword 'exi[a-z]+' -isvalueRegex regEX

Configure command injection grammar-based protection using the GUI

Complete the following steps to configure grammar-based HTML command injection detection.

  1. Navigate to Security > Citrix Web App Firewall > Profiles.

  2. Select a profile and click Edit.

  3. Go to the Advanced Settings section and click Security Checks.

  4. Select the HTML Command Injection check box and click Action Settings.

    Enable command injection

  5. Select the Check using CMD Grammar check box.

  6. Select None from Check Request Containing.

    Command injection action settings

  7. Click OK.