Citrix ADC

Relaxation and deny rules for handling HTML SQL injection attacks

When traffic arrives, the violation detection logic checks it for violations. If no HTML SQL injection attack is detected, the traffic is allowed to pass. If a violation is detected, the relaxation (allow) and deny rules define how it is handled. If the security check is configured in allow mode (the default mode), the detected violation is blocked unless the user has explicitly configured a relaxation (allow) rule.

In addition to allow mode, the security check can be configured in deny mode, which uses deny rules to handle violations. In this mode, a detected violation is blocked if the user has explicitly configured a deny rule. If no deny rules are configured, the user-configured action is applied.

The following illustration explains how the allow and deny modes of operation work:

  1. When a violation is detected, the relaxation (allow) and deny rules define how to handle the violations.
  2. If the security check is configured in deny mode (if configured in allow mode, jump to step 5), the violation is blocked unless you have explicitly configured a deny rule.
  3. If the violation matches a deny rule, the appliance blocks the traffic.
  4. If the traffic violation does not match a rule, the appliance applies a user-defined action (block, reset, or drop).
  5. If the security check is configured in allow mode, the Web App Firewall module checks whether any allow rules are configured.
  6. If the violation matches an allow rule, the appliance allows the traffic to bypass; otherwise, it is blocked.
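
The decision flow in steps 1 to 6, modelled as an added example (not Citrix code and not part of the original page). The names `Rule`, `Violation` and `decide` are hypothetical; exact-string matching on field name and form action URL, and consulting only rules whose type equals the profile's mode, are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    field: str      # form field name, e.g. "field_f1"
    url: str        # form action URL, e.g. "/login.php"
    rule_type: str  # "ALLOW" (relaxation) or "DENY"

@dataclass(frozen=True)
class Violation:
    field: str      # field in which the SQL injection check fired
    url: str        # form action URL of the request

def matches(rule: Rule, v: Violation) -> bool:
    # Assumption: exact match on both values.
    return rule.field == v.field and rule.url == v.url

def decide(mode: str, rules: list, v: Violation, action: str = "block") -> str:
    """Outcome for a request that has already triggered the check (step 1)."""
    if mode not in ("ALLOW", "DENY"):
        raise ValueError(f"unknown rule type mode: {mode!r}")
    # Assumption: only rules of the profile's own mode are consulted.
    hit = any(r.rule_type == mode and matches(r, v) for r in rules)
    if mode == "DENY":
        # Steps 3-4: a deny-rule match blocks; otherwise the
        # user-defined action (block, reset, or drop) applies.
        return "block" if hit else action
    # Steps 5-6: an allow-rule match bypasses; otherwise blocked.
    return "allow" if hit else "block"

# Constructed sample data, mirroring the field and URL used on this page.
ALLOW_RULES = [Rule("field_f1", "/login.php", "ALLOW")]
DENY_RULES = [Rule("field_f1", "/login.php", "DENY")]
V_F1 = Violation("field_f1", "/login.php")
V_F2 = Violation("field_f2", "/login.php")

def demo() -> list:
    """Same two violations evaluated under each mode."""
    return [
        ("ALLOW", V_F1.field, decide("ALLOW", ALLOW_RULES, V_F1)),
        ("ALLOW", V_F2.field, decide("ALLOW", ALLOW_RULES, V_F2)),
        ("DENY", V_F1.field, decide("DENY", DENY_RULES, V_F1, "drop")),
        ("DENY", V_F2.field, decide("DENY", DENY_RULES, V_F2, "drop")),
    ]

if __name__ == "__main__":
    for mode, field, outcome in demo():
        print(f"{mode:5} {field:9} -> {outcome}")
```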

Configure security check in relaxation and enforcement mode

At the command prompt, type:

set appfw profile <name> -SQLInjectionAction [block stats learn] -SQLInjectionRuleType [ALLOW | DENY]

Example:

set appfw profile prof1 -sqlInjectionAction block -sqlInjectionRuleType ALLOW

Bind relaxation and enforcement rules to Web Application Firewall profile

At the command prompt, type:

bind appfw profile <name> -SQLInjection <string> <formActionURL>

Example:

bind appfw profile p1 -SQLInjection field_f1 "/login.php" -RuleType ALLOW

bind appfw profile p2 -SQLInjection field_f1 "/login.php" -RuleType ALLOW
