XML external entities (XXE) Attack Protection
The XML external entities (XXE) attack protection examines whether an incoming payload contains XML that references entities outside the trusted domain in which the web application resides. An XXE attack succeeds when a weakly configured XML parser processes an XML payload whose input contains references to external entities.
In a Citrix ADC appliance, if the XML parser is improperly configured, the impact of exploiting the vulnerability can be severe. It allows an attacker to read sensitive data on the web server, perform a denial-of-service attack, and so forth. Therefore, it is important to protect the appliance from XXE attacks. Web Application Firewall is able to protect the appliance from XXE attacks as long as the content-type is identified as XML. To prevent a malicious user from bypassing this protection mechanism, WAF blocks an incoming request if the “inferred” content-type in the HTTP headers does not match the content-type of the body. This mechanism prevents an XXE attack protection bypass when a whitelisted default or non-default content-type is used.
Some of the potential XXE threats that affect a Citrix ADC appliance are:
- Confidential data leaks
- Denial-of-service (DOS) attacks
- Server-side request forgery (SSRF)
- Port scanning
How XML external entities (XXE) protection works
- When there is an incoming request, WAF examines the first 512 bytes of the XML payload for a mismatch between the Content-Type header and the content type of the payload.
- If the content types match, XML XXE protection is enabled and applied to the HTTP request.
- If the Content-Type header does not match the content type of the body, the request is blocked, dropped, or logged according to the configured action.
- You can enable logging to generate log messages. You can monitor the logs to determine whether responses to legitimate requests are getting blocked. A large increase in the number of log messages can indicate attempts to launch an attack.
- You can also enable the statistics feature to gather statistical data about violations and logs. An unexpected surge in the stats counter might indicate that your application is under attack.
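As an added illustration (not Citrix code), the following Python models the inference check described in the steps above: it sniffs only the first 512 bytes of the body, compares the result with the declared Content-Type header, and maps a mismatch to the configured block, log, and stats actions. The XML sniffing heuristic, treating a disagreement in either direction as a mismatch, and the sample request are assumptions made for this example.

```python
"""Hypothetical model of a WAF Content-Type inference check (added example)."""
from __future__ import annotations
import re

INSPECT_BYTES = 512                        # the WAF looks at only the first 512 bytes
XML_TYPES = {"application/xml", "text/xml"}
VALID_ACTIONS = {"block", "log", "stats", "none"}

# Assumed sniff heuristic: optional whitespace, optional XML declaration, then a tag,
# a DOCTYPE/comment ('<!') or a processing instruction ('<?').
_XML_START = re.compile(rb"^\s*(<\?xml[\s\S]*?\?>\s*)?<[A-Za-z_!?]")


def infer_body_is_xml(body: bytes) -> bool:
    """Decide whether the payload looks like XML, using only its first 512 bytes."""
    return bool(_XML_START.match(body[:INSPECT_BYTES]))


def header_is_xml(content_type: str) -> bool:
    """Check the declared media type; parameters such as charset are ignored."""
    media = content_type.split(";", 1)[0].strip().lower()
    return media in XML_TYPES or media.endswith("+xml")


def infer_content_type_check(content_type: str, body: bytes, actions: set[str]) -> dict:
    """Return the decision for one request.

    'mismatch' is True when the header and the sniffed body disagree; the other
    flags mirror the configured -inferContentTypeXmlPayloadAction values.
    """
    unknown = actions - VALID_ACTIONS
    if unknown:
        raise ValueError(f"unknown action(s): {sorted(unknown)}")
    if "none" in actions and len(actions) > 1:
        raise ValueError("none cannot be combined with any other action")
    mismatch = header_is_xml(content_type) != infer_body_is_xml(body)
    return {
        "mismatch": mismatch,
        "blocked": mismatch and "block" in actions,
        "logged": mismatch and "log" in actions,
        "counted": mismatch and "stats" in actions,
    }


if __name__ == "__main__":
    # Constructed sample: a form-encoded header carrying an XML body, the shape that
    # would otherwise slip past an XML-only check.
    print(infer_content_type_check(
        "application/x-www-form-urlencoded",
        b'<?xml version="1.0"?><order><id>1</id></order>',
        {"block", "log"}))
```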
Configure XML external entities (XXE) injection protection
To configure the XML external entities (XXE) check by using the command line interface, add or modify an application firewall profile with the XXE settings. You can enable the block, log, and stats actions.
At the command prompt, type:
set appfw profile <name> [-inferContentTypeXmlPayloadAction <block | log | stats | none> ...]
Note:
By default, the XXE action is set as “none.”
Example:
set appfw profile profile1 -inferContentTypeXmlPayloadAction Block
where the action types are:
Block: The request is blocked; no URL in the request is exempted.
Log: If a mismatch between the content-type in the HTTP request header and the payload occurs, information about the violating request is recorded in the log message.
Stats: If a mismatch in the content-types is detected, the corresponding statistics for this violation type are incremented.
None: No action is taken if a mismatch in the content-types is detected. None cannot be combined with any other action type. The default action is None.
Configure XXE injection check by using Citrix ADC GUI
Complete the following steps to configure the XXE injection check.
- Navigate to Security > Citrix Web App Firewall > Profiles.
- On the Profiles page, select a profile and click Edit.
- On the Citrix Web App Firewall Profile page, go to the Advanced Settings section and click Security Checks.
- In the Security Checks section, select Infer Content Type XML Payload and click Action settings.
- In the Infer Content Type XML Payload Settings page, set the following parameter:
  - Actions. Select one or more actions to perform for the XXE injection security check.
- Click OK.
Viewing XXE injection traffic and violation statistics
The Citrix Web App Firewall Statistics page shows security traffic and security violation details in a tabular or graphical format.
To view security statistics by using the command interface, at the command prompt, type:
stat appfw profile profile1
Viewing XXE injection statistics by using the Citrix ADC GUI
Complete the following steps to view the XXE injection statistics:
- Navigate to Security > Citrix Web App Firewall > Profiles.
- In the details pane, select a Web App Firewall profile and click Statistics.
- The Citrix Web App Firewall Statistics page displays the XXE injection traffic and violation details.
- You can select Tabular View or switch to Graphical View to display the data in a tabular or graphical format.