Web App Firewall

XML external entities (XXE) Attack Protection

The XML external entities (XXE) attack protection examines whether an incoming payload contains unauthorized XML input that references entities outside the trusted domain in which the web application resides. An XXE attack succeeds when a weakly configured XML parser processes an XML payload whose input contains references to external entities.

If the XML parser of a web application served by a Citrix ADC appliance is improperly configured, the impact of exploiting the vulnerability can be severe: an attacker can read sensitive data on the web server, perform a denial-of-service attack, and so forth. Therefore, it is important to protect the application from XXE attacks. Web Application Firewall can apply XXE protection as long as the content type of the request is identified as XML. To prevent a malicious user from bypassing this protection by mislabeling an XML body, WAF blocks an incoming request if the content type declared in the HTTP headers does not match the content type inferred from the body. This mechanism prevents an XXE protection bypass in which a whitelisted default or non-default content type is declared for an XML payload.

Some of the potential XXE threats that affect applications behind a Citrix ADC appliance are:

  • Confidential data leaks
  • Denial-of-service (DoS) attacks
  • Server-side request forgery (SSRF)
  • Port scanning

How XML external entities (XXE) protection works

  1. When a request arrives, WAF examines the first 512 bytes of the payload to infer its content type and compares the result with the Content-Type header.
  2. If the content types match and the content type is XML, the XML security checks, including XXE protection, are applied to the HTTP request.
  3. If the Content-Type header does not match the content type of the body, the request is blocked, logged, or counted in the statistics, according to the configured action.
  4. You can enable logging to generate log messages. Monitor the logs to determine whether legitimate requests are being blocked. A large increase in the number of log messages can indicate attempts to launch an attack.
  5. You can also enable the statistics feature to gather statistical data about violations and logs. An unexpected surge in the stats counter might indicate that your application is under attack.

Configure XML external entities (XXE) injection protection

To configure the XML external entities (XXE) check by using the command interface: in the command line interface, use the set appfw profile command to configure the XXE settings on a new or existing profile. You can enable the block, log, and stats actions, alone or in combination.

At the command prompt, type:

set appfw profile <name> [-inferContentTypeXmlPayloadAction <block | log | stats | none>]

Note:

By default, the XXE action is set as “none.”

Example:

set appfw profile profile1 -inferContentTypeXmlPayloadAction Block

The action types are:

Block: The request is blocked. No relaxation (exception) applies to any URL in the request.

Log: If the Content-Type header of an HTTP request does not match the content type of the payload, a log message is generated that contains information about the violating request.

Stats: If a content-type mismatch is detected, the statistics counter for this violation type is incremented.

None: No action is taken when a content-type mismatch is detected. None cannot be combined with any other action type. The default action is None.
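The following is an added example, not Citrix code, that simulates the check described in "How XML external entities (XXE) protection works" together with the action types above: it sniffs the first 512 bytes of a request body, compares the result with the declared Content-Type header and applies the configured block, log, stats or none actions. The function and class names (infer_body_type, AppfwProfile, validate_actions), the sniffing heuristic, the set of declared types treated as XML and the log message text are assumptions; the sample requests and the XXE payload are constructed for the example.

```python
# Added example, not Citrix code: a simulation of the "Infer Content Type XML
# Payload" check. Names, heuristic and log format are assumptions; the sample
# requests and the XXE payload are constructed for the example.
import re
from dataclasses import dataclass, field

SNIFF_BYTES = 512                                # WAF examines the first 512 bytes
XML_TYPES = {"application/xml", "text/xml"}      # assumption: declared types treated as XML


def infer_body_type(body: bytes) -> str:
    """Return "xml" if the start of the body looks like an XML document, else "other".

    Heuristic (assumption): skip a UTF-8 BOM and whitespace, then expect an XML
    declaration, a DOCTYPE (where XXE entities are declared), a comment or a tag.
    """
    head = body[:SNIFF_BYTES].lstrip(b"\xef\xbb\xbf \t\r\n")
    return "xml" if re.match(rb"<\?xml\b|<!DOCTYPE\b|<!--|<[A-Za-z_:]", head) else "other"


def declared_type(headers: dict) -> str:
    """Media type from the Content-Type header, lower-cased, parameters dropped."""
    value = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return value.split(";", 1)[0].strip().lower()


def is_xml_type(media_type: str) -> bool:
    return media_type in XML_TYPES or media_type.endswith("+xml")


def validate_actions(actions):
    """Return an error message for an invalid action set, or None if it is valid."""
    actions = set(actions)
    unknown = actions - {"block", "log", "stats", "none"}
    if unknown:
        return f"unknown action(s): {sorted(unknown)}"
    if "none" in actions and len(actions) > 1:
        return "none cannot be combined with any other action"
    return None


@dataclass
class AppfwProfile:
    """One appfw profile with its inferContentTypeXmlPayloadAction setting."""
    name: str
    infer_actions: frozenset = frozenset({"none"})   # the documented default is none
    log: list = field(default_factory=list)
    stats: dict = field(default_factory=lambda: {"xml_content_type_mismatch": 0})

    def __post_init__(self):
        error = validate_actions(self.infer_actions)
        if error:
            raise ValueError(error)

    def inspect(self, headers: dict, body: bytes) -> str:
        """Apply the check to one request; return "block" or "forward"."""
        declared = declared_type(headers)
        inferred = infer_body_type(body)
        # Mismatch: the body sniffs as XML but the header says otherwise (the XXE
        # bypass case), or the header claims XML for a body that is not XML.
        mismatch = (inferred == "xml") != is_xml_type(declared)
        if not mismatch:
            # Types agree. A genuine XML request now goes on to the XML security
            # checks (XXE protection included); other requests are not this check's concern.
            return "forward"
        if "stats" in self.infer_actions:
            self.stats["xml_content_type_mismatch"] += 1
        if "log" in self.infer_actions:
            # Hypothetical message format, not the appliance's real log line.
            self.log.append(
                f"APPFW_INFER_CONTENT_TYPE_XML_PAYLOAD profile={self.name} "
                f"declared={declared or '-'} inferred={inferred}")
        return "block" if "block" in self.infer_actions else "forward"


# Constructed XXE payload: an external entity that would read /etc/passwd on a
# server whose parser resolves external entities.
XXE_PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    b"<order><id>&xxe;</id></order>\n"
)


def demo():
    """Run three constructed requests through a profile set to block, log and stats."""
    profile = AppfwProfile("profile1", frozenset({"block", "log", "stats"}))
    results = {
        # Honest XML request: types agree, so it is forwarded to the XML checks.
        "honest_xml": profile.inspect({"Content-Type": "application/xml"}, XXE_PAYLOAD),
        # Bypass attempt: the same XXE body labelled text/plain to dodge the XML checks.
        "bypass_attempt": profile.inspect({"Content-Type": "text/plain"}, XXE_PAYLOAD),
        # Ordinary form post: neither XML nor declared as XML, so no mismatch.
        "form_post": profile.inspect(
            {"Content-Type": "application/x-www-form-urlencoded"}, b"id=42&qty=1"),
    }
    return profile, results


if __name__ == "__main__":
    prof, res = demo()
    for name, verdict in res.items():
        print(f"{name}: {verdict}")
    print("violations:", prof.stats)
    print(*prof.log, sep="\n")
```

The bypass attempt is the case the check exists for: the attacker keeps the XXE body but declares a non-XML content type so that the XML checks never run. With only log configured the same request is forwarded but recorded, which is the audit mode to use when first enabling the check, so that any legitimate clients that mislabel their XML can be found before switching to block.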

Configure the XXE injection check by using the Citrix ADC GUI

Complete the following steps to configure the XXE injection check.

  1. Navigate to Security > Citrix Web App Firewall > Profiles.
  2. On the Profiles page, select a profile and click Edit.
  3. On the Citrix Web App Firewall Profile page, go to the Advanced Settings section and click Security Checks.

    XML external entity check section

  4. In the Security Checks section, select Infer Content Type XML Payload and click Action settings.
  5. In the Infer Content Type XML Payload Settings page, set the following parameters:

    1. Actions. Select one or more actions to perform for XXE injection security check.
  6. Click OK.

    Configuring XML external entity check settings

Viewing XXE injection traffic and violation statistics

The Citrix Web App Firewall Statistics page shows security traffic and security violation details in a tabular or graphical format.

To view security statistics by using the command interface:

At the command prompt, type:

stat appfw profile profile1

Viewing XXE injection statistics by using the Citrix ADC GUI

Complete the following steps to view the XXE injection statistics:

  1. Navigate to Security > Citrix Web App Firewall > Profiles.
  2. In the details pane, select a Web App Firewall profile and click Statistics.
  3. The Citrix Web App Firewall Statistics page displays the XXE injection traffic and violation details.
  4. You can select Tabular View or switch to Graphical View to display the data in a tabular or graphical format.

XML external entity check violation statistics
