Credit Card Check
If you have an application that accepts credit cards, or your websites have access to database servers that store credit card numbers, you must use Data Leak Prevention (DLP) measures and configure protection for each type of credit card that you accept.
The NetScaler application firewall Credit Card check prevents attackers from exploiting Data Leak Prevention flaws to obtain the credit card numbers of your customers. By following simple configuration steps, you can enforce protection for one or more of the following credit cards: 1) Visa, 2) Mastercard, 3) Discover, 4) American Express (Amex), 5) JCB, and 6) Diners Club.
The Credit Card security check examines server responses to identify instances of the target credit card numbers, and applies a specified action when such a number is found. The action can be to transform the response by X’ing out all but the last group of digits in the credit card number, or to block the response if it contains more than a specified number of credit card numbers. If you specify both, the block action takes precedence. The Maximum credit cards allowed per page setting determines when the block action is invoked. The default setting, 0 (no credit card numbers allowed on the page), is the safest, but you can allow up to 255. Because the block action is triggered at the point in the response where the violation is detected, a blocked response might contain fewer than the maximum allowed number of credit card numbers.
To avoid false positives, you can apply relaxations to exempt specific numbers from the Credit Card check. For example, a social security number, purchase order number, or Google account number might be similar to a credit card number. You can specify individual numbers or use a regular expression to indicate the string of digits to be bypassed when processing the response URL for credit card inspection.
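The following is an added example, not NetScaler code, that models the response inspection described above: candidate digit runs are classified by brand, filtered with the Luhn checksum, exempted by exact-number or regular-expression relaxations, and then either X'd out or blocked once the count exceeds the maximum allowed per page. The brand prefix rules, the four-digit size of the "last group", and the wording of the log events are assumptions made for the model; the sample response body is constructed from published test card numbers. Because it returns one entry per log message it would emit, it also shows why blocking a page with 20 numbers produces a single event while transforming it produces 20.

```python
import re
from dataclasses import dataclass, field

# Simplified prefix/length rules per brand (an assumption; the appliance's exact
# matching rules are not described on this page).
BRAND_PATTERNS = {
    "Visa": re.compile(r"4\d{12}(?:\d{3})?"),
    "MasterCard": re.compile(r"5[1-5]\d{14}"),
    "Amex": re.compile(r"3[47]\d{13}"),
    "Discover": re.compile(r"6(?:011|5\d{2})\d{12}"),
    "JCB": re.compile(r"35\d{14}"),
    "DinersClub": re.compile(r"3(?:0[0-5]|[68]\d)\d{11}"),
}
# Any run of 13 to 16 digits that is not part of a longer digit run is a candidate.
CANDIDATE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most number-like strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    for brand, pattern in BRAND_PATTERNS.items():
        if pattern.fullmatch(digits):
            return brand
    return None


@dataclass
class Profile:
    """Subset of the profile settings the check uses (attribute names are ours, not the CLI's)."""
    credit_cards: set                                # brands the application accepts
    block: bool = False                              # block action
    xout: bool = False                               # transform (X-out) action
    max_allowed: int = 0                             # Maximum credit cards allowed per page
    relaxations: list = field(default_factory=list)  # exact numbers or regexes to exempt
    secure_logging: bool = True                      # doSecureCreditCardLogging


@dataclass
class Result:
    action: str       # "allowed", "transformed" or "blocked"
    body: str         # body as it would reach the client ("" when blocked)
    log_events: list  # one entry per log message the check would emit


def is_relaxed(digits: str, relaxations) -> bool:
    # A literal number is itself a regex matching only that number, so one fullmatch
    # covers both "individual number" and "regular expression" relaxations.
    return any(re.fullmatch(r, digits) for r in relaxations)


def xout(digits: str) -> str:
    """Mask all but the last group of four digits (group size assumed)."""
    return "X" * (len(digits) - 4) + digits[-4:]


def inspect_response(body: str, profile: Profile, url: str) -> Result:
    events, pieces, last, seen = [], [], 0, 0
    for m in CANDIDATE.finditer(body):
        digits = m.group()
        brand = brand_of(digits)
        if brand is None or brand not in profile.credit_cards or not luhn_ok(digits):
            continue
        if is_relaxed(digits, profile.relaxations):
            continue  # exempted: left untouched and not counted
        seen += 1
        shown = "<redacted>" if profile.secure_logging else f"{digits} of type {brand}"
        # Block takes precedence over transform and fires as soon as the count exceeds
        # the maximum, so numbers later in the page are never examined.
        if profile.block and seen > profile.max_allowed:
            events.append(f"APPFW_SAFECOMMERCE {url} Credit Card number {shown} is seen in response <blocked>")
            return Result("blocked", "", events)
        if profile.xout:
            pieces.append(body[last:m.start()])
            pieces.append(xout(digits))
            last = m.end()
            events.append(f"APPFW_SAFECOMMERCE_XFORM {url} Transformed (xout) {shown}")
    pieces.append(body[last:])
    # Log-only profile: one "not blocked" message once the limit is exceeded (assumed).
    if seen > profile.max_allowed and not profile.block and not profile.xout:
        events.append(f"APPFW_SAFECOMMERCE {url} Maximum number of potential credit card numbers seen <not blocked>")
    action = "transformed" if profile.xout and seen else "allowed"
    return Result(action, "".join(pieces), events)


# Constructed sample body: published test card numbers and one non-card 16-digit number.
SAMPLE_BODY = ("Purchase order 4222222222222, Google account 1234567890123456, "
               "card 4111111111111111, card 378282246310005")

if __name__ == "__main__":
    relaxed = Profile({"Visa", "Amex"}, xout=True, relaxations=[r"4222\d{9}"])
    print(inspect_response(SAMPLE_BODY, relaxed, "http://www.example.com/credit_card_test.html"))
```

The purchase order number in the sample is Luhn-valid and Visa-shaped, which is exactly the false positive the relaxation mechanism exists for; without the `4222\d{9}` relaxation the strict profile blocks the page on that number alone.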
If you’re not sure which credit card numbers to exempt, you can use the learn feature to generate recommendations based on the learned data. To get optimal benefit without compromising performance, you might want to enable this option for a short time to get a representative sample of the rules, and then deploy the relaxations and disable learning.
If you enable the log feature, the Credit Card check generates log messages indicating the actions that it takes. You can monitor the logs to determine whether responses to legitimate requests are getting blocked. A large increase in the number of log messages can indicate thwarted attempts to gain access. By default, the doSecureCreditCardLogging parameter is ON, so the credit card number is not included in the log message generated by the safe commerce (Credit Card) violation.
The stats feature gathers statistics about violations and logs. An unexpected surge in the stats counter might indicate that your application is under attack.
To configure the Credit Card security check for protecting your application, configure the profile that governs inspecting the traffic to and from this application.
Note: A website that does not access a SQL database usually does not have access to sensitive private information such as credit card numbers.
In the command line interface, you can use either the set appfw profile command or the add appfw profile command to activate credit-card checking and specify which actions to perform. You can use the unset appfw profile command to revert to the default settings. To specify relaxations, use the bind appfw profile command to bind credit card numbers to the profile.
To configure a Credit Card check by using the command line
bind appfw profile <profile-name> -creditCardNumber <any number/regex> "<url>"
Example: bind appfw profile test_profile -creditCardNumber 378282246310005 "http://www.example.com/credit_card_test.html"
In the configuration utility, you configure the Credit Card security check in the pane for the profile associated with your application.
The security check table displays the currently configured action settings for all the security checks. You have two options for configuration:
After making any of the above changes, click OK to save the changes and return to the Security Checks table. You can proceed to configure other security checks if needed. Click OK to save all the changes you have made in the Security Checks section and then click Save and Close to close the Security Check pane.
Click OK to save the changes.
When the learn action is enabled, the application firewall learning engine monitors the traffic and learns the triggered violations. You can periodically inspect these learned rules. After due consideration, if you want to exempt a specific string of digits from the Credit Card security check, you can deploy the learned rule as a relaxation rule.
rm appfw learningdata <profilename> -creditCardNumber <credit card number> "<url>"
export appfw learningdata <profilename> creditCardNumber
When the log action is enabled, the Credit Card security check violations are logged in the audit log as APPFW_SAFECOMMERCE or APPFW_SAFECOMMERCE_XFORM violations. The application firewall supports both Native and CEF log formats. You can also send the logs to a remote syslog server.
The default setting for doSecureCreditCardLogging is ON. If you change it to OFF, both credit card number and type are included in the log message.
The HTML based Syslog Viewer provides various filter options for selecting only the log messages that are of interest to you. To access Credit Card security check violation log messages, filter by selecting APPFW in the dropdown options for Module. The Event Type displays a rich set of options to further refine your selection. For example, if you select the APPFW_SAFECOMMERCE and APPFW_SAFECOMMERCE_XFORM check boxes and click the Apply button, only log messages pertaining to the Credit Card security check violations appear in the Syslog Viewer.
If you place the cursor in the row for a specific log message, multiple options, such as Module and EventType, appear below the log message. You can select any of these options to highlight the corresponding information in the logs.
Example of a Native format log message when the response is not blocked
May 29 01:26:31 <local0.info> 10.217.31.98 05/29/2015:01:26:31 GMT ns 0-PPE-0 : default APPFW APPFW_SAFECOMMERCE 2181 0 : 10.217.253.62 1098-PPE0 4erNfkaHy0IeGP+nv2S9Rsdu77I0000 pr_ffc http://aaron.stratum8.net/FFC/CreditCardMind.html Maximum number of potential credit card numbers seen <not blocked>
Example of a CEF format log message when the response is transformed
May 28 23:42:48 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SAFECOMMERCE_XFORM|6|src=10.217.253.62 spt=25314 method=GET request=http://aaron.stratum8.net/FFC/CreditCardMind.html msg=Transformed (xout) potential credit card numbers seen in server response cn1=66 cn2=1095 cs1=pr_ffc cs2=PPE2 cs3=xzE7M0g9bovAtG/zLCrLd2zkVl80002 cs4=ALERT cs5=2015 act=transformed
Example of a CEF format log message when the response is blocked. The credit card number and type can be seen in the log, because the doSecureCreditCardLogging parameter is disabled.
May 28 23:42:48 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SAFECOMMERCE|6|src=10.217.253.62 spt=25314 method=GET request=http://aaron.stratum8.net/FFC/CreditCardMind.html msg=Credit Card number 4505050504030302 of type Visa is seen in response cn1=68 cn2=1095 cs1=pr_ffc cs2=PPE2 cs3=xzE7M0g9bovAtG/zLCrLd2zkVl80002 cs4=ALERT cs5=2015 act=blocked
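As an added example (not NetScaler code), the parser below normalises the three log lines shown above, in both the Native and the CEF format, into one record per line and summarises them by action. It also flags any Credit Card check message that carries a full 13 to 16 digit number, which is the visible symptom of doSecureCreditCardLogging being OFF on that profile. The field labels read out of the Native line (ppe, session) are our interpretation of the sample, not NetScaler's documented names; the three sample lines are copied from this page.

```python
import re

# The page's own Native and CEF examples, embedded so the parser runs offline.
NATIVE_LINE = (
    "May 29 01:26:31 <local0.info> 10.217.31.98 05/29/2015:01:26:31 GMT ns 0-PPE-0 : "
    "default APPFW APPFW_SAFECOMMERCE 2181 0 : 10.217.253.62 1098-PPE0 "
    "4erNfkaHy0IeGP+nv2S9Rsdu77I0000 pr_ffc http://aaron.stratum8.net/FFC/CreditCardMind.html "
    "Maximum number of potential credit card numbers seen <not blocked>"
)
CEF_XFORM_LINE = (
    "May 28 23:42:48 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|"
    "APPFW_SAFECOMMERCE_XFORM|6|src=10.217.253.62 spt=25314 method=GET "
    "request=http://aaron.stratum8.net/FFC/CreditCardMind.html msg=Transformed (xout) potential "
    "credit card numbers seen in server response cn1=66 cn2=1095 cs1=pr_ffc cs2=PPE2 "
    "cs3=xzE7M0g9bovAtG/zLCrLd2zkVl80002 cs4=ALERT cs5=2015 act=transformed"
)
CEF_BLOCK_LINE = (
    "May 28 23:42:48 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|"
    "APPFW_SAFECOMMERCE|6|src=10.217.253.62 spt=25314 method=GET "
    "request=http://aaron.stratum8.net/FFC/CreditCardMind.html msg=Credit Card number "
    "4505050504030302 of type Visa is seen in response cn1=68 cn2=1095 cs1=pr_ffc cs2=PPE2 "
    "cs3=xzE7M0g9bovAtG/zLCrLd2zkVl80002 cs4=ALERT cs5=2015 act=blocked"
)

SAFECOMMERCE_EVENTS = {"APPFW_SAFECOMMERCE", "APPFW_SAFECOMMERCE_XFORM"}
PAN_IN_TEXT = re.compile(r"(?<!\d)\d{13,16}(?!\d)")

# Native layout after "APPFW <event> <n> <n> :" as seen in the sample; the labels ppe and
# session are our reading of that sample (an assumption).
NATIVE_RE = re.compile(
    r"APPFW (?P<event>APPFW_\w+) \d+ \d+ : (?P<src>\S+) (?P<ppe>\S+) (?P<session>\S+) "
    r"(?P<profile>\S+) (?P<request>\S+) (?P<msg>.*)$"
)
# CEF extension values such as msg contain spaces, so a value runs until the next "key=".
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef_extension(ext: str) -> dict:
    return {k: v.strip() for k, v in CEF_EXT_RE.findall(ext)}


def parse_appfw_line(line: str):
    """Return a normalised record for one NetScaler APPFW log line, or None if not parseable."""
    if "CEF:" in line:
        # Header: version|vendor|product|product version|module|event|severity|extension
        _, _, _, _, module, event, severity, ext = line.split("CEF:", 1)[1].split("|", 7)
        f = parse_cef_extension(ext)
        rec = {"format": "CEF", "module": module, "event": event, "severity": int(severity),
               "src": f.get("src"), "request": f.get("request"), "profile": f.get("cs1"),
               "msg": f.get("msg", ""), "act": f.get("act")}
    else:
        m = NATIVE_RE.search(line)
        if not m:
            return None
        msg = m.group("msg")
        # Action is inferred from the message text and event name (assumed from the sample).
        act = ("not blocked" if "<not blocked>" in msg
               else "transformed" if m.group("event").endswith("_XFORM") else "blocked")
        rec = {"format": "Native", "module": "APPFW", "event": m.group("event"), "severity": None,
               "src": m.group("src"), "request": m.group("request"),
               "profile": m.group("profile"), "msg": msg, "act": act}
    rec["is_safecommerce"] = rec["event"] in SAFECOMMERCE_EVENTS
    # A full card number in the message means doSecureCreditCardLogging is OFF for that
    # profile: the audit log itself is now holding cardholder data.
    rec["pan_exposed"] = bool(PAN_IN_TEXT.search(rec["msg"]))
    return rec


def summarize(lines) -> dict:
    """Counts per action, profiles involved, and how many messages carry an unmasked number."""
    summary = {"by_action": {}, "pan_exposed": 0, "profiles": set()}
    for line in lines:
        rec = parse_appfw_line(line)
        if rec is None or not rec["is_safecommerce"]:
            continue
        summary["by_action"][rec["act"]] = summary["by_action"].get(rec["act"], 0) + 1
        summary["pan_exposed"] += int(rec["pan_exposed"])
        summary["profiles"].add(rec["profile"])
    return summary


if __name__ == "__main__":
    for name, value in summarize([NATIVE_LINE, CEF_XFORM_LINE, CEF_BLOCK_LINE]).items():
        print(name, value)
```

Run over a syslog export, a non-zero pan_exposed count is the quickest way to spot a profile where secure logging was switched off, and the by_action counts give the same block-versus-transform proportions that the stats counters report.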
When the stats action is enabled, the corresponding counter for the Credit Card check is incremented when the application firewall takes any action for this security check. The statistics are collected for Rate and Total count for Traffic, Violations, and Logs. The increment of the log counter can vary depending on the configured settings. For example, if the block action is enabled and the Max Allowed credit card setting is 0, the request for a page that contains 20 credit card numbers increments the stats counter by one when the page is blocked as soon as the first credit card number is detected. However, if block is disabled and transform is enabled, processing the same request increments the statistics counter for logs by 20, because each credit card transformation generates a separate log message.
To display the application firewall statistics, use the following command:
sh appfw stats
To display stats for a specific profile, use the following command:
stat appfw profile <profile name>