Product Documentation

Protecting JSON Applications using Signatures

Aug 31, 2016

JavaScript Object Notation (JSON) is a text-based open standard derived from the JavaScript scripting language. JSON is preferred for human readable representation of simple data structures and associative arrays, called objects. It serves as an alternative to XML and is primarily used to transmit serialized data structures for communicating with web applications. The JSON files are typically saved with a .json extension.

The JSON payload is typically sent with the MIME type specified as application/json. The other “standard” content types for JSON are:

  • application/x-javascript
  • text/javascript
  • text/x-javascript
  • text/x-json

Using the Citrix Application Firewall Signatures to Protect JSON Applications

To allow JSON requests, the appliance is preconfigured with the JSON content type as shown in the following show-command output:

> sh appfw jsonContentType
1)      JSONContenttypevalue:  "^application/json$" IsRegex:  REGEX
Done

The Citrix application firewall processes the post body for the following content-types only:

  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/x-gwt-rpc
The requests that are received with other content-type headers including application/json (or any other allowed content type) are forwarded to the backend after header inspection. The post body in such requests is not inspected for security check violations even when the profile’s security checks such as SQL or XSS are enabled.

In order to protect JSON applications and detect violations, application firewall signatures can be used. All requests that contain the allowed content-type header are processed by the application firewall for signature match. You can add your own customized signature rules to process JSON payload to perform various security check inspections (for example, XSS, SQL, and Field Consistency), to detect violations in the headers as well as the post body, and take specified actions. 

Unlike the other built-in defaults, the preconfigured JSON content type can be edited or removed by using the CLI or the configuration utility (GUI). If legitimate requests for JSON applications are getting blocked and triggering content-type violations, check to make sure that the content type value is configured accurately. For additional details regarding how application firewall processes content-type header, see http://docs.citrix.com/en-us/netscaler/11/security/application-firewall/content-type-protection.html

To add or remove JSON content-type by using the command line interface

At the command prompt, type one of the following commands:

add appfw jsonContentType ^application/json$ IsRegEx REGEX

rm appfw JSONContentType "^application/json$"

To managing JSON content types by using the configuration utility

Navigate to Security > Application Firewall and, in the Settings section, select Manage JSON Content Types.

In the Configure Application Firewall JSON Content Type panel, add, edit, or delete JSON content types to suit the needs of your applications.

Configuring Signature Protection to Detect Attacks in JSON Payload

In addition to a valid JSON content type, you need to configure signatures to specify the pattern(s) that, when detected in a JSON request, indicate a security breach. The specified actions, such as block and log, are taken when an incoming request triggers a match for all the target patterns in the signature rule.

To add a customized signature rule, Citrix recommends that you use the configuration utility. Navigate to System > Security > Application Firewall > Signatures. Double click the target signature object to access the Edit Application Firewall Signatures panel. Click on the Add button to configure the actions, category, log string, rule patterns and so on. Although application firewall inspects all allowed content-type payload for signature match, you can optimize the processing by specifying the JSON expression in the rule. When you Add a new rule pattern, select Expression in the drop-down options for Match and provide the target match expression from your JSON payload to identify the specific requests that need to be inspected. An expression must begin with a TEXT. prefix. You can add other rule patterns to specify additional match patterns to identify the attack.

The following example shows a signature rule. If any cross-site script tag is detected in the POST body of the JSON payload that matches the specified XPATH_JSON expression, a signature match is triggered.

Example of a signature to detect XSS in JSON payload

<SignatureRule actions="log,stats" category="JSON" enabled="ON" id="1000001" severity="" source="" type="" version="1">

  <PatternList>

    <RequestPatterns>

      <Pattern>

        <Location area="HTTP_POST_BODY"/>

        <Match type="Expression">TEXT.XPATH_JSON(xp%/glossary/title%).CONTAINS("example glossary")</Match>

      </Pattern>

      <Pattern>

        <Location area="HTTP_METHOD"/>

        <Match type="LITERAL">POST</Match>

      </Pattern>

      <Pattern>

        <Location area="HTTP_POST_BODY"/>

        <Match type="CrossSiteScripting"/>

       </Pattern>

    </RequestPatterns>

  </PatternList>

  <LogString>Cross-site scripting violation detected in json payload</LogString>

  <Comment/>

</SignatureRule>

Example of the payload

The following payload triggers the signature match, because it includes the cross-site scripting tag <Gotcha!!>.

{"glossary": {"title": "example glossary","GlossDiv": {"title": "S","GlossList": {"GlossEntry": {"ID": "SGML","SortAs": "SGML","GlossTerm": "Standard Generalized Markup Language","Acronym": "SGML","Abbrev": "ISO 8879:1986","GlossDef": {"para": "A meta-markup language, used to create markup languages <Gotcha!!> such as DocBook.","GlossSeeAlso": ["GML", "XML"]},"GlossSee": "markup"}}}}}

Example of the log message

Aug 21 12:21:42 <local0.info> 10.217.31.239 08/21/2015:23:21:42 GMT ns 0-PPE-1 : APPFW APPFW_SIGNATURE_MATCH 1471 0 :  10.217.253.62 990-PPE0 NtJnVMNnvPeQJnaUzXYW/GTvAQsA010 prof1 http://10.217.31.212/FFC/login_post.php Signature violation rule ID 1000001: cross-site scripting violation detected in json payload  <not blocked>

메모

If you send the same payload after removing the cross-site script tag (<Gotcha!!>), the signature rule match is not triggered.   

Highlights:

  • To protect JSON payload, use application firewall signatures to detect XSS, SQL and other violations.
  • Verify that the JSON content type is configured on the appliance as the allowed content type.
  • Make sure that the content type in the payload matches the configured JSON content type.
  • Make sure that all the patterns configured in the signature rule match for the signature violation to be triggered.
  • When you add a signature rule, it MUST have at least one Rule pattern to match the Expression in the JSON payload. All the PI expressions in signature rules must start with the prefix TEXT. and must be Boolean. 
Code 복사