NetScaler Application Firewall 11 blocks file attachment upload and the relaxation rule applied to XSS does not work.

To resolve this issue, navigate to Application Firewall Profile Settings > HTML Settings > enable Exclude Uploaded Files from Security Checks.

Problem Cause

The code has completely changed between 10.1 and 11.0 with addition of streaming feature.

The Citrix Application Firewall now uses request side streaming, which results in a significant performance boost. Instead of buffering the entire request before processing it, the Application Firewall now looks at the incoming data, field by field, to inspect the input of each field for any configured security check violation (SQL, XSS, Field Consistency, Field Formats, and so on). As soon as the processing of the data for a field is completed, it is forwarded to the back-end while the evaluation continues for the remaining fields.

Citrix Documentation - Streaming Support for Request Processing