You want to perform CSRF tag validation for a portal and need to allow the URLs https://example.com/ui/s3/abctest.html?v=11.0.0-20170901.1910.f68b2db and https://example.com/api/v2/org/abctest?limit=500.
You have deployed relaxation rules for CSRF tag validation under the NetScaler AppFirewall profile as follows:
>bind appfw profile APPFW_Profile_portal -CSRFTag "^http://$" "^https://example\\.com/api/v2/org/abctest\\?limit=(\\d{1,4})$"
>bind appfw profile APPFW_Profile_portal -CSRFTag "^http://$" "^https://example\\.com/ui/s3/abctest\\.html\\?v=(\\d{1,2}\\.\\d{1}\\.\\d{1}\\-\\d{8}\\.\\d{4}\\.[0-9a-z]{7})$"
Always deploy NetScaler AppFirewall rules from learned data, and for CSRF validation do not use or manually add a query string in the relaxation rule.
Rules deployed from learned data for the same requests look like this:
>bind appfw profile APPFW_Profile_portal -CSRFTag "^http://$" "^https://example\\.com/api/v2/org/abctest$" -comment "Deployed from learned data"
>bind appfw profile APPFW_Profile_portal -CSRFTag "^http://$" "^https://example\\.com/ui/s3/abctest\\.html$" -comment "Deployed from learned data"
By design, NetScaler considers the action URL without the query for CSRF protection, so the action URL without the query has to be used when deploying relaxations. If you deploy from learned data, you will not see issues with relaxations that contain query parameters, because CSRF tag validation is not supposed to validate the query part.
Adding a query to the relaxation rules manually will cause failure.
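The following offline check is an added example, not NetScaler or Citrix code. It parses the bind commands above, flags any CSRFTag relaxation whose action-URL regex requires a query string, and shows which portal URLs each rule relaxes once the query is dropped as described above. Assumptions: Python's re module stands in for the appliance's regex engine, shlex models the CLI's double-quote unescaping, and all function names are illustrative.

```python
import re
import shlex
from urllib.parse import urlsplit

# The four bind commands and two portal URLs from this article.
BIND = 'bind appfw profile APPFW_Profile_portal -CSRFTag "^http://$" '
MANUAL = [
    BIND + r'"^https://example\\.com/api/v2/org/abctest\\?limit=(\\d{1,4})$"',
    BIND + r'"^https://example\\.com/ui/s3/abctest\\.html\\?v=(\\d{1,2}\\.\\d{1}\\.\\d{1}\\-\\d{8}\\.\\d{4}\\.[0-9a-z]{7})$"',
]
LEARNED = [
    BIND + r'"^https://example\\.com/api/v2/org/abctest$" -comment "Deployed from learned data"',
    BIND + r'"^https://example\\.com/ui/s3/abctest\\.html$" -comment "Deployed from learned data"',
]
URLS = [
    "https://example.com/api/v2/org/abctest?limit=500",
    "https://example.com/ui/s3/abctest.html?v=11.0.0-20170901.1910.f68b2db",
]

def parse_csrf_rule(line):
    """Return (origin regex, action-URL regex) from a '-CSRFTag' bind line."""
    # Assumption: shlex's double-quote rules model the CLI turning \\ into \.
    tokens = shlex.split(line.lstrip("> "))
    i = [t.lower() for t in tokens].index("-csrftag")
    return tokens[i + 1], tokens[i + 2]

def has_query_component(action_regex):
    """True if the regex demands a literal '?', written as \\? or [?]."""
    return re.search(r"\\\?|\[\?\]", action_regex) is not None

def strip_query(url):
    """Action URL as the article says it is compared: without the query."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"

def audit(rules, urls):
    """Per rule: (action regex, query-in-rule flag, URLs it really relaxes)."""
    report = []
    for line in rules:
        _, action = parse_csrf_rule(line)
        hits = [u for u in urls if re.search(action, strip_query(u))]
        report.append((action, has_query_component(action), hits))
    return report

if __name__ == "__main__":
    for action, flagged, hits in audit(MANUAL + LEARNED, URLS):
        status = "QUERY IN RULE" if flagged else "ok"
        print(f"{status:13} {action} -> {hits or 'relaxes nothing'}")
```

Both manually written rules match the full URLs, query included, yet relax nothing once the query is removed, while each learned rule relaxes exactly one portal URL.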