The Application Firewall gives you an option to exempt a specific form field, header, or Cookie from SQL Injection inspection check. You can completely bypass the inspection for one or more of these fields by configuring relaxation rules for the SQL Injection check.

The Application Firewall allows you to implement tighter security by fine tuning the relaxation rules. An application might require the flexibility to allow specific patterns, but configuring a relaxation rule to bypass the security inspection might make the application vulnerable to attacks, because the target field is exempted from inspection for any SQL attack patterns. SQL fine grained relaxation provides the option to allow specific patterns and block the rest. For example, the Application Firewall currently has a default set of more than 100 SQL keywords. Because hackers can use these keywords in SQL Injection attacks, the Application Firewall flags them as potential threats. You can relax one or more keyword(s) that are considered safe for the specific location. The rest of the potentially dangerous SQL keywords are still checked for the target location and continue to trigger the security check violations. You now have much tighter control.

The commands used in relaxations have optional parameters for Value Type and Value Expression. You can specify whether the value expression is a regular expression or a literal string. The value type can be left blank or you have an option to select Keyword or SpecialString or WildChar.

Caution! Regular expressions are powerful. Especially if you are not thoroughly familiar with PCRE-format regular expressions, double-check any regular expressions you write. Make sure that they define exactly the URL that you want to add as an exception, and nothing else. Careless use of wildcards, and especially of the dot-asterisk ( .*) metacharacter/wildcard combination, can have results that you do not want, such as blocking access to web content that you did not intend to block or allowing an attack that the HTML SQL Injection check would otherwise have blocked.

Points to Consider

• Value expression is an optional argument. A field name might not have any value expression.

• A field name can be bound to multiple value expressions.

• Value expressions should be assigned a value type. The SQL value type can be: 1) Keyword, 2) SpecialString, or 3) WildChar.

• You can have multiple relaxation rules per field name/URL combination.

For more information refer to Citrix eDocs - HTML SQL Injection Check.