NetScaler Application Firewall Relaxation Rule for HTML SQL Injection in User-Agent Header Does Not Work

Article ID: CTX216569

Description

NetScaler Application Firewall relaxation rule for HTML SQL injection in User-Agent header does not work.

The following are the log entries:
Aug 10 15:32:48 10.253.38.129 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SQL|6|src=X.X.7.122 spt=51607 method=GET request=https://example.domain.com/ msg=SQL Keyword check failed for header User-Agent\="..like Gecko(;)" cn1=280349 cn2=245030 cs1=appfw_relativityprod cs2=PPE1 cs3=q+5cOMXdEiFn8CX+gdEl9dnzIl40001 cs4=ALERT cs5=2016 act=blocked

The following rules were used for testing. Even the wildcard (.*) rule does not stop the NetScaler from blocking the request:
1) SQLInjection: Content-Type IsRegex: NOTREGEX FormActionURL: "(.*)" Location: HEADER ValueType: Keyword ValueExpression: "(.*)" IsValueRegex: REGEX State: ENABLED
2) SQLInjection: Referer IsRegex: NOTREGEX FormActionURL: "(.*)" Location: HEADER ValueType: Keyword ValueExpression: "(.*)" IsValueRegex: REGEX State: ENABLED
3) SQLInjection: "Accept(.*)" IsRegex: REGEX FormActionURL: "(.*)" Location: HEADER ValueType: Keyword ValueExpression: "(.*)" IsValueRegex: REGEX State: ENABLED
4) SQLInjection: User-Agent IsRegex: NOTREGEX FormActionURL: "(.*)" Location: HEADER ValueType: Keyword ValueExpression: "(.*)" IsValueRegex: REGEX State: ENABLED
5) SQLInjection: ".*" IsRegex: REGEX FormActionURL: ".*" Location: HEADER ValueType: Keyword ValueExpression: ".*" IsValueRegex: REGEX State: ENABLED

bind appfw profile appfw_relativityprod -SQLInjection Content-Type "(.*)" -location HEADER -valueType Keyword "(.*)" -isValueRegex REGEX
bind appfw profile appfw_relativityprod -SQLInjection Referer "(.*)" -location HEADER -valueType Keyword "(.*)" -isValueRegex REGEX
bind appfw profile appfw_relativityprod -SQLInjection "Accept(.*)" "(.*)" -isRegex REGEX -location HEADER -valueType Keyword "(.*)" -isValueRegex REGEX
bind appfw profile appfw_relativityprod -SQLInjection User-Agent "(.*)" -location HEADER -valueType Keyword "(.*)" -isValueRegex REGEX -comment "Deployed from learned data"
bind appfw profile appfw_relativityprod -SQLInjection ".*" ".*" -isRegex REGEX -location HEADER -valueType Keyword ".*" -isValueRegex REGEX

Resolution

The SQL keyword check failed for the User-Agent header because it found the keyword "like".

You can add the following relaxation rule to resolve this issue:
Name: User-Agent
URL: ^.*$
Location: HEADER
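
To confirm which profile and header a relaxation has to cover, the log entry from the Description can be parsed. The following Python is an added example, not Citrix code: the function names and the CEF header field names are hypothetical, and it assumes, from the entry shown above, that cs1 carries the profile name and that msg has the form "check failed for header NAME\="VALUE"".

```python
import re
from collections import Counter

# The log entry quoted in this article, joined into one syslog line.
SAMPLE = (
    r'Aug 10 15:32:48 10.253.38.129 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SQL|6|'
    r'src=X.X.7.122 spt=51607 method=GET request=https://example.domain.com/ '
    r'msg=SQL Keyword check failed for header User-Agent\="..like Gecko(;)" '
    r'cn1=280349 cn2=245030 cs1=appfw_relativityprod cs2=PPE1 '
    r'cs3=q+5cOMXdEiFn8CX+gdEl9dnzIl40001 cs4=ALERT cs5=2016 act=blocked'
)

# Names chosen here (assumption) for the seven pipe-delimited CEF header fields.
CEF_FIELDS = ('version', 'vendor', 'product', 'device_version',
              'module', 'violation', 'severity')
# A key starts the extension or follows whitespace; an escaped "\=" never matches.
_KEY = re.compile(r'(?:(?<=\s)|^)(\w+)=')
_HDR = re.compile(r'check failed for header (\S+?)="(.*)"$')

def parse_appfw_cef(line):
    """Return CEF header fields and extension key/value pairs as one dict.
    Values may contain spaces: each runs up to the next key, and "\\=" is unescaped."""
    start = line.find('CEF:')
    parts = line[start + 4:].split('|', 7) if start >= 0 else []
    if len(parts) != 8:
        raise ValueError('not a complete CEF record')
    rec, ext = dict(zip(CEF_FIELDS, parts[:7])), parts[7]
    keys = list(_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        rec[m.group(1)] = ext[m.end():end].strip().replace('\\=', '=')
    return rec

def blocked_header(rec):
    """Return (header name, offending value) from the msg field, or None."""
    m = _HDR.search(rec.get('msg', ''))
    return (m.group(1), m.group(2)) if m else None

def summarize(lines):
    """Count blocked APPFW_SQL header violations per (profile, header)."""
    hits = Counter()
    for line in lines:
        try:
            rec = parse_appfw_cef(line)
        except ValueError:
            continue  # skip syslog lines that are not CEF records
        hdr = blocked_header(rec)
        if rec['violation'] == 'APPFW_SQL' and rec.get('act') == 'blocked' and hdr:
            hits[(rec.get('cs1'), hdr[0])] += 1
    return hits
```

Passing the appliance's syslog lines to summarize() gives one count per profile and header, which shows where a header relaxation is still missing.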

Additional Information

Citrix Documentation - https://docs.citrix.com/en-us/netscaler/11-1/application-firewall/top-level-protections/html-sql-injection-check.html