The Citrix Blog
Blogs for Sridhar Guthula

posted by Sridhar Guthula

CERT-FI Advisory on XML Libraries

Several vulnerabilities regarding the parsing of XML data have been found in XML library implementations. The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution.

Some of the most popular open source XML libraries have been found to be vulnerable. Please refer to http://www.cert.fi/en/reports/2009/vulnerability2009085.html for details of the vulnerabilities and the list of affected libraries.

XML Security in NetScaler

The NetScaler Application Firewall module includes an XML-aware engine that powers specific XML attack protections. In addition to protecting XML-based applications from attack, NetScaler ensures that incoming XML traffic conforms to the appropriate standards (e.g., XML syntax, schema, WSDL validation).

The NetScaler XML Security features that protect against the above vulnerabilities include Format Checks and Denial of Service Prevention. Format Checks prevent malformed or not well-formed messages from reaching the server. Denial of Service Prevention thwarts attacks (such as large elements, deeply nested messages, etc.) that attempt to exhaust server resources or exploit weaknesses in the XML parsers and applications on the server.

For a more comprehensive list of XML security features included in NetScaler, click here.


posted by Sridhar Guthula

NetScaler's Application Firewall offers great protection for Web Applications via a positive security model that lets the user decide what is allowed to reach their web server. Web site vulnerability and compliance requirements can be met by deploying this integrated firewall.

But the concept of the web is changing. Expanding beyond traditional web pages, many sites now include programmable interfaces accessible via XML-based APIs. While web sites are mainly for consumers, the programmable APIs are used by business partners and customers to automate and integrate systems. The APIs are also being used by emerging Web 2.0 Rich Internet Applications (such as Adobe Flex and Microsoft Silverlight) that are deployed inside a consumer's browser. Once deployed, these RIAs make active and passive calls to the exposed APIs of a web site, often exchanging information in the background using an XML-based protocol such as REST or Web Services.

As the Web and programmatic APIs continue to become more of an integrated offering, it is important to provide security for the APIs as well as for the Web site. NetScaler 9.0 introduces a major new module inside the Application Firewall centered on XML Security. With these new capabilities, users are able to simultaneously secure HTML-based web sites as well as XML-based REST and Web Services APIs.


posted by Sridhar Guthula

XML

Extensible Markup Language (XML) is a W3C standard for creating custom markup languages that represent structured data as text.

Characteristics of XML

  • Simple and Plain Text
    • Easy to read and understand both for humans and computers
    • Supports "all" platforms and programming languages
    • Supports multi-lingual documents
  • Self-describing
    • Metadata in the form of tags and attributes
    • Simplifies tools/programs development
  • Open
    • Widely adopted World Wide Web Consortium (W3C) standard since 1998
  • Extensibility
    • No fixed set of tags. New tags can be created as they are needed.
    • Can express complex messages.


Sample XML

<?xml version="1.0" encoding="UTF-8"?>
<Bio>
     <Name>
        <First> John </First>
        <Last> Smith </Last>
     </Name>
     <Company current="Yes">
         Acme Open Source Software Center
     </Company>
</Bio>



posted by Sridhar Guthula

One of the long-awaited new features in NetScaler 9.0 is XML security. In 2007, Citrix acquired QuickTree, a small privately-held software technology provider at the forefront of addressing the key security and performance challenges of XML, web services and Web 2.0. With NetScaler 9.0 the XML security capabilities acquired from QuickTree are fully integrated into the NetScaler web application delivery appliance.

Some of the XML security features available in the new NetScaler release, listed as feature: benefit.

  • Format Checks: Prevents malformed or not well-formed messages from reaching the server.
  • Denial of Service Prevention: Thwarts attacks (such as large elements, deeply nested messages, etc.) that attempt to exhaust server resources or exploit weaknesses in the XML parsers and applications on the server.
  • Recursive Expansion Attack Prevention: Protects against messages containing recursive entity expansion attacks in their document type definition (DTD).
  • External Entity Attack Prevention: Prevents the server from processing data from untrusted sources.
  • XML Attachment Security: Prevents attachments that contain malicious executables and viruses from reaching the server.
  • SQL Injection Check: Protects back-end SQL-based database servers and prevents hackers from obtaining information they are not entitled to.
  • Cross-site Scripting Check: Protects Web 2.0 applications from cross-site scripting attacks.
  • Start URLs: Prevents forceful scanning for services on a server.
  • Deny URLs: Prevents attacks against various known security weaknesses that exist in different web servers.
  • Cookie Consistency: Protects sensitive data by preventing hackers from logging in under other users' credentials.
  • Buffer Overflow: Prevents attacks against insecure operating system or web server software that can crash or behave unpredictably when it receives a data string larger than it can handle.
  • Service Obfuscation: Protects against service scanning attacks by rewriting end-point locations to obfuscate the true location of the service.
  • SOAP Message Validation: Ensures only messages that are compliant with the SOAP and WSDL standards reach the server, and offloads this validation from the server.
  • XML Schema Validation: Ensures only messages that are compliant with a given XML Schema reach the server, and offloads this validation from the server.
  • Web Services Interoperability Checks: Performs a wide variety of checks on SOAP messages to ensure that they comply with Web Services Interoperability Organization (WS-I) recommendations.
  • Data Leak Prevention: Prevents credit card and other sensitive business data from leaving the organization.
  • Service Proxy: Provides transport-level security for all XML and Web Services messages by acting as the SSL proxy.
  • Rate Limiting: Prevents the server from being overwhelmed by limiting the number of requests per second.
  • PCI DSS Report: Provides a detailed Payment Card Industry (PCI) Data Security Standard (DSS) report listing all the relevant PCI DSS criteria.
  • Alerts via SNMP: Alerts a designated person or server when there is a security violation.
  • Violation Counters: Displays counters for monitoring all violations.
  • Historic Charts: Built-in and customizable charts for viewing historic traffic patterns and violations.
  • Express Configuration: Protects XML applications right out of the box with very little configuration and maintenance.
  • Secures All Flavors of XML Applications: With the combination of XML, HTML, and HTTP security features, a single appliance can protect Plain-old-XML (POX), SOAP, REST, Web 2.0, .NET and all other flavors of XML applications.
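The Format Checks and Denial of Service Prevention described in the CERT-FI post above, and the Recursive Expansion and External Entity entries in this list, come down to a handful of limits enforced while the message is streamed through a parser. As an added example (not NetScaler's or QuickTree's code), here is a Python policy check built on the standard library's expat binding; the limits (32 nesting levels, 4 KB of text per element) and the sample messages are assumptions constructed for the example.

```python
import xml.parsers.expat as expat
# Policy limits: assumed values for this example, not NetScaler defaults.
MAX_DEPTH = 32         # guards against deeply nested messages
MAX_TEXT_BYTES = 4096  # guards against large elements

class _Stop(Exception):
    pass  # raised inside a handler to abort parsing on a policy violation
def check_xml(data, max_depth=MAX_DEPTH, max_text_bytes=MAX_TEXT_BYTES):
    """Stream-parse the message once; return "OK" if it passes every check,
    otherwise a short string naming the first check that failed."""
    parser = expat.ParserCreate()
    state = {"depth": 0, "text": 0, "reason": None}

    def fail(reason):
        state["reason"] = reason
        raise _Stop
    def start(name, attrs):
        state["depth"] += 1
        state["text"] = 0
        if state["depth"] > max_depth:
            fail(f"nesting depth exceeds {max_depth}")
    def end(name):
        state["depth"] -= 1
        state["text"] = 0
    def chars(text):  # expat may split one element's text into chunks
        state["text"] += len(text.encode("utf-8"))
        if state["text"] > max_text_bytes:
            fail(f"element text exceeds {max_text_bytes} bytes")
    def doctype(name, sysid, pubid, has_internal_subset):
        # Entity declarations live in the DTD: refusing any DOCTYPE blocks both recursive expansion and external (SYSTEM) entities
        fail("DTD not allowed")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(data, True)  # Format Check: message must be well-formed
    except _Stop:
        return state["reason"]
    except expat.ExpatError as exc:
        return f"not well-formed: {exc}"
    return "OK"

# Constructed sample messages (not taken from the page).
WELL_FORMED = b'<?xml version="1.0"?><Bio><Name><First>John</First></Name></Bio>'
MALFORMED = b"<Bio><Name>John</Bio>"
DEEP = b"<a>" * 40 + b"x" + b"</a>" * 40
LARGE = b"<a>" + b"A" * 5000 + b"</a>"
ENTITY_DTD = b'<!DOCTYPE r [<!ENTITY a "aa"><!ENTITY b "&a;&a;">]><r>&b;</r>'
```

Because the check rejects on the first handler callback that breaks policy, a deeply nested or oversized message is refused before the rest of it is parsed, which is what keeps the check itself cheap.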