
Please advise the approach to configuring the WAF profile for POST requests with the content type: "application/x-www-form-urlencoded;charset=UTF-8" and form fields containing XML.



Hello Manjunath,

Yes, you are right. I would like to understand the recommended approach to configuring Citrix ADC WAF in the case when a POST request generated by an HTML form contains a field with XML data, something like the following:

Form data:

......

id: "XXXX-YYYYY-ZZZZ"

AddFields_List: "<I C='some value1' VI='#SOME ID VALUE' T='Boolean' ..... V='N'> <TI V='N' T='No' /> <TI V='Y' T='Yes' /> </I> ..... <TI V='Yes'/> <TI V='No'/>"

AddF_01: "another value"

.......

In this case the "AddFields_List" form field triggers HTML XSS and Command injection protection mechanisms.

Best regards,

Alex D.


Hi Alex,

In this case, the submitted XML data is processed as form data. Applying HTML checks will therefore be sufficient to shield it from SQLi and command injections.

You might need to implement relaxation rules for the XML tags because they will cause XSS violations when used on form data. 

We cannot apply XML protections on the HTML form data.

Thanks,

Manjunath M


Hi Manjunath,

Thank you very much for the answers and clarifications provided!

You have confirmed that I have not missed some kind of "silver bullet" approach for this case in the documentation or other articles.

From my side, I could add that the HTML XSS protection engine (at least in version 13.1.42.47) tries to process the XML content of an HTML form field and represent it as a variable set of HTML form fields and tags, so in this case the only way to prevent this is to create an XSS Relaxation Rule for an HTML form field containing XML data.

Thanks one more time for your response!

Take care!

Best regards,

Alex D.

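The two points made in this thread (the XML inside the form field is inspected as HTML tags, and the only workable fix is an XSS relaxation scoped to that one form field) can be illustrated with a small model. The following is an added example written for this thread; it is not Citrix ADC / NetScaler code and does not reproduce its detection engine. It decodes an application/x-www-form-urlencoded body, flags any field whose value contains tag-like markup, and applies relaxation rules keyed on field name plus form-action URL, the same two values a real relaxation is scoped by. The sample body is constructed to mirror the field names from the first post, and the action URL "/app/submit.do" is an assumption.

```python
"""Toy model of a WAF form-field XSS check with relaxation rules.

Added illustration for this thread: NOT Citrix ADC / NetScaler code and not
its detection engine. It shows why a form field carrying XML trips a
tag-based cross-site-scripting check, and how a relaxation scoped to one
field name and one form-action URL exempts that field while every other
field in the same POST stays inspected.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode

# Anything that looks like the start of a markup tag ("<I ", "</TI", ...).
# A real engine has a far richer tag/attribute/pattern model; this stands in.
TAG_PATTERN = re.compile(r"<\s*/?\s*[A-Za-z][\w:-]*")


@dataclass(frozen=True)
class XssRelaxation:
    """Exempt `field_name` on forms posted to `form_action_url` from the check.
    With is_regex=True both values are treated as anchored regular expressions."""
    field_name: str
    form_action_url: str
    is_regex: bool = False

    def matches(self, field: str, url: str) -> bool:
        if self.is_regex:
            return (re.fullmatch(self.field_name, field) is not None
                    and re.fullmatch(self.form_action_url, url) is not None)
        return field == self.field_name and url == self.form_action_url


def check_form_post(action_url: str, body: str, relaxations=()) -> list:
    """Decode a urlencoded form body and return the names of the fields whose
    values contain tag-like markup and are not covered by a relaxation."""
    violations = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if any(r.matches(name, action_url) for r in relaxations):
            continue  # exempted for this field on this form-action URL only
        if TAG_PATTERN.search(value):
            violations.append(name)
    return violations


# Constructed sample body mirroring the thread's field names; values are
# urlencoded as a browser would send them.
SAMPLE_BODY = urlencode({
    "id": "XXXX-YYYYY-ZZZZ",
    "AddFields_List": "<I C='some value1' T='Boolean' V='N'><TI V='N' T='No' /></I>",
    "AddF_01": "another value",
})
ACTION_URL = "/app/submit.do"  # assumed form-action URL for the example

# The relaxation the thread arrives at: exactly this field, exactly this URL.
RELAX_ADDFIELDS = (XssRelaxation("AddFields_List", ACTION_URL),)

if __name__ == "__main__":
    print("no relaxation  :", check_form_post(ACTION_URL, SAMPLE_BODY))
    print("with relaxation:", check_form_post(ACTION_URL, SAMPLE_BODY, RELAX_ADDFIELDS))
    # A second field that starts carrying markup is still flagged, because
    # the relaxation names only AddFields_List.
    extra = SAMPLE_BODY + "&" + urlencode({"AddF_02": "<b>bold</b>"})
    print("other field    :", check_form_post(ACTION_URL, extra, RELAX_ADDFIELDS))
```

The model makes the scoping visible: the relaxation silences the violation only for the named field on the named action URL, so a POST to a different URL, or markup turning up in any other field, is still reported. That is the behaviour to expect from a production relaxation as well, and it is why a per-field relaxation is preferable to loosening the XSS check profile-wide; when the same field name is posted to several URLs, a regex-scoped rule (the `is_regex=True` form here) keeps the exemption narrow without needing one rule per URL.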
