How to relax XSS attack for open bracket character (<) on netscaler

[Namitha]

Hi,

 

I have a text in body filed which gives  XSS attack for following text  "I messaged you about yesterday with the <5mm rectal carcinoid tumor that was found"

Here for <5mm it is  giving XSS attack

 

if I learn and relax 5mm it is  giving every word after 5mm XSS attack

It is not possible to relax each word.

Any better way to relax?

I tried following options which didn't work

 

bind appfw profile appfw_basic_htmlxml_testprofile -crossSiteScripting body "^https://xxx.domain.ca/messaging/sendmessage$" -valueType Tag 5mm -comment "Deployed from learned data"
bind appfw profile appfw_basic_htmlxml_testprofile -crossSiteScripting body "^https://xxx.domain.ca/messaging/sendmessage$" -valueType Attribute rectal -comment "Deployed from learned data"
bind appfw profile appfw_basic_htmlxml_testprofile -crossSiteScripting body "https://xxx.domain.ca/messaging/sendmessage$" -valueType Attribute carcinoid -comment "Deployed from learned data"
bind appfw profile appfw_basic_htmlxml_testprofile -crossSiteScripting body "^https://xxx.domain.ca/messaging/sendmessage$" -valueType Attribute tumor -comment "Deployed from learned data"
bind appfw profile appfw_basic_htmlxml_testprofile -crossSiteScripting body "^https://xxx.domain.ca/messaging/sendmessage$" -valueType Attribute that -comment "Deployed from learned data"
bind appfw profile appfw_basic_htmlxml_testprofile -crossSiteScripting body "^https://xxx.domain.ca/messaging/sendmessage$" -valueType Attribute was -comment "Deployed from learned data"
bind appfw profile appfw_basic_htmlxml_testprofile -crossSiteScripting body "^https://xxx.domain.ca/messaging/sendmessage$" -valueType Tag "%3C" -comment "Deployed from learned data"
bind appfw profile appfw_basic_htmlxml_testprofile -crossSiteScripting body "^https://xxx.domain.ca/messaging/sendmessage$" -valueType Tag "<5mm" -comment "Deployed from learned data"
bind appfw profile appfw_basic_htmlxml_testprofile -crossSiteScripting body "^https://xxx.domain.ca/messaging/sendmessage$" -valueType Attribute "<5mm" -comment "Deployed from learned data"
 

 

Now I get error at found.

concerto/messaging/SendMessage Cross-site script check failed for field body="Bad attribute: found" <blocked>

 

Ideally I don't want to relax each word. Is there a better way to relax < ?

[Jim Grimm1709160134]

I'm not sure there would be any way to work around this. only because the '<' is a defining characteristic in a XSS attack.  I think no matter how you try to exclude or define that character (aside from disabling the XSS checks altogether). any traffic where that character appears would be blocked (which explains why when you relaxed 5mm, it blocked the next word after).

 

https://docs.citrix.com/en-us/netscaler/12/application-firewall/top-level-protections/html-cross-site-scripting-check.html

 

Quote

Important

As part of the streaming changes, the App Firewall processing of the Cross-site Scripting tags has changed. This change is applicable to 11.0 builds onwards. This change is also pertinent for the enhancement builds of 10.5.e that support request side streaming. In earlier releases, presence of either open bracket (<), or close bracket (>), or both open and close brackets (<>) was flagged as Cross-site Scripting Violation. The behavior has changed in the builds that include support for request side streaming. Only the close bracket character (>) is no longer considered as an attack.  Requests are blocked even when an open bracket character (<) is present, and is considered as an attack. The Cross-site scripting attack gets flagged.

 

[Check1 Check2]

I don't think there is any way in which we can relax the symbol <

 

You can either try one of these two options

 

1. Create another policy which will filter the traffic for the url /messaging/sendmessage and apply the profile of appfw_bypass

2. Ask the users to use "less than" instead of the symbol "<"