Web Application Firewall : CSRF Tagging blocked

[Zach Sheppard1709161559]

Currently have a DMS corporate system that being protected via NetScaler WAF profile.

 

At present we have thousands of documents within the DMS and instead of learning each and every single url and add to the relaation ruleset, I'd like to look at implementing a generic relaxation rule to catch all/most.

 

the URL in question is similar to below;

 

URL - https://subdomain.domain.com/upload/docs/application/pdf/2017-12/guideoutlook.pdf

Found within Relaxation Rule ^https://subdomain\.domain\.com/upload/docs/application/pdf/2017\-12/guideoutlook\.pdf$

 

I've tried to follow this information found within the Citrix site;

https://docs.citrix.com/en-us/netscaler/12/application-firewall/form-protections/cross-site-request-forgery-check.html

 

Managed to devise this rule, however it doesn't seem to work effectively;

bind appfw profile TEST-Appfw-profile -CSRFTag "^http://$" "^[^?<>]*/upload/docs/application\[^?<>]*$" -comment "Manually deployed"

 

Any ideas on how to get this working would be greatly appreciated.

[Johannes Norz]

I would do something like

 

^https?://subdomain\.domain\.com/upload/docs/application/pdf/20\d\d\-\d\d?/\w+\.pdf$

 

This would allow any access to /upload/docs/application/pdf/20xx-xx/somelettersornumbers.pdf, where xx is any number, so 2000 - 2099, xx? is any number between 0 and 99. Does this help?