
XML DoS Error Character Data Length - learning


Question

Hello,

 

We are trying to protect our web applications with ADC 13.0 build 79 and audit them with Citrix ADM.

On one of our applications ADM reports that we have an "XML DoS Error Character Data Length" violation. But I don't see what is wrong.

If I look inside "XML Denial of Service Learned Rules" all values are under the max value. See image below.

(screenshot: XML Denial of Service Learned Rules)

 

How can I find out what the exact problem is?

 

ADM violation message:

(screenshot: ADM violation message)

 


3 answers to this question


Look in the syslog of the ADC where the event is firing for the actual appfw log details regarding the violation.

(Or the ADM copy of the syslog for this ADC).

ADM is summarizing the violations; but the appfw syslog events (unless they are being split to their own log) will have the source IP, the violation, and additional violation details so you can tell what/when the violation was triggered.

 

Also, you have several "learned" violations. The learned rules are events that were outside the allowed limit; so if it is legitimate traffic it would be blocked and needs to be relaxed to be allowed. If it is illegitimate traffic it should continue to be blocked.

 

Regardless, you should probably look at the ADC itself for the appfw violations in syslog and learned rules to inspect the details.


Hi Rhonda,

I took a look into the syslog and found this message:

 

    May 12 09:40:23 90.153.1.134 2021/05/12:07:40:23 w2rznsdmz1 0-PPE-0 : default APPFW APPFW_XML_DOS_ERR_CHAR_DATA_LENGTH 1176166 0 : 185.14.121.213 2903764-PPE0 - appfw_profile_extranet https://h....n.de/secom/PublicEComService?wsdl XDoS check failed: Exceeds max character data length. Offset:39 <not blocked>

What is the data length of the request? I know that this is a request which is OK.

If I look in the learned rules I find this line:

    Max Char Data Length    65535    64    

To my understanding, the learned value is 64 and the max allowed value is 65535. Because of this, I assume we have no problem and I can't understand why the request was logged.


I'm not sure either; unless it's the contents of the WSDL.

My *guess* is that if you look at the item referenced in the url path, there is at least one element with too much data in it.

 

I don't know if this check has any other relaxations or exemptions that you can configure, but I would look in the contents of the WSDL to see if anything exceeds expected results.

 

https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/xml-protections/xml-denial-of-service-check.html

Maximum Character Data Length. Restrict the maximum character data length for each element to 65,535. You can modify the length to any value between one (1) and 65,535.

 

But I would follow up with support in case there is a known issue with a specific line item.

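One way to answer "what is the data length?" for the WSDL discussed in this thread, as an added example that is neither Citrix code nor from any of the posters: it walks the document with a SAX parser, sums the character data inside each element and reports the longest run against the 65,535 default quoted from the docs above, so the element that trips the check can be located before relaxing anything. The WSDL-like sample document is constructed; only the limit comes from the page.

```python
import xml.sax
from xml.sax.handler import ContentHandler

DEFAULT_LIMIT = 65535  # ADC default for "Maximum Character Data Length"


class CharDataMeter(ContentHandler):
    """Sum the character data inside each element; remember the longest."""

    def __init__(self):
        super().__init__()
        self.locator = None
        self._stack = []             # per open element: [name, line, length]
        self.longest = (None, 0, 0)  # (element name, start line, length)

    def setDocumentLocator(self, locator):
        self.locator = locator

    def startElement(self, name, attrs):
        line = self.locator.getLineNumber() if self.locator else 0
        self._stack.append([name, line, 0])

    def characters(self, content):
        # SAX may hand one text node over in several chunks; add them all.
        if self._stack:
            self._stack[-1][2] += len(content)

    def endElement(self, name):
        el, line, length = self._stack.pop()
        if length > self.longest[2]:
            self.longest = (el, line, length)


def max_char_data(xml_bytes, limit=DEFAULT_LIMIT):
    """Return (element, line, length, over_limit) for the longest text run."""
    handler = CharDataMeter()
    xml.sax.parseString(xml_bytes, handler)
    name, line, length = handler.longest
    return name, line, length, length > limit


# Constructed WSDL-like sample: one element carries 70,000 characters.
SAMPLE = (b'<?xml version="1.0"?>\n'
          b'<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">\n'
          b'  <documentation>' + b'A' * 70000 + b'</documentation>\n'
          b'  <message name="req"/>\n'
          b'</definitions>\n')

if __name__ == "__main__":
    name, line, length, over = max_char_data(SAMPLE)
    print(f"longest character data: <{name}> at line {line}, "
          f"{length} chars, exceeds {DEFAULT_LIMIT}: {over}")
```

Run it against the real WSDL (`max_char_data(open("service.wsdl", "rb").read())`) and the element it names is the one to inspect or relax.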
