Citrix WAF Field Format relaxation issue

[amr fawzy1709157741]

Hello, I am having an issue with an application. Whenever I enable the blocking on Field Format, the Homepage gets an error. When I view the logs, I can see that field that is being blocked. When I Deploy this rule from the Logs and try again, it gets blocked again. I tried to edit the rule to allow any type of character and any length but also got blocked.

 

[Rhonda Rowland1709152125]

First off, for field format do you have a default field format specified or did you leave it with no default field format? 

If a "default field format" is specified, then every field must match that format or be explicitly configured in relaxations. (Usually, a default field format is not specified for this reason).

If no default field format set, then only fields explicitly listed in the field format relaxation are protected and then you need to adjust the regex specified. (or not configure the field at all.)

 

Usually, field format isn't needed unless you have a specific field to enforce with a specific pattern when 1) the app has a specific vulnerabilty and 2) other protections aren't closing the gap.

[Johannes Norz]

This is an URL with a query string. I guess, the query string is different every time you see it. It takes a RegEx to define valid parameters, learning won't help very much..

 

I could create a RegEx for you, however, the screen-shot is a mess, so I can't. I guess, you could cut&paste the log entry here. This would make it easier for me.

Anyway, something like ^https?://support\.its\.ws/arsys/BackChannel?param= would work, but is extremely insecure, as any additional parameters in any size would be permitted.

 

Cheers

 

Johannes Norz

CTA, CCE-Appds, CCI

https://norz.at https://wonderkitchen.network

[amr fawzy1709157741]

Thank you for the answers, I did remove the field format because it was not necessary and replaced it with the other protection features.