
relaxation - html xss - ignore domain and permit based on path


Gijs Lemahieu1709159845

Question

Hi,


we are currently implementing / finetuning the WAF setup.

we are hosting the same website for hundreds of customers, each customer with his own domain.


I'm a bit stuck on implementing relaxation rules, define something which always works, regardless the domain of the url.


An example of the error I get:

CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_XSS|6|src=1.2.3.4 spt=13771 method=POST request=https://domain/Profile/MyProfile msg=Cross-site script check failed for field __eventtarget\="Bad tag: %# 

=> this is blocked and I would like to create a relaxation rule for this.

This should ignore the domain part of the url and only look at the path part

so

https://customer.domain.net/Profile/MyProfile - field __eventtarget should be allowed

https://domaincustomer.com/Profile/MyProfile - field __eventtarget should be allowed


in responder policies I can use the variable HTTP.REQ.URL.PATH but can I use something similar in regex expressions in a situation like this?


thanks for your help!


Gijs.


6 answers to this question


Hi Carl,


thanks for your feedback. I have indeed the option to enable 'is name regex' on the relaxation rule but to be honest, I don't understand what this means (and there is not much available either).

Do you mean I should enable this parameter and configure a regex expression which ignores the domain? If this is the case, I don't know how to write a regex expression for that, as there are hundreds of domains, without any structure (some may contain the character '-', length varies between 10 and 50 characters, ...). 

In fact I'm only interested in the 'path part'.


Could you give a small example (cli is also fine) how I could configure this from where I can start?


Thank you very much!


Gijs.

On 1/11/2023 at 10:20 AM, Gijs Lemahieu1709159845 said:

An example of the error I get:

CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_XSS|6|src=1.2.3.4 spt=13771 method=POST request=https://domain/Profile/MyProfile msg=Cross-site script check failed for field __eventtarget\="Bad tag: %# 


First Cross Site Scripting blocks any field that contains an HTML TAG or ATTRIBUTE that is NOT on the Allowed Tags list. It also blocks any HTML tags in the "denied tags" list.

Second, a relaxation exempts that field from protection OR you can set the granular filter to exempt certain patterns while enforcing the rest of the protection. The relaxation is defined by identifying the field by name (static) or regex pattern to exempt. Granular exemptions use an additional regex pattern for the value being compared.

The default setting for XSS protection is to only evaluate the query portion of the URL; if you enable full URL protection then it includes path and query portions.


The field to exempt appears to be:  eventtarget

Usually, you can exempt a field by specifying field name only and without needing to specify an entire URL, so this should avoid the "domain" portion of the URL.

The RELAXATION is the field to NOT PROTECT (or to exempt for a specific pattern).  


So, your issue may just be that you're approaching the configuration differently than expected. 

There are ways to construct a URL where the domain portion is ignored; I'm just not certain it applies to your scenario yet.


Of course you could also write something like ^https://.*/Profile/MyProfile. This would allow any character in front of /Profile/MyProfile. Rather similar: /Profile/MyProfile. Or, to be more specific, ^https://[\w\.\-]{4,80}/Profile/MyProfile (I usually define a maximum length, 80 should be long enough)


Cheers


Johannes Norz

CCI, CTA, CCE-AppDS
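A small harness, added here as an example and not part of the thread or of any Citrix tooling, that checks the three URL patterns from the reply above against the two customer hosts from the question plus a few constructed URLs that a relaxation for this page should not cover. It assumes Python's re module behaves like NetScaler's PCRE engine for these simple constructs, which holds for anchors, character classes and bounded repeats.

```python
import re

# URL patterns quoted in the reply above (PCRE-style syntax).
# Python's re is used here as a stand-in for the NetScaler regex engine;
# for these constructs the two agree.
PATTERNS = {
    "loose":     r"^https://.*/Profile/MyProfile",
    "path_only": r"/Profile/MyProfile",
    "bounded":   r"^https://[\w\.\-]{4,80}/Profile/MyProfile",
}

# Constructed samples: (url, should the relaxation apply?).
# The first two hosts are the ones named in the question.
SAMPLES = [
    ("https://customer.domain.net/Profile/MyProfile", True),
    ("https://domaincustomer.com/Profile/MyProfile", True),
    # A query string after the path must not break the match.
    ("https://domaincustomer.com/Profile/MyProfile?tab=1", True),
    # A different page on the same host: field should still be protected.
    ("https://domaincustomer.com/Profile/Other", False),
    # Same path suffix under another directory: should stay protected,
    # because the relaxation was meant for /Profile/MyProfile only.
    ("https://domaincustomer.com/Uploads/Profile/MyProfile", False),
    # Plain HTTP on any host: not covered by the anchored patterns.
    ("http://domaincustomer.com/Profile/MyProfile", False),
]


def matches(pattern: str, url: str) -> bool:
    """True if the relaxation URL regex would match this request URL."""
    return re.search(pattern, url) is not None


def evaluate(pattern: str, samples=SAMPLES) -> dict:
    """Map each sample URL to whether the pattern matches it."""
    return {url: matches(pattern, url) for url, _ in samples}


def mismatches(pattern: str, samples=SAMPLES) -> list:
    """URLs where the pattern's verdict differs from the intended one."""
    return [url for url, want in samples if matches(pattern, url) != want]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:10} mismatches: {mismatches(pattern)}")
```

Running it shows why the bounded form is preferable: because `.*` also spans `/`, the loose and path-only patterns exempt the field on any URL whose path merely ends in /Profile/MyProfile, while `[\w\.\-]{4,80}` can only consume a host name, so the exemption stays tied to the intended page regardless of which customer domain serves it.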
