Gijs Lemahieu1709159845 Posted January 11, 2023

Hi,
we are currently implementing / fine-tuning the WAF setup.
We are hosting the same website for hundreds of customers, each customer with his own domain.
I'm a bit stuck on implementing relaxation rules: defining something which always works, regardless of the domain of the URL.
An example of the error I get:
CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_XSS|6|src=1.2.3.4 spt=13771 method=POST request=https://domain/Profile/MyProfile msg=Cross-site script check failed for field __eventtarget\="Bad tag: %#
=> this is blocked and I would like to create a relaxation rule for this.
This should ignore the domain part of the URL and only look at the path part, so
https://customer.domain.net/Profile/MyProfile - field __eventtarget should be allowed
https://domaincustomer.com/Profile/MyProfile - field __eventtarget should be allowed
In responder policies I can use the variable HTTP.REQ.URL.PATH, but can I use something similar in regex expressions in a situation like this?
Thanks for your help!
Gijs.
CarlStalhood Posted January 11, 2023

I think the URL supports Regex if you check "Is Name regex".
Gijs Lemahieu1709159845 Posted January 12, 2023 (Author)

Hi Carl, thanks for your feedback.
I do indeed have the option to enable 'is name regex' on the relaxation rule, but to be honest I don't understand what this means (and there is not much available about it either). Do you mean I should enable this parameter and configure a regex expression which ignores the domain? If this is the case, I don't know how to write a regex expression for that, as there are hundreds of domains without any structure (some may contain the character '-', length varies between 10 and 50 characters, ...). In fact I'm only interested in the 'path part'.
Could you give a small example (CLI is also fine) of how I could configure this, from where I can start?
Thank you very much!
Gijs.
Rhonda Rowland1709152125 Posted January 12, 2023

On 1/11/2023 at 10:20 AM, Gijs Lemahieu1709159845 said:
An example of the error I get:
CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_XSS|6|src=1.2.3.4 spt=13771 method=POST request=https://domain/Profile/MyProfile msg=Cross-site script check failed for field __eventtarget\="Bad tag: %#

First, Cross Site Scripting blocks any field that contains an HTML TAG or ATTRIBUTE that is NOT on the Allowed Tags list. It also blocks any HTML tags in the "denied tags" list.
Second, a relaxation exempts that field from protection, OR you can set the granular filter to exempt certain patterns while enforcing the rest of the protection. The relaxation is defined by identifying the field by name (static) or by a regex pattern to exempt. Granular exemptions use an additional regex pattern for the value being compared.
The default setting for XSS protection is to only evaluate query portions of the URL; if you enable full URL protection then it includes path and query portions.
The field to exempt appears to be: eventtarget
Usually, you can exempt a field by specifying the field name only, without needing to specify an entire URL, so this should avoid the "domain" portion of the URL. The RELAXATION is the field to NOT PROTECT (or to exempt for a specific pattern).
So, your issue may just be that you're approaching the configuration differently than expected. There are ways to construct a URL where the domain portion is ignored; I'm just not certain it applies to your scenario yet.
Johannes Norz Posted January 17, 2023

Of course you could also write something like ^https://.*/Profile/MyProfile. This would allow any character in front of /Profile/MyProfile. Rather similar: /Profile/MyProfile.
Or, to be more specific, ^https://[\w\.\-]{4,80}/Profile/MyProfile (I usually define a maximum length; 80 should be long enough).
Cheers
Johannes Norz CCI, CTA, CCE-AppDS
rajkumar P1709162701 Posted January 29

Dear sir,
You can try this one also: ^https:\/\/.*\/Profile\/MyProfile$
Regards,
Rajkumar M
Johannes Norz Posted February 21

On 1/29/2024 at 12:46 PM, rajkumar P1709162701 said:
Dear sir,
You can try this one also: ^https:\/\/.*\/Profile\/MyProfile$
Regards,
Rajkumar M

In NetScaler, you don't need to escape /, as it is Python RegEx, not (as stated every now and then) Perl.
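As an added check (my code, not from the thread, Citrix or NetScaler), the patterns proposed by Johannes and Rajkumar run against the two URLs from the question plus constructed probe URLs, using Python's re module as a stand-in for the appliance's regex engine; the "combined" pattern is my own merging of the bounded host class with the end anchor, and the assumption throughout is that the relaxation regex is applied to the full URL as shown in the log line.

```python
import re

# Candidate "Is Name regex" relaxation patterns quoted from the thread
# (Johannes Norz, Rajkumar M) plus one combined form of my own.
PATTERNS = {
    "any_prefix":       r"^https://.*/Profile/MyProfile",
    "bounded_host":     r"^https://[\w\.\-]{4,80}/Profile/MyProfile",
    "escaped_anchored": r"^https:\/\/.*\/Profile\/MyProfile$",
    "combined":         r"^https://[\w.-]{4,80}/Profile/MyProfile$",  # hypothetical
}

# Constructed sample URLs: the two from the question, then probes that a
# relaxation meant only for the profile page should arguably NOT cover.
SAMPLES = [
    "https://customer.domain.net/Profile/MyProfile",       # from the question
    "https://domaincustomer.com/Profile/MyProfile",        # from the question
    "https://domaincustomer.com/Profile/MyProfile/Extra",  # trailing segment
    "https://domaincustomer.com/other/Profile/MyProfile",  # page nested deeper
    "https://domaincustomer.com/Profile/Other",            # different page
]


def matches(pattern: str, url: str) -> bool:
    """True if the pattern matches the URL; the patterns carry their own ^ and $."""
    return re.search(pattern, url) is not None


def evaluate(patterns=PATTERNS, samples=SAMPLES) -> dict:
    """Map each pattern name to the list of sample URLs it would relax."""
    return {name: [u for u in samples if matches(p, u)] for name, p in patterns.items()}


def over_broad(patterns=PATTERNS, samples=SAMPLES, intended=2) -> dict:
    """Per pattern, the URLs relaxed beyond the first `intended` (legitimate) samples."""
    return {name: hits[intended:] for name, hits in evaluate(patterns, samples).items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:17s} relaxes {len(hits)} of {len(SAMPLES)} sample URLs:")
        for url in hits:
            print("    ", url)
```

Only the combined form (host class that cannot contain a slash, plus `$`) relaxes exactly the two intended URLs; the `.*` variants also relax the nested path, and the unanchored variants also relax the trailing segment.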