Command injection grammar-based protection for HTML payload
NetScaler Web App Firewall uses a pattern-match approach to detect command injection attacks in HTML payloads. The approach uses a set of pre-defined keywords and (or) special characters to detect an attack and flag it as a violation. Although this approach is effective, it can produce many false positives, which in turn lead to adding one or more relaxation rules, especially when a commonly used word such as “Exit” appears in an HTTP request. Enabling the command injection grammar-based protection check for the HTML payload reduces these false positives.
In the pattern-match approach, a command injection attack is reported whenever a pre-defined keyword and (or) a special character is present in an HTTP request; the surrounding text need not form a valid command injection statement. In the grammar-based approach, a command injection attack is reported only if the keyword or special character occurs inside a valid command injection statement. False-positive scenarios are therefore reduced.
Command injection grammar-based protection usage scenario
Consider the statement “Rush towards the exit!” present in an HTTP request. Although it is not a valid command injection statement, the pattern-match approach flags the request as a command injection attack because of the keyword “exit”. In the command injection grammar-based approach, the statement is not flagged as a violation because the keyword does not occur inside a valid command injection statement.
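The following added example (not NetScaler code; the keyword list, the separator set and the simplified grammar are all assumptions made for illustration) contrasts the two detection approaches on the sentence from the scenario above and on a payload where the keyword really does sit in command position. It also mirrors the documented evaluation order when both approaches are enabled: grammar-based detection runs first, and a grammar hit is final.

```python
import re

# Constructed, deliberately tiny lists for illustration only. The real
# NetScaler keyword and special-character sets are larger and not reproduced.
KEYWORDS = {"exit", "cat", "ls"}
SPECIAL_CHARS = {";", "|", "&", "`", "$("}


def pattern_match_detect(payload: str) -> bool:
    """Pattern-match approach (CMDSplCharORKeyword style): flag the payload if
    any keyword OR any special character appears anywhere in it, regardless of
    whether the surrounding text forms a command."""
    words = set(re.findall(r"[A-Za-z_]+", payload.lower()))
    has_keyword = bool(words & KEYWORDS)
    has_special = any(ch in payload for ch in SPECIAL_CHARS)
    return has_keyword or has_special


def grammar_detect(payload: str) -> bool:
    """Simplified stand-in for grammar-based detection (assumption: NetScaler's
    actual grammar is not public and is richer than this). A keyword counts only
    when it occupies command position, i.e. it is the first token of a statement,
    where statements are delimited by shell command separators or newlines."""
    statements = re.split(r"[;&|]+|\n", payload)
    for stmt in statements:
        tokens = stmt.strip().split()
        if tokens and tokens[0].lower() in KEYWORDS:
            return True
    return False


def inspect(payload: str, grammar: bool = True,
            injection_type: str = "CMDSplCharORKeyword"):
    """Evaluate a payload the way the documentation describes the ordering:
    grammar-based detection first; if it fires, the result is final and the
    pattern match is skipped. Otherwise fall back to the pattern match unless
    CMDInjectionType is None. Returns which check fired, or None."""
    if grammar and grammar_detect(payload):
        return "grammar"
    if injection_type != "None" and pattern_match_detect(payload):
        return "pattern"
    return None


if __name__ == "__main__":
    # Constructed sample field values from an HTML form submission.
    samples = ["Rush towards the exit!", "report.txt; exit", "hello world"]
    for s in samples:
        print(f"{s!r:28} pattern={pattern_match_detect(s)!s:5} "
              f"grammar={grammar_detect(s)!s:5} verdict={inspect(s)}")
```

On the page's own sentence the pattern match fires (false positive) while the grammar check stays quiet; on `report.txt; exit` both fire, and `inspect` reports the grammar hit without consulting the pattern match. With `injection_type="None"` the profile relies on the grammar check alone, which is the third CLI configuration described later in the article.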
Configure command injection grammar-based protection parameter using the CLI
To implement command injection grammar-based detection, configure the “CMDInjectionGrammar” parameter in the Web App Firewall profile. By default, the parameter is disabled. All existing command injection actions are supported except learning. Any new profile created after an upgrade supports command injection grammar; such a profile still uses “special character or keyword” as the default detection type, so command injection grammar must be enabled explicitly.
At the command prompt, type:
add appfw profile <profile-name> -CMDInjectionAction <action-name> -CMDInjectionGrammar ON/OFF
Example:
add appfw profile profile1 -CMDInjectionAction Block -CMDInjectionGrammar ON
Configure command injection pattern-match protection and grammar-based protection using the CLI
If both the grammar-based and the pattern-match approaches are enabled, the appliance performs grammar-based detection first. If grammar-based detection finds a command injection and the action is set to “block”, the request is blocked without running the pattern-match check.
At the command prompt, type:
add appfw profile <profile-name> -CMDInjectionAction <action-name> -CMDInjectionGrammar ON -CMDInjectionType <any type other than None: CMDSplCharANDKeyword | CMDSplCharORKeyword | CMDSplChar | CMDKeyword>
Example:
add appfw profile p1 -CMDInjectionAction block -CMDInjectionGrammar ON -CMDInjectionType CMDSplChar
Configure command injection check only with grammar-based protection using the CLI
At the command prompt, type:
add appfw profile <profile-name> -CMDInjectionAction <action-name> -CMDInjectionGrammar ON -CMDInjectionType None
Example:
add appfw profile p1 -CMDInjectionAction block -CMDInjectionGrammar ON -CMDInjectionType None
Bind relaxation rules for command injection grammar-based protection using the CLI
If your application requires the command injection check to be bypassed for a specific “ELEMENT” or “ATTRIBUTE” in the HTML payload, configure a relaxation rule.
Note:
Relaxation rules with the valueType “Keyword” are evaluated only when the appliance performs detection using command injection grammar.
The command injection inspection relaxation rules have the following syntax. At the command prompt, type:
bind appfw profile <name> -CMDInjection <String> [-isRegex (REGEX | NOTREGEX)] <formActionURL> [-location <location>] [-valueType (Keyword | SpecialString | Wildchar) [<valueExpression>] [-isValueRegex (REGEX | NOTREGEX)]]
Example:
bind appfw profile p1 -cmdinjection abc http://10.10.10.10/
bind appfw profile p1 -cmdinjection 'abc[0-9]+' http://10.10.10.10/ -isregex regEX
bind appfw profile p1 -cmdinjection 'name' http://10.10.10.10/ -valueType Keyword 'exi[a-z]+' -isvalueRegex regEX
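To make the semantics of the three bindings above concrete, the following added example (not NetScaler code) models them as relaxation rules and evaluates which ones exempt a given form field. It assumes, for illustration, that the form action URL is compared literally, that a rule without a valueType exempts the whole field, and that a rule with valueType Keyword exempts only the specific matched keyword, and only while grammar-based detection is in use, as the note states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Relaxation:
    """One 'bind appfw profile ... -cmdinjection' rule (simplified model)."""
    name: str                          # field name (literal or regex)
    url: str                           # formActionURL, compared literally here (assumption)
    is_regex: bool = False             # -isregex REGEX
    value_type: Optional[str] = None   # -valueType Keyword | SpecialString | Wildchar
    value_expr: Optional[str] = None   # <valueExpression>
    is_value_regex: bool = False       # -isvalueRegex REGEX


def _matches(expr: str, text: str, is_regex: bool) -> bool:
    """Literal equality, or a full-string regex match when the rule says so."""
    return bool(re.fullmatch(expr, text)) if is_regex else expr == text


def is_relaxed(rules: List[Relaxation], field: str, url: str,
               grammar_enabled: bool, keyword: Optional[str] = None) -> bool:
    """Return True if some rule exempts this field (or this keyword within it)
    from the command injection check.

    keyword: the keyword the grammar check flagged in the field value, if any.
    Keyword-typed rules are consulted only when grammar detection is enabled,
    mirroring the documentation note; otherwise they are skipped entirely."""
    for rule in rules:
        if not _matches(rule.name, field, rule.is_regex):
            continue
        if rule.url != url:
            continue
        if rule.value_type is None:
            return True                # whole field exempted
        if rule.value_type == "Keyword":
            if not grammar_enabled or keyword is None or rule.value_expr is None:
                continue
            if _matches(rule.value_expr, keyword, rule.is_value_regex):
                return True            # only this keyword exempted
        # SpecialString / Wildchar value types are not modelled here.
    return False


# The three bindings from the page's example, expressed as rule objects.
URL = "http://10.10.10.10/"
RULES = [
    Relaxation("abc", URL),
    Relaxation("abc[0-9]+", URL, is_regex=True),
    Relaxation("name", URL, value_type="Keyword",
               value_expr="exi[a-z]+", is_value_regex=True),
]


if __name__ == "__main__":
    # Constructed field names and flagged keywords to evaluate against RULES.
    checks = [("abc", None), ("abc42", None), ("abcx", None),
              ("name", "exit"), ("name", "cat")]
    for field, kw in checks:
        print(f"field={field!r:8} keyword={kw!r:7} "
              f"relaxed(grammar on)={is_relaxed(RULES, field, URL, True, kw)} "
              f"relaxed(grammar off)={is_relaxed(RULES, field, URL, False, kw)}")
```

The third rule illustrates why valueType Keyword is tied to the grammar check: it names a keyword rather than a field, so there is nothing for it to match unless detection identified a keyword in the first place. Note that `exi[a-z]+` also matches other words beginning with “exi”, which is the usual trade-off to weigh when a relaxation is written as a regular expression.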
Configure command injection grammar-based protection using the GUI
Complete the following steps to configure grammar-based HTML command injection detection.
- Navigate to Security > NetScaler Web App Firewall Profile > Profiles.
- Select a profile and click Edit.
- Go to the Advanced Settings section and click Security Checks.
- Select the HTML Command Injection check box and click Action Settings.
- Select the Check using CMD Grammar check box.
- Select None from Check Request Containing.
- Click OK.