ADC

Relaxation and deny rules for handling HTML SQL injection attacks

When there is an incoming traffic, the violation detection logic checks for traffic violations. If no HTML SQL injection attacks are detected, the traffic is allowed to pass. But if a violation is detected, the relaxation (allow) and deny rules define how to handle the violations. If the security check is configured in the allow mode (default mode), the detected violation is blocked unless the user has explicitly configured a relaxation or allow rule.

In addition to allow mode, the security check can also be configured in deny mode and use deny rules for handling violations. If the security check is configured in this mode, the detected violations are blocked if a user has explicitly configured a deny rule. If there are no deny rules configured, then the user configured action is applied.

Note:

By default, the URL is a regular expression.

The following illustration explains how to allow and deny modes of operation work:

Relaxation and deny rules for handling HTML SQL injection attacks

  1. When a violation is detected, the relaxation (allow) and deny rules define how to handle the violations.
  2. If the security check is configured in deny mode (if configured in allow mode, jump to step 5), the violation is blocked unless you have explicitly configured a deny rule.
  3. If the violation matches a deny rule, the appliance blocks the traffic.
  4. If the traffic violation does not match a rule, the appliance applies a user-defined action (block, reset, or drop).
  5. If the security check is configured in allow mode, the Web App Firewall module checks if there are any allow rule configured.
  6. If the violation matches an allow rule, the appliance allows the traffic to bypass otherwise, it is blocked.

Configure security check-in relaxation and enforcement mode using CLI

At the command prompt, type:

set appfw profile <name>  –SQLInjectionAction [block stats learn] – SQLInjectionRuleType [ALLOW DENY]
<!--NeedCopy-->

Example:

set appfw profile prof1 sqlInjectionAction block -sqlInjectionRuleType ALLOW DENY

Configure security check-in relaxation and enforcement mode using GUI

  1. Navigate to Security > NetScaler Web App Firewall and Profiles.
  2. On the Profiles page, select a profile and click Edit.
  3. On the NetScaler Web App Firewall Profile page, go to the Advanced Settings section and click Security Checks.
  4. In the Security Checks section, select HTML SQL Injection Settings and click Action Settings.
  5. On the HTML Command Injection Settings page, select that actions to be performed as part of HTML command injection security check and update the parameters.
  6. Click OK.

Configure relaxation and deny rules for handling HTML SQL injection attacks

Bind relaxation and enforcement rules to Web Application Firewall profile using CLI

At the command prompt, type:

bind appfw profile <name> -SQLInjection <string> <formActionURL>
<!--NeedCopy-->

Example:

bind appfw profile p1 -SQLInjection field_f1 "/login.php" –RuleType ALLOW

bind appfw profile p2 -SQLInjection field_f1 "/login.php" –RuleType ALLOW

Bind relaxation and enforcement rules to Web Application Firewall profile using GUI

  1. Navigate to Security > NetScaler Web App Firewall and Profiles.
  2. On the Profiles page, select a profile and click Edit.
  3. On the NetScaler Web App Firewall Profile page, go to Advanced Settings section and click Relaxation Rules.
  4. In the Relaxation Rule section, select HTML SQL Injection Settings and click Edit.
  5. On the HTML SQL Injection Relaxation Rules page, click Add.
  6. Specify the required details.
  7. Click Create.

Bind relaxation and deny rules for handling HTML SQL injection attacks

Relaxation and deny rules for handling HTML SQL injection attacks