XML external entities (XXE) Attack Protection

The XML external entities (XXE) attack protection examines whether an incoming payload contains unauthorized XML input that references entities outside the trusted domain in which the web application resides. An XXE attack succeeds when a weakly configured XML parser processes an XML payload whose input contains references to external entities.

In a NetScaler appliance, if the XML parser is improperly configured, the impact of exploiting the vulnerability can be severe: it allows an attacker to read sensitive data on the web server, perform a denial-of-service attack, and so forth. Therefore, it is important to protect the appliance from XXE attacks. Web Application Firewall can protect the appliance from XXE attacks as long as the content type is identified as XML. To prevent a malicious user from bypassing this protection mechanism, WAF blocks an incoming request if the “inferred” content type in the HTTP headers does not match the content type of the body. This mechanism prevents the XXE attack protection from being bypassed when a whitelisted default or non-default content type is used to disguise an XML payload.

Some of the potential XXE threats that affect a NetScaler appliance are:

  • Confidential data leaks
  • Denial-of-service (DoS) attacks
  • Server-side request forgery (SSRF)
  • Port scanning

Configure XML external entities (XXE) injection protection

To configure the XML external entities (XXE) check by using the command line interface: add or modify the application firewall profile with the command below to configure the XXE settings. You can enable the block, log, and stats actions.

At the command prompt, type:

set appfw profile <name> [-inferContentTypeXmlPayloadAction <block | log | stats | none>]

Note:

By default, the XXE action is set as “none.”

Example:

set appfw profile profile1 -inferContentTypeXmlPayloadAction Block

Where the action types are:

Block: The request is blocked, with no exception for the URLs in the request.

Log: If a mismatch between the content type in the HTTP request header and the payload occurs, information about the violating request is recorded in the log message.

Stats: If a mismatch in the content types is detected, the corresponding statistics counter for this violation type is incremented.

None: No action is taken if a mismatch in the content types is detected. None cannot be combined with any other action type. The default action is None.
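The following Python example, added here and not part of the NetScaler product or this article, models the inferred-content-type check and the block / log / stats / none action semantics described above so that the mechanism can be studied offline. It infers whether a request body is XML (XML declaration, DOCTYPE, or opening tag), compares that with the declared Content-Type header, and applies the configured actions. The sample requests, the header-lookup helper, and the log-message wording are constructed assumptions; the real appliance's inference heuristics are not published on this page.

```python
import re

# Media types the check treats as legitimately XML (constructed assumption:
# the two standard XML types plus any "+xml" structured-syntax suffix).
XML_TYPES = {"application/xml", "text/xml"}

# Body looks like XML if, after optional whitespace, it starts with an XML
# declaration, a non-HTML DOCTYPE, or an opening element tag.
_XML_START = re.compile(rb"^\s*(?:<\?xml\b|<!DOCTYPE\s+(?!html\b)|<[A-Za-z_:])", re.IGNORECASE)


def declared_media_type(headers):
    """Return the lowercase media type from Content-Type, ignoring parameters."""
    lowered = {k.lower(): v for k, v in headers.items()}
    content_type = lowered.get("content-type", "")
    return content_type.split(";", 1)[0].strip().lower()


def declared_is_xml(media_type):
    return media_type in XML_TYPES or media_type.endswith("+xml")


def body_is_xml(body):
    """Infer whether the raw body is an XML document (UTF-8 BOM tolerated)."""
    if body.startswith(b"\xef\xbb\xbf"):
        body = body[3:]
    return bool(_XML_START.match(body))


def evaluate(headers, body, actions):
    """Apply the inferContentTypeXmlPayload actions to one request.

    actions: a set drawn from {"block", "log", "stats"}; an empty set means
    "none". As on the appliance, "none" cannot be combined with other actions.
    """
    if "none" in actions and len(actions) > 1:
        raise ValueError("'none' cannot be combined with any other action")
    media_type = declared_media_type(headers)
    inferred_xml = body_is_xml(body)
    # A mismatch is an XML-looking body declared as a non-XML type. text/html
    # is excluded because HTML bodies legitimately start with markup.
    mismatch = inferred_xml and not declared_is_xml(media_type) and media_type != "text/html"
    decision = {
        "declared": media_type or "(none)",
        "inferred_xml": inferred_xml,
        "mismatch": mismatch,
        "blocked": False,
        "log": None,
        "stat_increment": 0,
    }
    if mismatch:
        if "block" in actions:
            decision["blocked"] = True
        if "log" in actions:
            decision["log"] = (
                "APPFW infer-content-type violation: declared=%s inferred=xml"
                % decision["declared"]
            )
        if "stats" in actions:
            decision["stat_increment"] = 1
    return decision


# Constructed sample requests: (headers, body, configured actions).
SAMPLES = [
    ({"Content-Type": "application/json"}, b'{"order": {"id": 1}}', {"block", "log", "stats"}),
    ({"Content-Type": "text/xml; charset=utf-8"}, b'<?xml version="1.0"?><order><id>1</id></order>', {"block", "log", "stats"}),
    # XML disguised as JSON so that XML-specific checks would be skipped: mismatch.
    ({"content-type": "application/json"}, b'<?xml version="1.0"?><!DOCTYPE order><order><id>1</id></order>', {"block", "log", "stats"}),
    # Bare root element, no XML declaration, declared as a form post; log-only profile.
    ({"Content-Type": "application/x-www-form-urlencoded"}, b"  <order><id>1</id></order>", {"log"}),
    ({"Content-Type": "text/html"}, b"<!DOCTYPE html><html><body>hi</body></html>", {"block"}),
]


def run_samples():
    """Evaluate every constructed sample and return the list of decisions."""
    return [evaluate(h, b, a) for h, b, a in SAMPLES]


if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
```

Only the third and fourth samples are mismatches; the third is blocked, logged and counted, while the fourth, on a log-only profile, is forwarded but recorded, which mirrors how the four action types combine on the appliance.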

Configure XXE injection check by using NetScaler GUI

Complete the following steps to configure the XXE injection check.

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. On the Profiles page, select a profile and click Edit.
  3. On the NetScaler Web App Firewall Profile page, go to the Advanced Settings section and click Security Checks.
  4. In the Security Checks section, select Infer Content Type XML Payload and click Action settings.
  5. In the Infer Content Type XML Payload Settings page, set the following parameter:
     Actions. Select one or more actions to perform for the XXE injection security check.
  6. Click OK.

Viewing XXE injection traffic and violation statistics

The NetScaler Web App Firewall Statistics page shows security traffic and security violation details in a tabular or graphical format.

To view security statistics by using the command line interface:

At the command prompt, type:

stat appfw profile profile1

Viewing XXE injection statistics by using the NetScaler GUI

Complete the following steps to view the XXE injection statistics:

  1. Navigate to Security > NetScaler Web App Firewall > Profiles.
  2. In the details pane, select a Web App Firewall profile and click Statistics.
  3. The NetScaler Web App Firewall Statistics page displays the XXE injection traffic and violation details.
  4. You can select Tabular View or switch to Graphical View to display the data in a tabular or graphical format.