Protecting JSON applications using signatures

JavaScript Object Notation (JSON) is a text-based open standard derived from the JavaScript scripting language. JSON is preferred for human readable representation of simple data structures and associative arrays, called objects. It serves as an alternative to XML and is primarily used to transmit serialized data structures for communicating with web applications. The JSON files are typically saved with a .json extension.

The JSON payload is typically sent with the MIME type specified asapplication/json. The other “standard” content types for JSON are:

• application/x-javascript
• text/javascript
• text/x-javascript
• text/x-json

Using the Citrix Web App Firewall signatures to protect JSON applications

To allow JSON requests, the appliance is preconfigured with the JSON content type as shown in the following show-command output:

> sh appfw jsonContentType 1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX Done 

The Citrix Web App Firewall processes the post body for the following content-types only:

• application/x-www-form-urlencoded
• multipart/form-data
• 文本/ x-gwt-rpc

The requests that are received with other content-type headers including application/json (or any other allowed content type) are forwarded to the backend after header inspection. The post body in such requests is not inspected for security check violations even when the profile’s security checks such as SQL or XSS are enabled.

In order to protect JSON applications and detect violations, Web App Firewall signatures can be used. All requests that contain the allowed content-type header are processed by the Web App Firewall for signature match. You can add your own customized signature rules to process JSON payload to perform various security check inspections (for example, XSS, SQL, and Field Consistency), to detect violations in the headers as well as the post body, and take specified actions.

Tip

Unlike the other built-in defaults, the preconfigured JSON content type can be edited or removed by using the CLI or the GUI (GUI). If legitimate requests for JSON applications are getting blocked and triggering content-type violations, check to make sure that the content type value is configured accurately. For additional details regarding how Web App Firewall processes content-type header, seeContent type protection

To add or remove JSON content-type by using the command line interface

At the command prompt, type one of the following commands:

add appfw jsonContentType ^application/json$ IsRegEx REGEX

rm appfw JSONContentType "^application/json$"

To managing JSON content types by using the GUI

Navigate toSecurity>Web App Firewalland, in theSettingssection, select米anage JSON Content Types.

In theConfigure Web App Firewall JSON Content Typepanel, add, edit, or delete JSON content types to suit the needs of your applications.

Configuring signature protection to detect attacks in JSON payload

In addition to a valid JSON content type, you need to configure signatures to specify the pattern(s) that, when detected in a JSON request, indicate a security breach. The specified actions, such as block and log, are taken when an incoming request triggers a match for all the target patterns in the signature rule.

To add a customized signature rule, Citrix recommends that you use the GUI. Navigate toSystem>Security>Web App Firewall>团体natures. Double click the target signature object to access theEdit Web App Firewall Signaturespanel. Click on theAddbutton to configure the actions, category, log string, rule patterns and so on. Although Web App Firewall inspects all allowed content-type payload for signature match, you can optimize the processing by specifying the JSON expression in the rule. When youAdda new rule pattern, selectExpressionin the drop-down options for米atchand provide the target match expression from your JSON payload to identify the specific requests that need to be inspected. An expression must begin with aTEXT.prefix. You can add other rule patterns to specify additional match patterns to identify the attack.

The following example shows a signature rule. If any cross-site script tag is detected in the POST body of the JSON payload that matches the specified XPATH_JSON expression, a signature match is triggered.

Example of a signature to detect XSS in JSON payload

     TEXT.XPATH_JSON(xp%/glossary/title%).CONTAINS("example glossary")    POST        Cross-site scripting violation detected in json payload   

Example of the payload

The following payload triggers the signature match, because it includes the cross-site scripting tag.

{"glossary": {"title": "example glossary","GlossDiv": {"title": "S","GlossList": {"GlossEntry": {"ID": "SGML","SortAs": "SGML","GlossTerm": "Standard Generalized Markup Language","Acronym": "SGML","Abbrev": "ISO 8879:1986","GlossDef": {"para": "A meta-markup language, used to create markup languages **** such as DocBook.","GlossSeeAlso": ["GML", "XML"]},"GlossSee": "markup"}}}}} 

Example of the log message

Aug 21 12:21:42  10.217.31.239 08/21/2015:23:21:42 GMT ns 0-PPE-1 : APPFW APPFW_SIGNATURE_MATCH 1471 0 : 10.217.253.62 990-PPE0 NtJnVMNnvPeQJnaUzXYW/GTvAQsA010 prof1 http://10.217.31.212/FFC/login_post.php Signature violation rule ID 1000001: cross-site scripting violation detected in json payload  

Note

If you send the same payload after removing the cross-site script tag (), the signature rule match is not triggered.

Highlights

• To protect JSON payload, use Web App Firewall signatures to detect XSS, SQL and other violations.
• Verify that the JSON content type is configured on the appliance as the allowed content type.
• 米ake sure that the content type in the payload matches the configured JSON content type.
• 米ake sure that all the patterns configured in the signature rule match for the signature violation to be triggered.
• When you add a signature rule, it MUST have at least one Rule pattern to match the Expression in the JSON payload. All the PI expressions in signature rules must start with the prefix TEXT. and must be Boolean.

Protect application or JSON content-type with SQL and XSS encoded payload using policies and signatures

Citrix Web App Firewall can protect application or JSON content type using policies and signatures.

Inspect application or JSON content type for SQL injection using policies

You must add the following policies and bind it to virtual server globally for supporting SQL injection.

添加appfw策略sqli_1 HTTP.REQ.BODY .SET_T (10000)EXT_MODE(IGNORECASE).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.REGEX_MATCH(re#(((\\A)|(?<=[^a-zA-Z0-9_])))(select|insert|delete|update|drop|create|alter|grant|revoke|commit|rollback|shutdown|union|intersect|minus|case|decode|where|group|begin|join|exists|distinct|add|modify|constraint|null|like|exec|execute|char|or|and|sp_sdidebug)(( Z)|(?=[^a-zA-Z0-9_]))#) APPFW_BLOCK

add appfw policy sqli_2 HTTP.REQ.BODY(10000).SET_TEXT_MODE(IGNORECASE).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.REGEX_MATCH(re#((\\A)|(?<=[^a-zA-Z0-9_]))(xp_availablemedia|xp_cmdshell|xp_deletemail|xp_dirtree|xp_dropwebtask|xp_dsninfo|xp_enumdsn|xp_enumerrorlogs|xp_enumgroups|xp_enumqueuedtasks|xp_eventlog|xp_findnextmsg|xp_fixeddrives|xp_getfiledetails|xp_getnetname|xp_grantlogin|xp_logevent|xp_loginconfig|xp_logininfo|xp_makewebtask|xp_msver|xp_regread|xp_perfend|xp_perfmonitor|xp_perfsample|xp_perfstart|xp_readerrorlog|xp_readmail|xp_revokelogin|xp_runwebtask|xp_schedulersignal|xp_sendmail|xp_servicecontrol|xp_snmp_getstate|xp_snmp_raisetrap|xp_sprintf|xp_sqlinventory|xp_sqlregister|xp_sqltrace|xp_sscanf|xp_startmail|xp_stopmail|xp_subdirs|xp_unc_to_drive)(( Z)|(?=[^a-zA-Z0-9_]))#) APPFW_BLOCK

add appfw policy sqli_3 HTTP.REQ.BODY(10000).SET_TEXT_MODE(IGNORECASE).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.REGEX_MATCH(re#((\\A)|(?<=[^a-zA-Z0-9_]))(sysobjects|syscolumns|MSysACEs|MSysObjects|MSysQueries|MSysRelationships)(( Z)|(?=[^a-zA-Z0-9_]))#) APPFW_BLOCK

add appfw policy sqli_4 HTTP.REQ.BODY(10000).SET_TEXT_MODE(IGNORECASE).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.REGEX_MATCH(re#((\\A)|(?<=[^a-zA-Z0-9_]))(SYS\.USER_OBJECTS|SYS\.TAB|SYS\.USER_TABLES|SYS\.USER_VIEWS|SYS\.ALL_TABLES|SYS\.USER_TAB_COLUMNS|SYS\.USER_CONSTRAINTS|SYS\.USER_TRIGGERS|SYS\.USER_CATALOG|SYS\.ALL_CATALOG|SYS\.ALL_CONSTRAINTS|SYS\.ALL_OBJECTS|SYS\.ALL_TAB_COLUMNS|SYS\.ALL_TAB_PRIVS|SYS\.ALL_TRIGGERS|SYS\.ALL_USERS|SYS\.ALL_VIEWS|SYS\.USER_ROLE_PRIVS|SYS\.USER_SYS_PRIVS|SYS\.USER_TAB_PRIVS)(( Z)|(?=[^a-zA-Z0-9_]))#) APPFW_BLOCK

Inspect application or JSON content type using signatures

You can add the following signature rules to the signature object in the application firewall profile to support SQL injection for JSON content-type.

Note:

Post body signatures are cpu-intensive.

< ?xml version = " 1.0 " encoding = " utf - 8 " ?> < !——Copyright 2013-2018 Citrix Systems, Inc. All rights reserved. -->        TEXT.SET_TEXT_MODE(IGNORECASE).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.REGEX_MATCH(re#(((\\A)|(?<=[^a-zA-Z0-9_])))(select|insert|delete|update|drop|create|alter|grant|revoke|commit|rollback|shutdown|union|intersect|minus|case|decode|where|group|begin|join|exists|distinct|add|modify|constraint|null|like|exec|execute|char|or|and|sp_sdidebug)(( Z)|(?=[^a-zA-Z0-9_]))#)    T    sql Injection        TEXT.SET_TEXT_MODE(IGNORECASE).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.REGEX_MATCH(re#((\\A)|(?<=[^a-zA-Z0-9_]))(xp_availablemedia|xp_cmdshell|xp_deletemail|xp_dirtree|xp_dropwebtask|xp_dsninfo|xp_enumdsn|xp_enumerrorlogs|xp_enumgroups|xp_enumqueuedtasks|xp_eventlog|xp_findnextmsg|xp_fixeddrives|xp_getfiledetails|xp_getnetname|xp_grantlogin|xp_logevent|xp_loginconfig|xp_logininfo|xp_makewebtask|xp_msver|xp_regread|xp_perfend|xp_perfmonitor|xp_perfsample|xp_perfstart|xp_readerrorlog|xp_readmail|xp_revokelogin|xp_runwebtask|xp_schedulersignal|xp_sendmail|xp_servicecontrol|xp_snmp_getstate|xp_snmp_raisetrap|xp_sprintf|xp_sqlinventory|xp_sqlregister|xp_sqltrace|xp_sscanf|xp_startmail|xp_stopmail|xp_subdirs|xp_unc_to_drive)(( Z)|(?=[^a-zA-Z0-9_]))#)    T    sql Injection        TEXT.SET_TEXT_MODE(IGNORECASE).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.REGEX_MATCH(re#((\\A)|(?<=[^a-zA-Z0-9_]))(sysobjects|syscolumns|MSysACEs|MSysObjects|MSysQueries|MSysRelationships)(( Z)|(?=[^a-zA-Z0-9_]))#)    T    sql Injection        TEXT.SET_TEXT_MODE(IGNORECASE).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.REGEX_MATCH(re#((\\A)|(?<=[^a-zA-Z0-9_]))(SYS\.USER_OBJECTS|SYS\.TAB|SYS\.USER_TABLES|SYS\.USER_VIEWS|SYS\.ALL_TABLES|SYS\.USER_TAB_COLUMNS|SYS\.USER_CONSTRAINTS|SYS\.USER_TRIGGERS|SYS\.USER_CATALOG|SYS\.ALL_CATALOG|SYS\.ALL_CONSTRAINTS|SYS\.ALL_OBJECTS|SYS\.ALL_TAB_COLUMNS|SYS\.ALL_TAB_PRIVS|SYS\.ALL_TRIGGERS|SYS\.ALL_USERS|SYS\.ALL_VIEWS|SYS\.USER_ROLE_PRIVS|SYS\.USER_SYS_PRIVS|SYS\.USER_TAB_PRIVS)(( Z)|(?=[^a-zA-Z0-9_]))#)    T    sql Injection