ADC

HTML cross-site scripting check

The HTML Cross-Site Scripting (XSS) check examines both the headers and the POST bodies of user requests for possible cross-site scripting attacks. If it finds a cross-site script, it either modifies (transforms) the request to render the attack harmless, or blocks the request.

Note:

The HTML Cross-Site Scripting (XSS) check inspects request headers such as Content-Type and Content-Length; it does not inspect the Cookie header. Also make sure that the ‘checkRequestHeaders’ option is enabled in your Web Application Firewall profile, since header inspection depends on it.

To prevent scripts on your protected web sites from being misused to breach their security, the HTML Cross-Site Scripting check blocks scripts that violate the same origin rule, which states that a script should not access or modify content on any server other than the one on which it is located. A script that violates the same origin rule is called a cross-site script, and the practice of using scripts to access or modify content on another server is called cross-site scripting. Cross-site scripting is a security issue because a web server that allows it can be attacked with a script that is hosted not on that web server but on a different one, such as a server owned and controlled by the attacker.

Unfortunately, many companies have a large installed base of JavaScript-enhanced web content that violates the same origin rule. If you enable the HTML Cross-Site Scripting check on such a site, you have to generate the appropriate exceptions so that the check does not block legitimate activity.

The Web App Firewall offers various action options for implementing HTML Cross-Site Scripting protection. In addition to the Block, Log, Stats and Learn actions, you also have the option to Transform cross-site scripts to render an attack harmless by entity encoding the script tags in the submitted request. You can configure the Check complete URLs for cross-site scripting parameter to specify whether you want to inspect not just the query parameters but the entire URL to detect XSS attacks. You can configure the InspectQueryContentTypes parameter to inspect the request query portion for XSS attacks for specific content types.

You can deploy relaxations to avoid false positives. The Web App Firewall learning engine can provide recommendations for configuring relaxation rules.

The following options are available for configuring optimized HTML Cross-Site Scripting protection for your application:

  • Block—If you enable block, the block action is triggered if XSS tags are detected in the request.
  • Log—If you enable the log feature, the HTML Cross-Site Scripting check generates log messages indicating the actions that it takes. If block is disabled, a separate log message is generated for each header or form field in which the XSS violation was detected. However, only one message is generated when the request is blocked. Similarly, one log message per request is generated for the transform operation, even when XSS tags are transformed in multiple fields. You can monitor the logs to determine whether responses to legitimate requests are getting blocked. A large increase in the number of log messages can indicate attempts to launch an attack.
  • Stats—If enabled, the stats feature gathers statistics about violations and logs. An unexpected surge in the stats counter might indicate that your application is under attack. If legitimate requests are getting blocked, you might have to revisit the configuration to see if you need to configure new relaxation rules or modify the existing ones.
  • Learn—If you are not sure which relaxation rules might be ideally suited for your application, you can use the learn feature to generate HTML Cross-Site Scripting rule recommendations based on the learned data. The Web App Firewall learning engine monitors the traffic and provides learning recommendations based on the observed values. To get optimal benefit without compromising performance, you might want to enable the learn option for a short time to get a representative sample of the rules, and then deploy the rules and disable learning.
  • Transform cross-site scripts—If enabled, the Web App Firewall makes the following changes to requests that match the HTML Cross-Site Scripting check:
    • Left angle bracket (<) to its HTML character entity equivalent (&lt;)
    • Right angle bracket (>) to its HTML character entity equivalent (&gt;)

This ensures that browsers do not interpret unsafe HTML tags, such as
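The action semantics described above (Cookie header skipped, checkRequestHeaders gating header inspection, one log line when blocked, one per request when transformed, one per violating field when neither, relaxations suppressing matches, and the transform encoding only the angle brackets) are easier to reason about with a small executable model. The following Python is an added illustration written for this page; it is not NetScaler's engine or API. The tag-detection regex, the Request and Result types, and the relaxation model (a set of field names to skip) are assumptions made for the example, and the sample request is constructed.

```python
import re
from dataclasses import dataclass

# Assumption for this example: anything that looks like an opening or closing
# HTML tag ("<script", "</script", "<img ...") counts as an XSS tag.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][A-Za-z0-9-]*")

# Per the note above, the Cookie header is not inspected.
SKIPPED_HEADERS = {"cookie"}


@dataclass
class Request:
    headers: dict   # header name -> value
    form: dict      # parsed POST body fields, name -> value


@dataclass
class Result:
    blocked: bool
    transformed: bool
    violations: list   # (kind, name) pairs, kind is "header" or "field"
    logs: list         # one string per log message the model would emit
    request: Request   # original request, or the transformed copy


def transform_unsafe_html(value: str) -> str:
    """The transform action: entity-encode only '<' and '>'.
    Other characters (quotes, ampersands) are left untouched."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def xss_check(req, block=True, transform=False, relaxations=frozenset(),
              check_request_headers=True):
    """Model of the HTML XSS check: block wins over transform; otherwise log."""
    candidates = []
    if check_request_headers:  # models the checkRequestHeaders profile option
        for name, value in req.headers.items():
            if name.lower() in SKIPPED_HEADERS:
                continue
            candidates.append(("header", name, value))
    for name, value in req.form.items():
        candidates.append(("field", name, value))

    # Relaxations (hypothetical model): skip fields the admin has exempted.
    violations = [(kind, name) for kind, name, value in candidates
                  if name not in relaxations and TAG_RE.search(value)]
    if not violations:
        return Result(False, False, [], [], req)

    if block:
        # Exactly one log message when the request is blocked.
        return Result(True, False, violations,
                      [f"XSS violation: request blocked ({len(violations)} field(s))"], req)

    if transform:
        # One log message per request, even if several fields were rewritten.
        new_headers, new_form = dict(req.headers), dict(req.form)
        for kind, name in violations:
            target = new_headers if kind == "header" else new_form
            target[name] = transform_unsafe_html(target[name])
        return Result(False, True, violations,
                      [f"XSS transform: encoded tags in {len(violations)} field(s)"],
                      Request(new_headers, new_form))

    # Log only: a separate message for each header or form field that matched.
    logs = [f"XSS violation in {kind} '{name}' (not blocked)" for kind, name in violations]
    return Result(False, False, violations, logs, req)


# Constructed sample request: the Cookie carries a tag but must be ignored.
SAMPLE = Request(
    headers={"User-Agent": "Mozilla/5.0", "Cookie": "sid=<script>x</script>"},
    form={"comment": "Nice post <script>alert(1)</script>", "name": "alice"},
)

if __name__ == "__main__":
    for mode in ({"block": True}, {"block": False, "transform": True},
                 {"block": False, "transform": False}):
        r = xss_check(SAMPLE, **mode)
        print(mode, r.blocked, r.transformed, r.logs, r.request.form["comment"])
```

Running the block shows the three outcomes for the same request: blocked with one log line, transformed to `Nice post &lt;script&gt;alert(1)&lt;/script&gt;` with one log line, or passed through with one log line per violating field. Adding `"comment"` to `relaxations` is the model's equivalent of deploying a relaxation rule: the field is no longer reported at all, which is why you verify relaxations against real traffic before widening them.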