Citrix ADC

Buffer overflow check

The Buffer Overflow check detects attempts to cause a buffer overflow on the web server. If the Web App Firewall detects that the URL, cookies, or header are longer than the configured length, it blocks the request because it can cause a buffer overflow.

The Buffer Overflow check prevents attacks against insecure operating-system or web-server software that can crash or behave unpredictably when it receives a data string that is larger than it can handle. Proper programming techniques prevent buffer overflows by checking incoming data and either rejecting or truncating overlong strings. Many programs, however, do not check all incoming data and are therefore vulnerable to buffer overflows. This issue especially affects older versions of web-server software and operating systems, many of which are still in use.

The Buffer Overflow security check allows you to configure the Block, Log, and Stats actions. In addition, you can also configure the following parameters:

  • Maximum URL Length. Maximum length the Web App Firewall allows in a requested URL. Requests with longer URLs are blocked. Possible Values: 0–65535. Default: 1024
  • Maximum Cookie Length. Maximum length the Web App Firewall allows for all cookies in a request. Requests with longer cookies trigger the violations. Possible Values: 0–65535. Default: 4096
  • Maximum Header Length. Maximum length the Web App Firewall allows for HTTP headers. Requests with longer headers are blocked. Possible Values: 0–65535. Default: 4096
  • Query string length. Maximum length allowed for the query string in an incoming request. Requests with longer queries are blocked. Possible Values: 0–65535. Default: 1024
  • Total request length. Maximum request length allowed for an incoming request. Requests with longer length are blocked. Possible Values: 0–65535. Default: 24820

Using the command line to configure the Buffer Overflow security check

To configure Buffer Overflow security check actions and other parameters by using the command line

At the command prompt, type:

add appfw profile <name> -bufferOverflowMaxURLLength <positive_integer> -bufferOverflowMaxHeaderLength <positive_integer> -bufferOverflowMaxCookieLength <positive_integer> -bufferOverflowMaxQueryLength <positive_integer> -bufferOverflowMaxTotalHeaderLength <positive_integer>

Example:

add appfw profile profile1 -bufferOverflowMaxURLLength 7000 -bufferOverflowMaxHeaderLength 7250 -bufferOverflowMaxCookieLength 7100 -bufferOverflowMaxQueryLength 7300 -bufferOverflowMaxTotalHeaderLength 7300

Configure buffer overflow security check by using the Citrix ADC GUI

  1. Navigate to Security > Web App Firewall and Profiles.
  2. On the Profiles page, select a profile and click Edit.
  3. On the Citrix Web App Firewall Profile page, go to the Advanced Settings section and click Security Checks.
  4. In the Security Checks section, select Buffer Overflow and click Action Settings.
  5. In the Buffer Overflow Settings page, set the following parameters.
     a. Actions. Select one or more actions to perform for this security check.
     b. Maximum URL Length. Maximum length, in characters, for URLs on your protected websites. Requests with longer URLs are blocked.
     c. Maximum Cookie Length. Maximum length, in characters, for cookies sent to your protected websites. Requests with longer cookies are blocked.
     d. Maximum Header Length. Maximum length, in characters, for HTTP headers in requests sent to your protected websites. Requests with longer headers are blocked.
     e. Maximum Query Length. Maximum length, in bytes, for the query string sent to your protected websites. Requests with longer query strings are blocked.
     f. Maximum Total Header Length. Maximum length, in bytes, for the total HTTP header length in requests sent to your protected websites. The minimum of this value and maxHeaderLen in httpProfile is used. Requests with longer length are blocked.
  6. Click OK and Close.

    Buffer overflow check configuration

Using the Log Feature with the Buffer Overflow Security Check

When the log action is enabled, the Buffer Overflow security check violations are logged in the audit log as APPFW_BUFFEROVERFLOW_URL, APPFW_BUFFEROVERFLOW_COOKIE, and APPFW_BUFFEROVERFLOW_HDR violations. The Web App Firewall supports both Native and CEF log formats. You can also send the logs to a remote syslog server.

If you use the GUI to review the logs, you can use the click-to-deploy feature to apply relaxations indicated by the logs.

To access the log messages by using the command line

Switch to the shell and tail ns.log in the /var/log/ folder to access the log messages pertaining to the Buffer Overflow violations:

> shell
> tail -f /var/log/ns.log | grep APPFW_BUFFEROVERFLOW

Example of a CEF log message showing bufferOverflowMaxCookieLength violation in non-block mode

Oct 22 17:35:20  10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|**APPFW_BUFFEROVERFLOW_COOKIE**|6|src=10.217.253.62 geolocation=Unknown spt=41198 method=GET request=http://aaron.stratum8.net/FFC/sc11.html **msg=Cookie header length(43) is greater than maximum allowed(16).** cn1=119 cn2=465 cs1=owa_profile cs2=PPE1 cs3=wvOOOb+cJ2ZRbstZpyeNXIqLj7Y0001 cs4=ALERT cs5=2015 **act=not blocked** 

Example of a CEF log message showing bufferOverflowMaxURLLength violation in non-block mode

Oct 22 18:39:56  10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|**APPFW_BUFFEROVERFLOW_URL**|6|src=10.217.253.62 geolocation=Unknown spt=19171 method=GET request=http://aaron.stratum8.net/FFC/sc11.html **msg=URL length(39) is greater than maximum allowed(20).** cn1=707 cn2=402 cs1=owa_profile cs2=PPE0 cs3=kW49GcKbnwKByByi3+jeNzfgWa80000 cs4=ALERT cs5=2015 **act=not blocked** 

Example of a native format log message showing bufferOverflowMaxHeaderLength violation in block mode

Oct 22 18:44:00  10.217.31.98 10/22/2015:18:44:00 GMT ns 0-PPE-2 : default APPFW **APPFW_BUFFEROVERFLOW_HDR** 155 0 : 10.217.253.62 374-PPE2 khhBEeY4DB8V2D3H2sMLkXmfWnA0002 owa_profile **Header(User-Agent) length(82) is greater than maximum allowed(10)** : http://aaron.stratum8.net/

To access the log messages by using the GUI

The Citrix GUI includes a useful tool (Syslog Viewer) for analyzing the log messages. You have multiple options for accessing the Syslog Viewer:

  • Navigate to Application Firewall > Profiles, select the target profile, and click Security Checks. Highlight the Buffer Overflow row and click Logs. When you access the logs directly from the Buffer Overflow Security Check of the profile, the GUI filters out the log messages and displays only the logs pertaining to these security check violations.

  • You can also access the Syslog Viewer by navigating to NetScaler > System > Auditing. In the Audit Messages section, click the Syslog messages link to display the Syslog Viewer, which displays all log messages, including other security check violation logs. This is useful for debugging when multiple security check violations might be triggered during request processing.

  • Navigate to Application Firewall > policies > Auditing. In the Audit Messages section, click the Syslog messages link to display the Syslog Viewer, which displays all log messages, including other security check violation logs.

The XML based Syslog Viewer provides various filter options for selecting only the log messages that are of interest to you. To select log messages for the Buffer Overflow check, filter by selecting APPFW in the drop-down list options for Module. The Event Type list offers three options, APPFW_BUFFEROVERFLOW_URL, APPFW_BUFFEROVERFLOW_COOKIE, and APPFW_BUFFEROVERFLOW_HDR, to view all the log messages pertaining to the buffer overflow security check. You can select one or more options to further refine your selection. For example, if you select the APPFW_BUFFEROVERFLOW_COOKIE check box and click the Apply button, only log messages pertaining to the Buffer Overflow security check violations for the Cookie header appear in the Syslog Viewer. If you place the cursor in the row for a specific log message, multiple options, such as Module, Event Type, Event ID, and Client IP, appear below the log message. You can select any of these options to highlight the corresponding information in the log message.

Click-to-Deploy: The GUI provides click-to-deploy functionality, which is currently supported only for the buffer overflow log messages pertaining to URL Length violations. You can use the Syslog Viewer not only to view the triggered violations, but also to make informed decisions based on the observed lengths of the blocked messages. If the current value is too restrictive and is triggering false positives, you can select a message and deploy it to replace the current value with the URL length value seen in the message. The log messages must be in CEF log format for this operation. If the relaxation can be deployed for a log message, a check box appears at the right edge of the Syslog Viewer box in the row. Select the check box, and then select an option from the Action list to deploy the relaxation. Edit & Deploy, Deploy, and Deploy All are available as Action options. You can use the APPFW_BUFFEROVERFLOW_URL filter to isolate all the log messages pertaining to the configured URL length violations.

If you select an individual log message, all three action options Edit & Deploy, Deploy, and Deploy All are available. If you select Edit & Deploy, the Buffer Overflow settings dialogue is displayed. The new URL length that was observed in the request is inserted into the Maximum URL length input field. If you click Close without any edits, the current configured values remain unchanged. If you click the OK button, the new value of the Maximum URL length replaces the previous value.

Note

The block, log and stats action check boxes are unchecked in the displayed Buffer Overflow settings dialogue, and need to be reconfigured if you select the Edit & Deploy option. Make sure to enable these check boxes before clicking OK; otherwise the new URL length gets configured but the actions are set to none.

If you select the check boxes for multiple log messages, you can use the Deploy or Deploy All option. If the deployed log messages have different URL lengths, the configured value gets replaced by the highest URL Length value observed in the selected messages. Deploying the rule results only in changing the bufferOverflowMaxURLLength value. Configured actions are retained and remain unchanged.
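As an added example (not part of the Citrix documentation), the Python below parses CEF messages of the shape shown in the log examples above, pulling out the event type, the observed and allowed lengths from the msg field and the act field, and then mirrors the Deploy All rule: the highest URL length observed in the selected APPFW_BUFFEROVERFLOW_URL messages becomes the new bufferOverflowMaxURLLength. The first two sample lines are the page's own; the third is constructed.

```python
import re

# Two CEF lines from this page's examples plus one constructed line (URL length 56)
# so that "Deploy All" has more than one URL-length observation to choose from.
SAMPLE_CEF_LOGS = [
    "Oct 22 17:35:20  10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_BUFFEROVERFLOW_COOKIE|6|src=10.217.253.62 geolocation=Unknown spt=41198 method=GET request=http://aaron.stratum8.net/FFC/sc11.html msg=Cookie header length(43) is greater than maximum allowed(16). cn1=119 cn2=465 cs1=owa_profile cs2=PPE1 cs3=wvOOOb+cJ2ZRbstZpyeNXIqLj7Y0001 cs4=ALERT cs5=2015 act=not blocked",
    "Oct 22 18:39:56  10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_BUFFEROVERFLOW_URL|6|src=10.217.253.62 geolocation=Unknown spt=19171 method=GET request=http://aaron.stratum8.net/FFC/sc11.html msg=URL length(39) is greater than maximum allowed(20). cn1=707 cn2=402 cs1=owa_profile cs2=PPE0 cs3=kW49GcKbnwKByByi3+jeNzfgWa80000 cs4=ALERT cs5=2015 act=not blocked",
    # Constructed line: same request with a query string, so the URL is longer.
    "Oct 22 18:41:10  10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_BUFFEROVERFLOW_URL|6|src=10.217.253.62 geolocation=Unknown spt=19172 method=GET request=http://aaron.stratum8.net/FFC/sc11.html?view=full&page=2 msg=URL length(56) is greater than maximum allowed(20). cn1=708 cn2=402 cs1=owa_profile cs2=PPE0 cs3=CONSTRUCTEDSESSIONID0000 cs4=ALERT cs5=2015 act=not blocked",
]

# CEF header: CEF:version|vendor|product|version|module|event|severity|extension
CEF_RE = re.compile(
    r"CEF:\d+\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<module>[^|]*)\|(?P<event>[^|]*)\|(?P<severity>[^|]*)\|(?P<ext>.*)$"
)
# The msg text carries both numbers the relaxation decision needs.
LENGTH_RE = re.compile(r"length\((\d+)\) is greater than maximum allowed\((\d+)\)")


def parse_cef(line):
    """Return a dict of CEF header fields plus extension key=value pairs, or None."""
    m = CEF_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    ext = rec.pop("ext")
    # Extension values (msg=..., act=not blocked) contain spaces, so split the
    # extension only in front of a token that looks like a new key.
    rec.update(p.split("=", 1) for p in re.split(r" (?=\w+=)", ext))
    lengths = LENGTH_RE.search(rec.get("msg", ""))
    rec["observed"] = int(lengths.group(1)) if lengths else None
    rec["allowed"] = int(lengths.group(2)) if lengths else None
    return rec


def buffer_overflow_events(lines, event_type=None):
    """Filter like the Syslog Viewer: Module APPFW, optionally one Event Type."""
    out = []
    for rec in map(parse_cef, lines):
        if rec and rec["module"] == "APPFW" and rec["event"].startswith("APPFW_BUFFEROVERFLOW"):
            if event_type is None or rec["event"] == event_type:
                out.append(rec)
    return out


def deploy_all_url_length(records):
    """Deploy All: the highest observed URL length among the selected
    APPFW_BUFFEROVERFLOW_URL messages becomes the new bufferOverflowMaxURLLength."""
    observed = [r["observed"] for r in records
                if r["event"] == "APPFW_BUFFEROVERFLOW_URL" and r["observed"] is not None]
    return max(observed) if observed else None
```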

To use Click-to-Deploy functionality in the GUI

  1. In the Syslog Viewer, select APPFW in the Module options.
  2. Enable the APPFW_BUFFEROVERFLOW_URL check box as the Event Type to filter corresponding log messages.
  3. Enable the check box to select the rule.
  4. Use the Action drop-down list of options to deploy the relaxation.
  5. Navigate to Application Firewall > Profiles, select the target profile, and click Security Checks to access the Buffer Overflow settings pane to verify that the Maximum URL Length value is updated.

Statistics for the Buffer Overflow violations

When the stats action is enabled, the counter for the Buffer Overflow Security Check is incremented when the Web App Firewall takes any action for this security check. The statistics are collected for Rate and Total count for Traffic, Violations, and Logs. The size of an increment of the log counter can vary depending on the configured settings. For example, if the block action is enabled, a request for a page that contains three Buffer Overflow violations increments the stats counter by one, because the page is blocked when the first violation is detected. However, if block is disabled, processing the same request increments the stat counter for violations because each violation generates a separate log message.

To display Buffer Overflow Security Check statistics by using the command line

At the command prompt, type:

> sh appfw stats

To display stats for a specific profile, use the following command:

> stat appfw profile

To display Buffer Overflow statistics by using the GUI

  1. Navigate to System > Security > Application Firewall.
  2. In the right pane, access the Statistics link.
  3. Use the scroll bar to view the statistics about Buffer Overflow violations and logs. The statistics table provides real-time data and is updated every 7 seconds.

Highlights

  • The buffer overflow security check allows you to configure limits to enforce the maximum length of allowed URLs, Cookies, and Headers.

  • Block, Log and Stats actions enable you to monitor the traffic and configure optimal protection for your application.

  • Syslog viewer enables you to filter and view all the log messages pertaining to buffer overflow violations.

  • Click-to-Deploy functionality is supported for bufferOverflowMaxURLLength violations. You can select and deploy an individual rule, or you can select multiple log messages to tweak and relax the current configured value of the maximum allowed length of the URL. The highest value of the URL from the selected group is set as the new value, to allow all these requests that are currently flagged as violations.

  • The Web App Firewall now evaluates individual cookies when inspecting the incoming request. If the length of any one cookie received in the Cookie header exceeds the configured BufferOverflowMaxCookieLength, the Buffer Overflow violation is triggered.

Important

In the 10.5.e release (in some interim enhancement builds prior to the 59.13xx.e build) and in the 11.0 release (in builds prior to 65.x), Web App Firewall processing of the Cookie header was changed. In those releases, every cookie is evaluated individually, and if the length of any one cookie received in the Cookie header exceeds the configured BufferOverflowMaxCookieLength, the Buffer Overflow violation is triggered. As a result of this change, requests that were blocked in 10.5 and earlier release builds might be allowed, because the length of the entire cookie header is not calculated for determining the cookie length. In some situations, the total cookie size forwarded to the server might be larger than the accepted value, and the server might respond with “400 Bad Request”.

This change has been reverted. The behavior in the 10.5.e 59.13xx.e and subsequent 10.5.e enhancement builds, and in the 11.0 release 65.x and subsequent builds, is now similar to that of the non-enhancement builds of release 10.5. The entire raw Cookie header is now considered when calculating the length of the cookie. Surrounding spaces and the semicolon (;) characters separating the name-value pairs are also included in determining the cookie length.
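As an added example (not Citrix code), the Python below models how the limits from the CLI example earlier on this page are applied to a request, including the cookie rule just described: the whole raw Cookie header counts, with the reverted per-cookie measurement shown for comparison. How per-header and total header bytes are counted is an assumption here, not stated on the page.

```python
from urllib.parse import urlsplit

# Limits from the page's CLI example: add appfw profile profile1 ...
PROFILE1_LIMITS = {
    "bufferOverflowMaxURLLength": 7000,
    "bufferOverflowMaxHeaderLength": 7250,
    "bufferOverflowMaxCookieLength": 7100,
    "bufferOverflowMaxQueryLength": 7300,
    "bufferOverflowMaxTotalHeaderLength": 7300,
}


def raw_cookie_length(cookie_header):
    """Current behaviour: the entire raw Cookie header counts, semicolons and spaces included."""
    return len(cookie_header)


def longest_individual_cookie(cookie_header):
    """Reverted behaviour (10.5.e before 59.13xx.e, 11.0 before 65.x): only the longest
    single name=value pair was compared against the limit."""
    return max((len(c.strip()) for c in cookie_header.split(";")), default=0)


def check_request(url, headers, limits, per_cookie=False):
    """Return [(parameter, observed, allowed)] for every limit the request exceeds.
    headers is a list of (name, value) pairs in wire order. Assumptions (not from the
    page): per-header length is the value length; total header length sums the
    'Name: value\\r\\n' lines. Each exceeded limit is reported separately, matching
    the one-log-message-per-violation behaviour described under Statistics."""
    violations = []

    def exceeds(param, observed):
        if observed > limits[param]:
            violations.append((param, observed, limits[param]))

    exceeds("bufferOverflowMaxURLLength", len(url))
    exceeds("bufferOverflowMaxQueryLength", len(urlsplit(url).query))
    total = 0
    for name, value in headers:
        total += len(f"{name}: {value}\r\n")
        if name.lower() == "cookie":
            measure = longest_individual_cookie if per_cookie else raw_cookie_length
            exceeds("bufferOverflowMaxCookieLength", measure(value))
        else:
            exceeds("bufferOverflowMaxHeaderLength", len(value))
    exceeds("bufferOverflowMaxTotalHeaderLength", total)
    return violations
```

With a deliberately tight cookie limit, the same request violates under the raw-header rule and passes under the per-cookie rule, which is exactly the difference the note above describes.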
