ADC

Relaxation and deny rules for handling HTML SQL injection attacks

When there is incoming traffic, the violation detection logic checks it for violations. If no HTML SQL injection attacks are detected, the traffic is allowed to pass. If a violation is detected, the relaxation (allow) and deny rules define how to handle it. If the security check is configured in allow mode (the default mode), the detected violation is blocked unless the user has explicitly configured a relaxation or allow rule.

In addition to allow mode, the security check can also be configured in deny mode and use deny rules for handling violations. If the security check is configured in this mode, the detected violations are blocked if a user has explicitly configured a deny rule. If there are no deny rules configured, then the user-configured action is applied.

Note:

By default, the URL is a regular expression.

The following illustration explains how the allow and deny modes of operation work:

Relaxation and deny rules for handling HTML SQL injection attacks

  1. When a violation is detected, the relaxation (allow) and deny rules define how to handle the violations.
  2. If the security check is configured in deny mode (if configured in allow mode, jump to step 5), the violation is blocked unless you have explicitly configured a deny rule.
  3. If the violation matches a deny rule, the appliance blocks the traffic.
  4. If the traffic violation does not match a rule, the appliance applies a user-defined action (block, reset, or drop).
  5. If the security check is configured in allow mode, the Web App Firewall module checks if there are any allow rules configured.
  6. If the violation matches an allow rule, the appliance allows the traffic to bypass; otherwise, it is blocked.
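The decision flow in steps 1 to 6, as an added Python model (an illustration written for this page, not NetScaler code). The `Rule` class, the `decide` function and the sample rules are hypothetical; the model assumes that field names are compared literally and that the URL regular expression is matched unanchored.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    field: str      # form field name, e.g. "field_f1"
    url: str        # form action URL, treated as a regular expression
    rule_type: str  # "ALLOW" (relaxation) or "DENY"

def decide(mode, rules, field, url, configured_action="block"):
    """Outcome for a request in which an HTML SQL injection violation was
    already detected in `field` of a form posted to `url`."""
    # Only rules of the type selected by the mode are consulted.
    # Assumption: the URL regex is matched unanchored (re.search).
    matched = any(
        r.rule_type == mode and r.field == field and re.search(r.url, url)
        for r in rules
    )
    if mode == "DENY":
        # Steps 2-4: a matching deny rule blocks; otherwise the
        # user-configured action (block, reset or drop) applies.
        return "block" if matched else configured_action
    if mode == "ALLOW":
        # Steps 5-6: a matching allow rule lets the traffic through;
        # every other violation is blocked.
        return "allow" if matched else "block"
    raise ValueError(f"unknown rule type: {mode!r}")

# Constructed sample rules, modelled on the page's bind example.
RULES = [
    Rule("field_f1", "/login.php", "ALLOW"),       # unanchored, "." unescaped
    Rule("field_f1", r"^/search\.php$", "ALLOW"),  # anchored and escaped
    Rule("comment", r"^/post\.php$", "DENY"),
]

if __name__ == "__main__":
    for mode, field, url in [
        ("ALLOW", "field_f1", "/login.php"),
        ("ALLOW", "field_f1", "/admin/login-php/x"),  # over-matched by rule 1
        ("ALLOW", "field_f1", "/search.php.bak"),
        ("ALLOW", "other", "/login.php"),
        ("DENY", "comment", "/post.php"),
        ("DENY", "comment", "/other.php"),
    ]:
        print(mode, field, url, "->", decide(mode, RULES, field, url, "drop"))
```

Under the unanchored-match assumption, the first sample rule also relaxes `/admin/login-php/x`; anchoring the expression with `^` and `$` and escaping the dot keeps a relaxation scoped to the intended URL.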

Configure security check in relaxation and enforcement mode using CLI

At the command prompt, type:

set appfw profile <name> -SQLInjectionAction [block stats learn] -SQLInjectionRuleType [ALLOW | DENY]

Example:

set appfw profile prof1 -sqlInjectionAction block -sqlInjectionRuleType ALLOW

Configure security check in relaxation and enforcement mode using GUI

  1. Navigate to Security > NetScaler Web App Firewall and Profiles.
  2. On the Profiles page, select a profile and click Edit.
  3. On the NetScaler Web App Firewall Profile page, go to the Advanced Settings section and click Security Checks.
  4. In the Security Checks section, select HTML SQL Injection Settings and click Action Settings.
  5. On the HTML Command Injection Settings page, select the actions to be performed as part of the HTML command injection security check and update the parameters.
  6. Click OK.

Configure relaxation and deny rules for handling HTML SQL injection attacks

Bind relaxation and enforcement rules to Web Application Firewall profile using CLI

At the command prompt, type:

bind appfw profile <name> -SQLInjection <string> <formActionURL> -ruleType [ALLOW | DENY]

Example:

bind appfw profile p1 -SQLInjection field_f1 "/login.php" -RuleType ALLOW

bind appfw profile p2 -SQLInjection field_f1 "/login.php" -RuleType ALLOW

Bind relaxation and enforcement rules to Web Application Firewall profile using GUI

  1. Navigate to Security > NetScaler Web App Firewall and Profiles.
  2. On the Profiles page, select a profile and click Edit.
  3. On the NetScaler Web App Firewall Profile page, go to the Advanced Settings section and click Relaxation Rules.
  4. In the Relaxation Rule section, select HTML SQL Injection Settings and click Edit.
  5. On the HTML SQL Injection Relaxation Rules page, click Add.
  6. Specify the required details.
  7. Click Create.
