Citrix Systems Network Router 9.2 User Manual

 Appendix  D        Tutorial Examples of Classic Policies
255
9. Globally bind your new policy to put it into effect.
Since you want this policy to match all connections to the shopping cart, and not be preempted by a more general policy, assign it a high priority. Bound policies are evaluated from the lowest priority number upward, so a policy bound with priority one (1) is evaluated first and no other policy can preempt it.
Application Firewall Policy to Protect Scripted Web Pages
Web pages with embedded scripts, especially legacy JavaScript, often contain or submit content that looks like a cross-site scripting attack: script tags, inline event handlers, or references to content on another server. Browsers enforce the "same origin rule," which prevents a script from reading or modifying content served by any server other than the one it was loaded from. A cross-site scripting attack defeats that rule by injecting attacker-controlled script into a page served by a trusted server, so that the script runs with that server's origin. The Application Firewall Cross-Site Scripting check normally filters out requests that contain such script content.
Unfortunately, this can cause Web pages with older JavaScript to stop functioning, even when your system administrator has checked those scripts and knows that they are safe. The example below explains how to configure the Application Firewall to allow cross-site scripting in Web pages from trusted sources without disabling this important filter for the rest of your Web sites. Keep the policy that selects the relaxed profile as narrow as you can: every request it matches is examined with the cross-site scripting action set in step 2, which learns and logs but does not block.
To protect Web pages with cross-site scripting by using the NetScaler command line
1. At the NetScaler command line, to create an advanced profile, type:
add appfw profile pr_xssokay -defaults advanced
2. To configure the profile, type:
set appfw profile pr_xssokay 
-startURLAction NONE 
-startURLClosure OFF 
-cookieConsistencyAction LEARN LOG STATS 
-fieldConsistencyAction LEARN LOG STATS 
-crossSiteScriptingAction LEARN LOG STATS
3. To create a policy that detects connections to your scripted Web pages and applies the pr_xssokay profile, type:
add appfw policy pol_xssokay "REQ.HTTP.HEADER URL CONTAINS ^\.pl\?$ || REQ.HTTP.HEADER URL CONTAINS ^\.js$" pr_xssokay
4. Globally bind the policy. As with the shopping-cart policy in step 9 above, give it a low priority number so that a more general policy cannot preempt it.