Citrix Systems 9.2 User Manual

Citrix NetScaler Policy Configuration and Reference Guide
add ssl policy client_cert_policy 'REQ.SSL.CLIENT.CERT.VALIDFROM >= "Mon, 01 Jan 2008 00:00:00 GMT"' act_block_ssl
3. Globally bind your new policy to put it into effect.
Since this SSL policy should apply to any user's SSL connection unless a more specific SSL policy applies, you may want to assign a large priority value. For example, if you assign it a priority of one thousand (1000), that should ensure that other SSL policies are evaluated first, meaning that this policy will apply only to connections that do not match more specific policy criteria.
Application Firewall Policy to Protect a Shopping Cart Application
Shopping cart applications handle sensitive customer information, for example, credit card numbers and expiration dates, and they access back-end database servers. Many shopping cart applications also use legacy CGI scripts, which can contain security flaws that were unknown at the time they were written, but are now known to hackers and identity thieves.
A shopping cart application is particularly vulnerable to the following attacks:
Cookie tampering. If a shopping cart application uses cookies, and does not perform the appropriate checks on the cookies that users return to the application, an attacker could modify a cookie and gain access to the shopping cart application under another user's credentials. Once logged on as that user, the attacker could obtain sensitive private information about the legitimate user or place orders using the legitimate user's account.
SQL injection. A shopping cart application normally accesses a back-end database server. Unless the application performs the appropriate safety checks on the data users return in the form fields of its Web forms before it passes that information on to the SQL database, an attacker can use a Web form to inject unauthorized SQL commands into the database server. Attackers normally use this type of attack to obtain sensitive private information from the database or modify information in the database.
The following configuration will protect a shopping cart application against these and other attacks.
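As an added illustration that is not part of the Citrix guide, the following Python sketch shows the two application-side checks the paragraphs above describe as missing in a vulnerable shopping cart: session cookies carry an HMAC tag so a modified cookie is rejected, and Web-form values are bound as SQL parameters so they are treated as data rather than as SQL commands. The secret key and the in-memory cart table are constructed sample data.

```python
import hashlib
import hmac
import sqlite3
from typing import List, Optional

# Constructed server-side secret; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def sign_cookie(value: str) -> str:
    """Append an HMAC-SHA256 tag so the server can detect any edit to the value."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_cookie(cookie: str) -> Optional[str]:
    """Return the cookie's value if its tag is intact, otherwise None."""
    value, sep, tag = cookie.rpartition("|")
    if not sep:
        return None  # no tag at all: treat as tampered
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag through timing.
    return value if hmac.compare_digest(tag, expected) else None


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory cart table standing in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cart (user TEXT, item TEXT)")
    conn.executemany("INSERT INTO cart VALUES (?, ?)",
                     [("alice", "book"), ("bob", "laptop")])
    return conn


def cart_items(conn: sqlite3.Connection, user: str) -> List[str]:
    """Parameterized query: the form value is bound as data, never spliced into SQL."""
    rows = conn.execute("SELECT item FROM cart WHERE user = ?", (user,))
    return [r[0] for r in rows]


def cart_for_cookie(conn: sqlite3.Connection, cookie: str) -> List[str]:
    """Reject a tampered cookie before the database is touched at all."""
    user = verify_cookie(cookie)
    return cart_items(conn, user) if user else []
```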
To protect a shopping cart application by using the configuration utility
1. In the navigation pane, expand Application Firewall, click Profiles, and then click Add.