NetScaler Application Firewall and the OWASP Top Ten – 2013

NetScaler Application Firewall and theOWASP Top Ten – 2013IntroductionThe Open Web Application Security Project (OWASP; http://www.owasp.org) released the OWASP Top 10 for2013 for web application security. This list documents the most common web application vulnerabilities and isa great starting point to evaluate web security. Here we detail how to configure the NetScaler ApplicationFirewall to mitigate these flaws. Application Firewall is available as an integrated module in the NetScalerApplication Delivery Controller (Platinum Edition) as well as a complete range of appliances.The full OWASP Top 10 document is available at http://www.owasp.org/index.php/OWASP_Top_Ten_Project.OWASP Top-10 2013NetScaler FeaturesA1- Injection Injection attack prevention (SQL or any othercustom injections such as OS Commandinjection, XPath injection, and LDAPInjection), auto update signature featureA2 - Broken Authentication and SessionManagementA3 - Cross Site Scripting (XSS)AAA, Cookie Tampering protection, CookieProxying, Cookie Encryption, CSRF tagging,Use SSLXSS Attack Prevention, Blocks all OWASP XSScheat sheet attacksPage 1

A4 - Insecure Direct Object ReferencesA5 - Security MisconfigurationA6 - Sensitive Data ExposureA7 - Missing Function Level Access ControlA8 - Cross Site Request ForgeryA9 - Using Components with knownVulnerabilitiesA10 - Unvalidated Redirects and ForwardsStartURL checks, AAA, Form protections, andCookie tampering protectionsPCI reports, SSL features, Signaturegeneration from vulnerability scan reportssuch as Ceznic, Qualys , and Whitehat.Additionally, very specific protections such asCookie encryption, proxying, and tampering.Credit Card protection, Safe Commerce,Cookie proxying, and Cookie EncryptionAuthorization security feature within AAAmodule of NetScaler, StartURL, andClosureURLCSRF form tagging, Referer header validationVulnerability scan reports, ApplicationFirewall Templates, and Custom SignaturesProtections by policy control, field formatprotection configurationA1 - InjectionInjection flaws such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as partof a command or query. The attacker’s hostile data can trick the interpreter into executing unintendedcommands or accessing data without proper authorization.NetScaler Protection●●●●●SQL Injection prevention feature protects against common injection attacks. Custom injection patternscan be uploaded to protect against any type of injection attack including XPath and LDAP. This isapplicable for both HTML and XML payloads.The auto update signature feature keeps the injection signatures up to date.Field format protection feature allows the administrator to restrict any user parameter to a regularexpression. For instance, you can enforce that a zip-code field contains integers only or even 5-digitintegers.Form field consistency: Validate each submitted user form against the user session form signature toensure validity of all form elements.Buffer overflow checks ensure that the URL, headers, and cookies are in the right limits blocking anyattempts to inject large scripts or code.Page 2

A2 - Broken Authentication and Session ManagementApplication functions related to authentication and session management are often not implemented correctly,allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementationflaws to assume other users’ identities.NetScaler Protections●●●NetScaler AAA module performs user authentication and provides Single Sign-On functionality tobackend applications. This is integrated into NetScaler AppExpert policy engine to allow custompolicies based on user and group information.Additionally, using the Cookie tampering protection feature, session ID commonly stored in cookiescan be protected. Using SSL offloading and URL transformation capabilities, the firewall can also helpsites to use secure transport layer protocols to prevent stealing of session tokens by network sniffing.Cookie Proxying and Cookie Encryption can be employed to completely mitigate cookie stealing andhence securing the session.A3 - Cross Site Scripting ( XSS )XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without propervalidation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack usersessions, deface web sites, or redirect the user to malicious sites.NetScaler Protections●●●●XSS protection protects against common XSS attacks. Custom XSS patterns can be uploaded to modifythe default list of allowed tags and attributes. The NetScaler Application Firewall uses a white list ofallowed HTML attributes and tags to detect XSS attacks. This is applicable for both HTML and XMLpayloads.NetScaler Application Firewall blocks all the attacks listed in OWASP XSS Filter Evaluation Cheat Sheet.Field format check prevents an attacker from sending inappropriate web form data which can be apotential XSS attack.Form field consistency.A4 - Insecure Direct Object ReferencesA direct object reference occurs when a developer exposes a reference to an internal implementation objectsuch as a file, directory, or database key. Without an access control check or other protection, attackers canmanipulate these references to access unauthorized data.Page 3

NetScaler Protections●●●●Start URL check with URL closure: Allows user access to a predefined white list of URLs. URL closurebuilds a list of all URLs seen in valid responses during the user session and automatically allows accessto them during that session.AAA feature that supports authentication, authorization, and auditing for all application traffic allows asite administrator to manage access controls with the NetScaler appliance.Form field consistency: If object references are stored as hidden fields in forms, then using form fieldconsistency you can validate that these fields are not tampered on subsequent requests.Cookie Proxying and Cookie consistency: Object references that are stored in cookie values can bevalidated with these protections.A5 - Security MisconfigurationGood security requires having a secure configuration defined and deployed for the application, frameworks,application server, web server, database server, and platform. Secure settings should be defined,implemented, and maintained as defaults are often insecure. Additionally, software should be kept up to date.NetScaler Protections●●●The PCI-DSS report generated by the Application Firewall, documents the security settings on theFirewall device.Reports from the scanning tools are converted to NetScaler Signatures to handle securitymisconfigurations.NetScaler Application Firewall supports Cenzic, IBM AppScan (Enterprise and Standard), Qualys,TrendMicro, WhiteHat, and custom vulnerability scan reports.A6 - Sensitive Data ExposureMany web applications do not properly protect sensitive data such as credit cards, tax IDs, and authenticationcredentials. Attackers might steal or modify such weakly protected data to conduct credit card fraud, identitytheft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as wellas special precautions when exchanged with the browser.NetScaler Protection●●●Application Firewall protects applications from leaking sensitive data like credit card details.Sensitive data can be configured as Safe objects in Safe Commerce protection to avoid exposure.Any sensitive data in cookies can be protected by Cookie Proxying and Cookie Encryption.Page 4

A7 - Missing Function Level Access ControlMost web applications verify function level access rights before making that functionality visible in the UserInterface (UI). However, applications need to perform the same access control checks on the server when eachfunction is accessed. If requests are not verified, then attackers will be able to forge requests to accessfunctionality without proper authorization.NetScaler Protections●●The Authorization security feature within AAA module of NetScaler appliance enables the appliance toverify, which content on a protected server it should allow each user to access.Additionally, StartURL and ClosureURL features can be used to provide restricted access to server.A8 - Cross Site Request ForgeryA CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s sessioncookie and any other automatically included authentication information, to a vulnerable web application. Thisallows the attacker to force the victim’s browser to generate requests, which the vulnerable application thinksare legitimate requests from the victim.NetScaler Protections●●●CSRF Tagging: This adds a unique token to each form sent to a user and validates the token onsubsequent submissions.Referrer headers can be validated to ensure that the requests were generated from within the site.Referrer header check in coordination with URL Closure feature can prevent CSRF.A9 - Using Components with Known VulnerabilitiesComponents such as libraries, frameworks, and other software modules, almost always run with full privileges.If a vulnerable component is exploited, then such an attack can facilitate serious data loss or server takeover.Applications using components with known vulnerabilities might undermine application defenses and enable arange of possible attacks and impacts.NetScaler Protections●●●●Citrix recommends to have the third party components up to date.Vulnerability scan reports that are converted to NetScaler Signatures can be used to virtually patchthese components.Application Firewall templates that are available for these vulnerable components can be used.Custom Signatures can be bound with firewall to protect these components.Page 5

A10 - Unvalidated Redirects and ForwardsWeb applications frequently redirect and forward users to other pages and web sites, and use untrusted datato determine the destination pages. Without proper validation, attackers can redirect victims to phishing ormalware sites, or use forwards to access unauthorized pages.NetScaler ProtectionsOn all incoming requests do,●●●Field format protection: Specify that the parameter containing the URL for redirection or forward isrestricted to valid allowed domains.Referrer header check: To reduce phishing attacks, validate the referrer header on incoming requests.Use AAA authorization policies to ensure that access to specific URLs is authorized.On the Redirect responses,●●Use Responder policies to ensure that 302 redirects are allowed to valid domains only.Use URL transform or rewrite policies to transform all 302 redirects to specific allowed domains.For More InformationDownload and try the Application Firewall in NetScaler VPX virtual appliance with a free 90-dayPlatinum Edition evaluation license today at http://www.citrix.com/netscalervpx.NetScaler Product documentation can be found at http://support.citrix.com/product/nsad/v10.1.Follow us on twitter at http://twitter.com/netscaler and join the Citrix community athttp://community.citrix.com.About CitrixCitrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles—empowering people to work and collaborate from anywhere, easilyand securely. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing,Citrix helps organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.Copyright © 2013 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, Citrix NetScaler, and other Citrix product names aretrademarks of Citrix Systems, Inc. All other product names, company names, marks, logos, and symbols are trademarks of theirrespective owners.Page 6