Appendix D

Tutorial Examples of Classic Policies


9. Globally bind your new policy to put it into effect.

Since you want to ensure that this policy will match all connections to the shopping cart, and not be preempted by another more general policy, you should assign a high priority to it. If you assign one (1) as the priority, no other policy can preempt this one.

Application Firewall Policy to Protect Scripted Web Pages

Web pages with embedded scripts, especially legacy JavaScripts, often violate the “same origin rule,” which does not allow scripts to access or modify content on any server but the server where they are located. This security vulnerability is called cross-site scripting. The Application Firewall Cross-Site Scripting rule normally filters out requests that contain cross-site scripting.

Unfortunately, this can cause Web pages with older JavaScripts to stop functioning, even when your system administrator has checked those scripts and knows that they are safe. The example below explains how to configure the Application Firewall to allow cross-site scripting in Web pages from trusted sources without disabling this important filter for the rest of your Web sites.

To protect Web pages with cross-site scripting by using the NetScaler command line

1. At the NetScaler command line, to create an advanced profile, type:

add appfw profile pr_xssokay -defaults advanced

2. To configure the profile, type:

set appfw profile pr_xssokay -startURLAction NONE -startURLClosure OFF -cookieConsistencyAction LEARN LOG STATS -fieldConsistencyAction LEARN LOG STATS -crossSiteScriptingAction LEARN LOG STATS

3. To create a policy that detects connections to your scripted Web pages and applies the pr_xssokay profile, type:

add appfw policy pol_xssokay "REQ.HTTP.HEADER URL CONTAINS ^\.pl\?$ || REQ.HTTP.HEADER URL CONTAINS ^\.js$" pr_xssokay

4. Globally bind the policy.
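
The Python sketch below is an added example, not part of the Citrix manual. It reads NetScaler configuration text and lists every Application Firewall profile whose cross-site scripting action was set without BLOCK, together with the policies that send requests to it, so you can confirm that the relaxation created in this procedure is reachable only through pol_xssokay. The sample configuration is constructed from this procedure's commands; pr_strict and pol_all are hypothetical names added for contrast.

```python
import shlex

# Constructed sample config, modeled on the commands in this procedure plus a
# hypothetical blocking profile (pr_strict / pol_all) for contrast.
SAMPLE_CONF = r'''
add appfw profile pr_xssokay -defaults advanced
set appfw profile pr_xssokay -startURLAction NONE -startURLClosure OFF -cookieConsistencyAction LEARN LOG STATS -fieldConsistencyAction LEARN LOG STATS -crossSiteScriptingAction LEARN LOG STATS
add appfw profile pr_strict -defaults advanced
set appfw profile pr_strict -crossSiteScriptingAction BLOCK LOG STATS
add appfw policy pol_xssokay "REQ.HTTP.HEADER URL CONTAINS ^\.pl\?$ || REQ.HTTP.HEADER URL CONTAINS ^\.js$" pr_xssokay
add appfw policy pol_all "ns_true" pr_strict
'''

def parse_options(tokens):
    """Group '-option value value ...' tokens into {option: [values]}."""
    opts, current = {}, None
    for tok in tokens:
        if tok.startswith("-"):
            current = tok[1:].lower()
            opts[current] = []
        elif current is not None:
            opts[current].append(tok.upper())
    return opts

def xss_relaxations(conf):
    """Return {profile: [(policy, rule), ...]} for every profile whose
    explicitly set crossSiteScriptingAction omits BLOCK."""
    relaxed, policies = {}, []
    for line in conf.splitlines():
        tok = shlex.split(line)
        if tok[:3] == ["set", "appfw", "profile"] and len(tok) > 3:
            action = parse_options(tok[4:]).get("crosssitescriptingaction")
            if action is not None and "BLOCK" not in action:
                relaxed[tok[3]] = []
        elif tok[:3] == ["add", "appfw", "policy"] and len(tok) == 6:
            policies.append((tok[3], tok[4], tok[5]))
    for name, rule, profile in policies:  # link policies after all profiles are known
        if profile in relaxed:
            relaxed[profile].append((name, rule))
    return relaxed

if __name__ == "__main__":
    for profile, bound in xss_relaxations(SAMPLE_CONF).items():
        print(f"{profile}: cross-site scripting check does not block")
        for name, rule in bound:
            print(f"  reached via policy {name}: {rule}")
```

A relaxed profile that appears with a broad rule, or with more policies than you expect, means the cross-site scripting filter is switched off for more traffic than the scripted pages you reviewed.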

Citrix Systems 9.2 manual Application Firewall Policy to Protect Scripted Web Pages