Buffer overflow check
The Buffer Overflow check detects attempts to cause a buffer overflow on the web server. It is a pure length check: if the Web App Firewall finds that the URL, the cookies, or the headers of a request are longer than the configured limits, it treats the request as a violation and, when the Block action is enabled, drops it, because an over-long value of this kind is what triggers a buffer overflow in vulnerable server software.
The Buffer Overflow check prevents attacks against insecure operating-system or web-server software that can crash or behave unpredictably when it receives a data string that is larger than it can handle. Proper programming techniques prevent buffer overflows by checking incoming data and either rejecting or truncating overlong strings. Many programs, however, do not check all incoming data and are therefore vulnerable to buffer overflows. This issue especially affects older versions of web-server software and operating systems, many of which are still in use.
The Buffer Overflow security check allows you to configure the Block, Log, and Stats actions. You can also configure the following length parameters:
- Maximum URL Length. The maximum length the Web App Firewall allows in a requested URL. Requests with longer URLs are blocked. Possible Values: 0–65535. Default: 1024
- Maximum Cookie Length. The maximum combined length the Web App Firewall allows for all cookies in a request. Requests with longer cookies are blocked. Possible Values: 0–65535. Default: 4096
- Maximum Header Length. The maximum length the Web App Firewall allows for an HTTP header. Requests with longer headers are blocked. Possible Values: 0–65535. Default: 4096
- Maximum Query Length. The maximum length allowed for the query string of an incoming request. Requests with longer query strings are blocked. Possible Values: 0–65535. Default: 1024
- Maximum Total Header Length. The maximum total length allowed for all HTTP headers of an incoming request. The smaller of this value and the maxHeaderLen setting of the bound HTTP profile is the limit that is enforced. Requests with longer headers are blocked. Possible Values: 0–65535. Default: 24820
Using the command line to configure the Buffer Overflow security check
To configure the Buffer Overflow security check parameters by using the command line, at the command prompt, type the following (to change an existing profile, use set appfw profile with the same parameters):
add appfw profile <name> -bufferOverflowMaxURLLength <positive_integer> -bufferOverflowMaxHeaderLength <positive_integer> -bufferOverflowMaxCookieLength <positive_integer> -bufferOverflowMaxQueryLength <positive_integer> -bufferOverflowMaxTotalHeaderLength <positive_integer>
Example:
add appfw profile profile1 -bufferOverflowMaxURLLength 7000 -bufferOverflowMaxHeaderLength 7250 -bufferOverflowMaxCookieLength 7100 -bufferOverflowMaxQueryLength 7300 -bufferOverflowMaxTotalHeaderLength 7300
Configure buffer overflow security check by using the Citrix ADC GUI
- Navigate to Security > Web App Firewall > Profiles.
- On the Profiles page, select a profile and click Edit.
- On the Citrix Web App Firewall Profile page, go to the Advanced Settings section and click Security Checks.
- In the Security Checks section, select Buffer Overflow and click Action Settings.
- On the Buffer Overflow Settings page, set the following parameters:
  a. Actions. Select one or more actions (Block, Log, Stats) to perform for the Buffer Overflow security check.
  b. Maximum URL Length. Maximum length, in characters, for URLs on your protected websites. Requests with longer URLs are blocked.
  c. Maximum Cookie Length. Maximum length, in characters, for cookies sent to your protected websites. Requests with longer cookies are blocked.
  d. Maximum Header Length. Maximum length, in characters, for HTTP headers in requests sent to your protected websites. Requests with longer headers are blocked.
  e. Maximum Query Length. Maximum length, in bytes, for the query string sent to your protected websites. Requests with longer query strings are blocked.
  f. Maximum Total Header Length. Maximum length, in bytes, for the total HTTP header length in requests sent to your protected websites. The smaller of this value and maxHeaderLen in the HTTP profile is used. Requests with longer headers are blocked.
- Click OK and Close.
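The parameter list and the two configuration procedures above say what each limit covers but not how to confirm that a profile actually enforces it. The following Python model is an added example and is not Citrix code: it carries the five limits with their documented defaults, applies the "smaller of total header length and httpProfile maxHeaderLen" rule from the GUI description, and builds one raw HTTP request per limit that exceeds that limit by a small margin so the requests can be fired at a lab virtual server. How the appliance measures each value (bytes or characters, per header or combined) is not spelled out on this page, so the measurement rules in check_request, the probe hostname, and the http_profile_max_header_len field are assumptions.

```python
"""Model of the Buffer Overflow check limits plus over-length probe requests.

Added example, not Citrix code. The five limits and their defaults are the
profile parameters documented above; the rule that the effective total-header
limit is the smaller of bufferOverflowMaxTotalHeaderLength and the httpProfile
maxHeaderLen comes from the GUI description. How the appliance measures each
value (bytes vs. characters, per header vs. combined) is assumed here.
"""
import socket
from dataclasses import dataclass


@dataclass
class BufferOverflowLimits:
    max_url_length: int = 1024            # bufferOverflowMaxURLLength
    max_cookie_length: int = 4096         # bufferOverflowMaxCookieLength
    max_header_length: int = 4096         # bufferOverflowMaxHeaderLength
    max_query_length: int = 1024          # bufferOverflowMaxQueryLength
    max_total_header_length: int = 24820  # bufferOverflowMaxTotalHeaderLength
    http_profile_max_header_len: int = 24820  # assumed: maxHeaderLen of the bound httpProfile

    @property
    def effective_total_header_length(self):
        """The smaller of the two total-header limits is the one enforced."""
        return min(self.max_total_header_length, self.http_profile_max_header_len)


def check_request(limits, target, headers):
    """Return the names of the limits a request exceeds; an empty list means it passes.

    Measurement rules (assumed, not Citrix's documented algorithm):
      url          - request target before the first '?'
      query        - everything after the first '?'
      cookie       - combined length of all Cookie header values
      header       - the longest single 'Name: value' line
      total_header - all header lines including their CRLF terminators
    """
    path, _, query = target.partition("?")
    lines = [f"{name}: {value}" for name, value in headers]
    violations = []
    if len(path) > limits.max_url_length:
        violations.append("url")
    if len(query) > limits.max_query_length:
        violations.append("query")
    if sum(len(v) for n, v in headers if n.lower() == "cookie") > limits.max_cookie_length:
        violations.append("cookie")
    if lines and max(len(line) for line in lines) > limits.max_header_length:
        violations.append("header")
    if sum(len(line) + 2 for line in lines) > limits.effective_total_header_length:
        violations.append("total_header")
    return violations


def overlength_requests(limits, host="waf-lab.example.internal"):
    """One (target, headers) pair per limit, each exceeding exactly that limit.

    The cookie case is split over several Cookie headers and the total-header
    case over several padding headers, so that no single header line trips the
    per-header limit and each probe isolates one violation. Hostname is a placeholder.
    """
    base = [("Host", host), ("User-Agent", "bo-check-probe")]
    per_cookie = limits.max_cookie_length // 3 + 1
    pad_len = limits.max_header_length - 20
    pad_count = limits.effective_total_header_length // (pad_len + 12) + 2
    return {
        "url": ("/" + "a" * limits.max_url_length, base),
        "query": ("/?" + "q" * (limits.max_query_length + 1), base),
        "cookie": ("/", base + [("Cookie", f"c{i}=" + "x" * per_cookie) for i in range(3)]),
        "header": ("/", base + [("X-Probe", "h" * limits.max_header_length)]),
        "total_header": ("/", base + [(f"X-Pad-{i}", "p" * pad_len) for i in range(pad_count)]),
    }


def build_request(target, headers, method="GET"):
    """Serialise a request as raw HTTP/1.1 bytes, ready for a socket."""
    head = f"{method} {target} HTTP/1.1\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers)
    return (head + "\r\n").encode("ascii")


def send_probe(host, port, raw, timeout=5.0):
    """Send one raw probe to a lab virtual server and return the first 4 KiB of the reply.
    Not invoked below; only point this at a WAF you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        return sock.recv(4096)


if __name__ == "__main__":
    limits = BufferOverflowLimits()
    for name, (target, hdrs) in overlength_requests(limits).items():
        raw = build_request(target, hdrs)
        print(f"{name:13s} {len(raw):6d} bytes -> exceeds {check_request(limits, target, hdrs)}")
```

Run it once with the profile's real values in BufferOverflowLimits and send each probe with send_probe; a profile with Block enabled should reject all five, and a probe that gets through tells you which limit is missing or set too high. Note that lowering maxHeaderLen on the HTTP profile tightens the total-header case even if the Web App Firewall parameter is left at its default.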
Using the Log Feature with the Buffer Overflow Security Check
When the log action is enabled, the Buffer Overflow security check violations are logged in the audit log as APPFW_BUFFEROVERFLOW_URL, APPFW_BUFFEROVERFLOW_COOKIE, and APPFW_BUFFEROVERFLOW_HDR violations. The Web App Firewall supports both Native and CEF log formats. You can also send the logs to a remote syslog server.
If you use the GUI to review the logs, you can use the click-to-deploy feature to apply relaxations indicated by the logs.
To access the log messages by using the command line
Switch to the shell and tail ns.log in /var/log to see the Buffer Overflow violations as they are written:

```
tail -f /var/log/ns.log | grep APPFW_BUFFEROVERFLOW
```
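Grepping ns.log shows individual hits; for triage you usually want counts per violation type and per client, and a list of profiles that are logging these violations without blocking them. The parser below is an added example and is not Citrix code. The sample log lines are constructed to resemble the native format; only the three violation names come from this page, so the regular expression is an assumption that may need adjusting to the exact layout your appliance emits.

```python
"""Summarise APPFW_BUFFEROVERFLOW_* violations from ns.log.

Added example, not Citrix code. SAMPLE_NS_LOG is constructed to resemble the
native log format; only the violation names are taken from the documentation,
so treat LINE_RE as a starting point and adjust it to your appliance's output.
"""
import re
from collections import Counter

# Anchors on the violation name, then picks up client IP, profile, URL,
# the free-text message and whether the request was actually blocked.
LINE_RE = re.compile(
    r"APPFW (?P<violation>APPFW_BUFFEROVERFLOW_(?:URL|COOKIE|HDR)) \d+ \d+ :\s+"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3}) \S+ - (?P<profile>\S+) (?P<url>\S+) "
    r"(?P<message>.*?) <(?P<action>blocked|not blocked)>"
)

# Constructed sample: two clients, two profiles, one unrelated APPFW line.
SAMPLE_NS_LOG = """\
Jan 11 10:02:17 <local0.info> 10.0.0.10 01/11/2024:10:02:17 GMT ns01 0-PPE-0 : default APPFW APPFW_BUFFEROVERFLOW_URL 1201 0 :  198.51.100.23 10001-PPE0 - profile1 http://www.example.com/aaaa Buffer overflow check failed for url (URL length exceeds 1024) <blocked>
Jan 11 10:02:18 <local0.info> 10.0.0.10 01/11/2024:10:02:18 GMT ns01 0-PPE-0 : default APPFW APPFW_BUFFEROVERFLOW_COOKIE 1202 0 :  198.51.100.23 10002-PPE0 - profile1 http://www.example.com/login Buffer overflow check failed for cookie (cookie length exceeds 4096) <blocked>
Jan 11 10:02:19 <local0.info> 10.0.0.10 01/11/2024:10:02:19 GMT ns01 0-PPE-0 : default APPFW APPFW_BUFFEROVERFLOW_HDR 1203 0 :  203.0.113.7 10003-PPE0 - profile2 http://api.example.com/v1/items Buffer overflow check failed for header (header length exceeds 4096) <not blocked>
Jan 11 10:02:20 <local0.info> 10.0.0.10 01/11/2024:10:02:20 GMT ns01 0-PPE-0 : default APPFW APPFW_SQL 1204 0 :  203.0.113.7 10004-PPE0 - profile2 http://api.example.com/v1/items SQL keyword check failed <blocked>
Jan 11 10:02:21 <local0.info> 10.0.0.10 01/11/2024:10:02:21 GMT ns01 0-PPE-0 : default APPFW APPFW_BUFFEROVERFLOW_URL 1205 0 :  198.51.100.23 10005-PPE0 - profile1 http://www.example.com/bbbb Buffer overflow check failed for url (URL length exceeds 1024) <blocked>
"""


def parse_violations(text):
    """Return one dict per Buffer Overflow violation; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def summarize(events):
    """Counts by violation type and by client, plus profiles that logged a
    violation without blocking it (Log enabled but Block not), which is the
    configuration gap to look for first."""
    return {
        "by_violation": Counter(e["violation"] for e in events),
        "by_client": Counter(e["client"] for e in events),
        "log_only_profiles": sorted({e["profile"] for e in events if e["action"] == "not blocked"}),
    }


if __name__ == "__main__":
    summary = summarize(parse_violations(SAMPLE_NS_LOG))
    for violation, count in summary["by_violation"].most_common():
        print(f"{violation:30s} {count}")
    print("top clients:", summary["by_client"].most_common(3))
    print("profiles logging but not blocking:", summary["log_only_profiles"])
```

Feed it the output of the tail command (or a rotated ns.log from /var/log) instead of the constructed sample. A client that shows up repeatedly across all three violation types is usually a scanner; a profile in log_only_profiles records the attempts but lets them reach the server.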