Citrix Web Application Firewall (WAF)

Today one Customer asked me about the difference between logic positive and logic negative.
First I’ll describe what is Citrix Web Application Firewall.

Citrix Web App Firewall keeps them secure by protecting against both known and unknown application attacks and providing insights for faster remediation. NetScaler AppFirewall threat protection includes SQL injection attacks, cross-site scripting attacks, cookie tampering, form validation and protection, HTTP and XML reply and request format validation, JSON payload inspection, signature and behavior-based protections, data loss prevention (DLP) support, DoS protection, authentication, authorization and auditing support and reporting, and policy tools that provide for easier PCI-DSS compliance verification.

The Top 10 OWASP vulnerabilities in 2020 are:

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access control
  • Security misconfigurations
  • Cross Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with known vulnerabilities
  • Insufficient logging and monitoring

More Details can be found on

The differences between Negative and Positive


A positive security model operates on the principle that everything is blocked, and only traffic identified as good is allowed to pass. Good traffic is defined by rules; everything else is blocked by default.  It protects against: Buffer Overflow, CGI-BIN Parameter Manipulation, Form/Hidden Field Manipulation, Forceful Browsing, Cookie or Session Poisoning, Broken ACLs, Cross-Site Scripting (XSS), Command Injection, SQL Injection, Error Triggering Sensitive Information Leak, Insecure Use of Cryptography, Server Misconfiguration, Back Doors and Debug Options, Rate-Based Policy Enforcement, Well Known Platform Vulnerabilities, Zero-Day Exploits, Cross-Site Request Forgery (CSRF), and leakage of Credit Card and other sensitive data.


A negative security model operates on a principle where everything is allowed except for what is explicitly blocked. The negative security model uses rich set signatures to protect against L7 and HTTP application vulnerabilities. The built-in XSLT files allow easy importation of rules, which can be used in conjunction with the native-format Snort based rules. An auto-update feature gets the latest updates for new vulnerabilities.

In this post, I just made a summary about WAF. For more details:

In the next post, I’ll build on the lab with WAF and some apps.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at

Up ↑

%d bloggers like this: