Citrix Application Firewall™ employs a positive security model to protect against attacks exploiting any one of the 16 classes of application vulnerabilities. Without complete, 16-out-of-16-protection, applications are exposed to unnecessary risks.

1. Buffer overflow exploits – A common type of input validation attack that overflows a buffer with excessive data. Successfully executed, the hacker can run a remote shell on the machine and gain the same system privileges granted to the application being attacked.
2. CGI-BIN parameter manipulation – An input validation attack that illegally modifies data that is passed to a server-side script. Without proper validation of query parameters passed to CGI scripts, a hacker can gain unauthorized system privileges allowing him to modify files, run commands and execute other operations.
3. Form/hidden field manipulation – Modifying the contents of a hidden field in an attempt to trick the application into accepting invalid data.
4. Forceful browsing – Access of unauthorized and unadvertised URLs to gain access to the root directory of a Web server, or other areas that should be off limits.
5. Cookie/session poisoning – Reverse engineering weak cookies to steal a user’s session or impersonate a legitimate user of an application.
6. Broken ACLs/weak passwords – Circumventing an application’s access control system by requesting resources for which the user should not have access.
7. Cross-site scripting (XSS) – Attacking the trust relationship between a user and a Web application. Tricking the user or the user’s browser into sending an attacker confidential information that can be used to steal that user’s identity.
8. Command injection – Inserting system commands in program variables like form fields that get inadvertently executed on the server.
9. SQL injection – An input validation attack that sends SQL commands to Web applications, which are then passed to a back-end database. Successfully executed, the hacker can gain access to a sensitive information store.
10. Error triggering sensitive information leaks – Feeding malformed, illegitimate data to an application with the goal of generating errors and gaining sensitive information about the application environment.
11. Insecure use of crypto – Exploiting an application’s use of a weak cryptographic algorithm in digitally signing cookies.
12. Server misconfiguration – Exploiting server misconfigurations, including the failure to fully lock down or harden the Web server, disable default accounts and services or remove unnecessary functionality.
13. Back doors and debug options – Exploiting application back doors or debug code on production systems.
14. Web site defacement – Malicious modification of Web pages.
15. Well-known platform vulnerabilities – Exploiting unpatched vulnerabilities of Web servers or operating systems to gain unauthorized access to an application.
16. Zero-day exploits – A vulnerability that is exploited before it is announced publicly and before vendor-developed patches, signatures or other fixes are available.