Protecting against HTTP Request Smuggling – Citrix NetScaler ADC

This post gives a brief summary of this subject together with recent tests I conducted against Citrix ADC/NetScaler in a lab environment. This post will not show intensive testing or demonstrate the offensive techniques mentioned here, though this could perhaps appear in a future post on my other blog https://offsec.vchur.dk

HTTP Request Smuggling – a few words

HTTP Request Smuggling allows an attacker to smuggle malicious HTTP requests and cause HTTP desync attacks between a reverse proxy / load balancer and a backend web server. This potentially opens multiple attack vectors: injecting requests that hit legitimate users (enabling account takeover via XSS and cookie stealing), redirecting users to attacker-controlled phishing sites, or requesting resources on backend URL endpoints that are not publicly exposed but sit behind a corporate firewall.

HTTP Request Smuggling happens when a reverse proxy and a backend web server do not follow and comply with RFC 7230 (HTTP/1.1). Basically, malformed HTTP/1.1 requests are allowed to pass through the proxy, where one part of the HTTP request is interpreted by the proxy and another part of the same HTTP request message is parsed and interpreted by the backend web server.

Basically, the following conditions need to be true for a successful attack:

  • Multiplexing needs to be in place (common in reverse proxies / load balancers).
  • Proxy and backend server need to interpret HTTP requests differently, e.g. Content-Length typically interpreted by the proxy and Transfer-Encoding by the web server.
  • Not complying with RFC 7230 HTTP/1.1 rules.
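As an added example, not part of the original post and not Citrix code, here is a Python check that applies the RFC 7230 framing rules the bullets above refer to, the way a strict reverse proxy decides to answer 400 instead of forwarding an ambiguous request. The header blocks it checks are constructed samples, not captured traffic.

```python
import re

# Constructed raw HTTP/1.1 header blocks (CRLF-delimited); not captured from any real system.
CL_ONLY = b"POST /search HTTP/1.1\r\nHost: app.example\r\nContent-Length: 13\r\n\r\n"
CL_AND_TE = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n")
DUP_CL = b"POST /search HTTP/1.1\r\nHost: app.example\r\nContent-Length: 13\r\nContent-Length: 4\r\n\r\n"
TE_OBFUSCATED = b"POST /search HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: xchunked\r\n\r\n"

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")          # RFC 7230 tchar
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}

def parse_headers(raw):
    """Return a list of (lowercased name, value) pairs, or None for a malformed header line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:              # skip the request line
        if not line:
            continue
        if line[0] in " \t":                           # obs-fold continuation: reject outright
            return None
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.fullmatch(name):       # also catches "Content-Length : 5"
            return None
        pairs.append((name.lower(), value.strip()))
    return pairs

def framing_check(raw):
    """Return (status, reason); 400 mirrors a strict-RFC 7230 proxy refusing ambiguous framing."""
    pairs = parse_headers(raw)
    if pairs is None:
        return 400, "malformed header line"
    cls = [c.strip() for n, v in pairs if n == "content-length" for c in v.split(",")]
    tes = [c.strip().lower() for n, v in pairs if n == "transfer-encoding" for c in v.split(",")]
    if cls and tes:                                    # CL vs TE disagreement is the smuggling root cause
        return 400, "both Content-Length and Transfer-Encoding present"
    if cls:
        if len(set(cls)) > 1:
            return 400, "conflicting Content-Length values"
        if not re.fullmatch(r"[0-9]+", cls[0]):
            return 400, "non-numeric Content-Length"
    if tes:
        if tes[-1] != "chunked" or any(c not in KNOWN_CODINGS for c in tes):
            return 400, "unknown coding or chunked is not the final Transfer-Encoding"
    return 200, "framing unambiguous"
```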

Citrix ADC – NetScaler – My observations and initial testing

The Citrix NetScaler ADC September 2020 firmware release did indeed change how HTTP/1.1 is handled in a default configuration.

Prior to the latest build, 12.1 build 59.16, it was possible in a default configuration to carry out an HTTP Request Smuggling technique. The September 2020 release clearly showed that Citrix ADC now has stricter default RFC 7230 policies enabled and rejects the malformed HTTP request with a 400 HTTP response code.

Test on 12.1 build 57.18 – June 2020 Release:

HTTP request with a malformed header results in HTTP 200 OK.

Test on 12.1 build 59.16 – September 2020 Release:

HTTP request with a wrong Content-Length (malformed) results in HTTP 400.

From a client perspective – smuggled request returned to the client.

Test on 12.1 build 57.18 – June 2020 Release:

From a reverse proxy / ADC perspective – internal /admin endpoint smuggled.

The above is subject to change, and this blog post will be updated as tests continue.
