Security – AppDelivery

Protecting against HTTP Request Smuggling – Citrix NetScaler ADC

On 30. September 202030. September 2020 By admin Posted in ADC, NetScaler, Web SecurityTagged , ADC SecurityLeave a comment

This post describes a brief summary on this subject together with recent tests I did conduct against Citrix ADC/NetScaler in a Lab environment. This post will not show intensive testing or demonstrating offensive techniques mentioned here, though this could perhaps appear in a future post on my other blog https://offsec.vchur.dk […]

Tunneling application layer traffic through SSH – a method to bypass network restrictions

On 2. March 20184. March 2018 By admin Posted in PenTestTagged , Security SSHLeave a comment

The purpose of this blog post is to provide information on how and when to use SSH Tunneling and finally a few notes on how to audit and prevent SSH tunneling. I am often testing solutions in a hybrid lab. Having both some public cloud services and my on-prem lab […]

Scan and Analyze TLS/SSL with CipherScan

On 23. December 201717. February 2018 By admin Posted in TroubleshootingTagged , Security TLS/SSLLeave a comment

A simple method to figure out which SSL/TLS Ciphersuites are supported by a target, and how these are prioritized. CipherScan can be used to assist to verify a good SSL/TLS configuration on your server.

./cipherscan.py test.site.com

1	./cipherscan.py test.site.com

./analyze.py -t test.site.com

1	./analyze.py -t test.site.com

Download https://github.com/mozilla/cipherscan Install git clone https://github.com/mozilla/cipherscan.git Pre-reqs Python […]

Load Testing HTTP with Locust

On 18. September 201717. February 2018 By admin Posted in TroubleshootingTagged , LoadTest SecurityLeave a comment

In this blog post I will share some examples of basic load testing against web services. I will describe a few examples which easily can be configured to match additional needs and requirements. Locust is an open source load testing tool, it is fairly simple to setup and run basic […]

Analyzing and Testing Web Application Security based on OWASP Top 10 – SQLi and XSS

On 11. July 201711. July 2017 By admin Posted in PenTestTagged , PenTest SecurityLeave a comment

Introduction This post describes some methods and techniques that we can use to verify and analyze security in a web application by assessing the SSL and HTTP traffic.We will focus on how to verify SSL Protocols and Ciphers, HTTP Response Headers and scanning for SQLi and XSS vulnerabilities. These methods […]

NetScaler Security – Layer 4-7 DDoS Protection

On 23. June 201723. June 2017 By admin Posted in NetScalerTagged , DDoS SecurityLeave a comment

NetScaler protects against Layer 4 SYN Flood attacks, by utilizing a SYN Cookie, NetScaler ensures that memory is first allocated to a TCP Session when TCP 3-way handshake is completed. Furthermore, Application Firewall and Rate Limiting could be implemented to mitigate both L4 and L7 attack. This article will focus […]

NetScaler Security – HTTP Headers

On 23. June 201723. June 2017 By admin Posted in NetScalerTagged , NetScaler SecurityLeave a comment

These steps should be carried out to raise the security level in HTTP Header security for a given web application controlled by NetScaler. We will be utilizing NetScaler AppExpert and Rewrite engine to meet the objectives.Note. Always implement in a test environment, to verify the impact of this change before […]

NetScaler Security – Protecting against malicious attacks

On 22. June 201724. June 2017 By admin Posted in NetScalerTagged , DDoS SecurityLeave a comment

So in this blog post we are going to look into what options exist in order to protect against malicious attackers, DDoS attacks etc. in an environment with NetScaler Application Delivery Controller as a front-end for business web applications.Furthermore we will look into additional steps to tighten and optimize security […]