Citrix Netscaler Web Application Firewall Bypass Vulnerability

I was able to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup I used was as follows.

  • An Apache web server with default configuration on Windows (XAMPP).
  • A SOAP web service written in PHP and vulnerable to SQL injection.
  • Netscaler WAF with SQL injection rules.

The first request was a basic SQL injection payload, ‘ union select current_user,2#, and Netscaler blocked it.

The second request was sent with the same content and one additional HTTP
header, “Content-Type: application/octet-stream”. It bypassed the WAF, but
the web server misinterpreted the body, so the request was useless anyway.

The third request was sent with two additional HTTP headers,
“Content-Type: application/octet-stream” followed by “Content-Type: text/xml”,
in that order. It bypassed the WAF and the web server processed it
correctly.
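As an added illustration, not code from the original post, here is a defensive check a practitioner could run over captured requests or at a reverse proxy: it parses a raw HTTP/1.1 request, reports headers that appear more than once with differing values, and shows how a first-value-wins parser and a last-value-wins parser resolve Content-Type differently, which is the disagreement between WAF and origin that the post relies on. The sample request, host name and path are constructed for the example.

```python
# Added example, not from the original post: flag duplicated request headers
# with conflicting values and show the first-wins / last-wins divergence.
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

def parse_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in wire order; names are lower-cased."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the request line
    pairs = []
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def find_conflicting_headers(raw_request: str) -> Dict[str, List[str]]:
    """Headers seen more than once with at least two distinct values."""
    seen = defaultdict(list)
    for name, value in parse_headers(raw_request):
        seen[name].append(value)
    return {n: v for n, v in seen.items() if len(set(v)) > 1}

def effective_value(raw_request: str, name: str, policy: str) -> Optional[str]:
    """Resolve a duplicated header as a 'first'-wins or 'last'-wins parser would."""
    values = [v for n, v in parse_headers(raw_request) if n == name.lower()]
    if not values:
        return None
    return values[0] if policy == "first" else values[-1]

def content_type_disagrees(raw_request: str) -> bool:
    """True when first-wins and last-wins parsers pick different Content-Types."""
    return (effective_value(raw_request, "Content-Type", "first")
            != effective_value(raw_request, "Content-Type", "last"))

# Constructed sample: two Content-Type headers, harmless XML body.
SAMPLE_REQUEST = (
    "POST /service.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Type: text/xml\r\n"
    "Content-Length: 39\r\n"
    "\r\n"
    "<?xml version=\"1.0\"?><ping>hello</ping>"
)

if __name__ == "__main__":
    print(find_conflicting_headers(SAMPLE_REQUEST))
    print("parsers disagree:", content_type_disagrees(SAMPLE_REQUEST))
```

A request that trips `content_type_disagrees` is worth rejecting or alerting on at the edge, since no legitimate client needs two different Content-Type values.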

Vendor Contact Progress:
02.02.2015 – Bug reported to the vendor.
04.02.2015 – Vendor returned with a case ID.
05.02.2015 – Detailed info/config given.
12.02.2015 – Asked about the case.
16.02.2015 – Vendor returned “investigating …”
06.03.2015 – Asked about the case.
06.03.2015 – Vendor has validated the issue.

12.03.2015 – There isn’t any fix addressing the issue.