Question
Cristina Marletta Livi
In Netscaler ADC VPX 12, we have a serious problem due to a responder policy that does not work in a certain case.
This is the scenario:
After an http to https redirection (following https://support.citrix.com/article/CTX120664) the request is redirected to a virtual server (VIP_www.XXX.it_28.21:443).
4 responder policies are bound to virtual server VIP_www.XXX.it_28.21:443, all with action = DROP and GOTO Expression = END, and an appfw policy is bound too.
The first responder policy is IP reputation policy (Expression = CLIENT.IP.SRC.IPREP_IS_MALICIOUS).
The second one blocks access to administrative paths for all IPs except 3 specific ones. The expression is:
(HTTP.REQ.HOSTNAME.EQ("www.XXX.it") || HTTP.REQ.HOSTNAME.EQ("yy.zzz.dd.hh")) && (HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/dentroilpalazzo") || HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH("/wp-admin")) && CLIENT.IP.SRC.EQ(ip1).NOT && CLIENT.IP.SRC.EQ(ip2).NOT && client.IP.SRC.EQ(ip3).NOT
where:
www.XXX.it is the FQDN
yy.zzz.dd.hh is public IP
ip1, ip2, ip3 are the enabled IPs
A hacker has bypassed the second responder policy check, calling:
https://www.XXX.it/wp-admin/admin-post.php?page=yuzo-related-post
In the log (ns.log) we find an HTML Cross Site Scripting violation message for this URL (related to the appfw policy), therefore the second responder policy was not hit.
Why? Are responder policies not evaluated before the appfw policy?
Regards,
Cristina
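A small Python model of the second responder policy's expression, added here as an example (not code from the post or from NetScaler), to check whether the logged request would have matched it; the three administrator addresses ip1, ip2, ip3 are not given in the post, so constructed TEST-NET-3 addresses stand in for them, and the model assumes an exact hostname compare, a path without the query string, and TO_LOWER as plain lower-casing. If every clause is true for the logged request, the missed DROP points at evaluation order or binding rather than at the expression itself.

```python
"""Model of the post's second responder policy (added example; not NetScaler code)."""
from urllib.parse import urlsplit

# Values taken from the post. ip1..ip3 are not given there, so constructed
# TEST-NET-3 addresses stand in for the three allowlisted administrator IPs.
PROTECTED_HOSTS = {"www.XXX.it", "yy.zzz.dd.hh"}
ADMIN_PATH_PREFIXES = ("/dentroilpalazzo", "/wp-admin")
ADMIN_SOURCE_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}


def clause_results(hostname: str, path: str, client_ip: str) -> dict:
    """Evaluate the three AND-ed clauses of the expression separately.

    Model assumptions (verify on the appliance): HOSTNAME.EQ is an exact string
    compare, URL.PATH excludes the query string, and TO_LOWER lower-cases only.
    """
    return {
        "host": hostname in PROTECTED_HOSTS,
        "admin_path": path.lower().startswith(ADMIN_PATH_PREFIXES),
        "client_not_allowed": client_ip not in ADMIN_SOURCE_IPS,
    }


def responder_action(url: str, client_ip: str) -> str:
    """Return DROP when the policy would match the request, otherwise NOOP."""
    parts = urlsplit(url)
    # Take the host from netloc to keep its original case; .hostname would lower it.
    hostname = parts.netloc.split(":")[0]
    results = clause_results(hostname, parts.path, client_ip)
    return "DROP" if all(results.values()) else "NOOP"


if __name__ == "__main__":
    # The URL from the post, sent from a constructed non-allowlisted client.
    logged = "https://www.XXX.it/wp-admin/admin-post.php?page=yuzo-related-post"
    print(clause_results("www.XXX.it", "/wp-admin/admin-post.php", "198.51.100.7"))
    print(responder_action(logged, "198.51.100.7"))  # DROP: the expression matches as written
    print(responder_action(logged, "203.0.113.10"))  # NOOP: allowlisted admin source
    print(responder_action("https://www.XXX.it/WP-ADMIN/", "198.51.100.7"))  # DROP via TO_LOWER
```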
29 answers to this question