
Citrix ADC 12.1: RDP Proxy: Rewrite / Responder Policy: Remove everything after question mark in URL


Mark Nickolai 2


Hi,

 

In order to mitigate a potential attack vector, we would like to use a responder or rewrite policy / action to get rid of URLs containing a question mark and the values after it.

 

https://rdp.example.com/rdpproxy/systemabc?test123 --> https://rdp.example.com/rdpproxy/systemabc

 

Do you have any hint how to do this?

 

I tried multiple ways, but it seems like matching the ? is a real problem here.

 

Cheers


Feel free to share what you are doing.

 

A rewrite to replace would need a "target" and a "replacement value" for that position and would be something like this:

Target:

http.req.url.path_and_query

 

Replacement:

http.req.url.path

 

This should omit the "query portion including ?" without needing to parse it individually.

 

A responder to redirect would be something like:

Policy expression to trigger responder (or rewrite above): http.req.url.query.exists or http.req.url.query.length > 1 (or something; I'm freehanding so that might need an adjustment)

Responder Action:

Type: Redirect

Expression (redirect destination):

"https://" + http.req.header("host") + http.req.url.path

 


Hi,

The background:
It is possible to add a query after an RDP proxy URL, which would download the RDP file; the query got written right into the *.rdp file as a parameter.

Therefore I want to either strip the query from the called URL or drop the request itself.

I have now added the following:

Rewrite Policy expression: True

Rewrite Action:
 

Target:

http.req.url.path_and_query

 

Replacement:

http.req.url.path

I applied it as a request policy to the Citrix Gateway VS which has the RDP Proxy configuration.

I hoped it would strip the query from the URL before the Gateway does something with the query.

Unfortunately this is not the case. 

In the rdp file the called url https://rdp.example.com/rdpproxy/systemabc?test123 keeps adding "test123" as a line.


 

Edited by Mark Nickolai

Rewrite might be running late in the Gateway flow. But the rewrite, if applied to the vpn vserver, may not apply to content accessed via the vpn vserver.

If the rdp was on its own vserver, you might see this work.

 

I also don't think clientless rewrite policies apply in this case.

 

Would have to see if anyone else has an idea on that.

 

Edited by Rhonda Rowland
fixed typo

I found a method that is not that elegant, so maybe (hopefully!) someone will come up with a better way.

Nevertheless, if someone else is looking for a dirty method:

Bind the RDP proxy to a content switch using the content switch action tied to a content switch policy (requires one content switch per RDP proxy).

Add in the policy something like: 

HTTP.REQ.HOSTNAME.EQ("rdp.example.com") && HTTP.REQ.URL.QUERY.LENGTH.EQ(0)


This will lead to Http/1.1 Service Unavailable if a query is used, else it will work properly.
 

Cheers
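
A detection-side counterpart to the content switch rule above, as an added example that is not part of the original thread: it scans web access log lines for RDP Proxy requests that carry a non-empty query string. The log lines are constructed, and the common-log layout, the `/rdpproxy/` prefix and the names `REQUEST_RE` and `find_rdp_query_requests` are assumptions to adapt to your own logging.

```python
import re

# Constructed sample lines (assumption: common access-log layout with the
# request line logged verbatim between double quotes).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:09:14:02 +0000] "GET /rdpproxy/systemabc HTTP/1.1" 200 512
198.51.100.9 - - [12/Mar/2024:09:15:40 +0000] "GET /rdpproxy/systemabc?test123 HTTP/1.1" 200 530
198.51.100.9 - - [12/Mar/2024:09:15:58 +0000] "GET /rdpproxy/systemabc? HTTP/1.1" 200 512
198.51.100.4 - - [12/Mar/2024:09:16:11 +0000] "GET /RDPProxy/systemxyz?a=b HTTP/1.1" 200 541
198.51.100.4 - - [12/Mar/2024:09:17:20 +0000] "GET /vpn/index.html?x=1 HTTP/1.1" 200 900
198.51.100.2 - - [12/Mar/2024:09:18:00 +0000] "GET /rdpproxy/systemabc%3Ftest123 HTTP/1.1" 404 0
this line is not a request and must be skipped
"""

# client address, then the quoted request line: METHOD TARGET HTTP/x.y
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def find_rdp_query_requests(log_text, prefix="/rdpproxy/"):
    """Return (client, path, query) for RDP Proxy requests with a non-empty query.

    Mirrors the intent of HTTP.REQ.URL.QUERY.LENGTH.EQ(0) from the thread:
    anything under the prefix whose query part is not empty is reported.
    """
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # unparsable line: skip rather than guess
        # Split on the first literal "?" only. An encoded %3F is path data,
        # not a query delimiter, so it stays in the path.
        path, _, query = match.group("target").partition("?")
        # Case-insensitive prefix match is a deliberately conservative choice.
        if not path.lower().startswith(prefix):
            continue
        if query:  # a bare trailing "?" yields an empty query and is ignored
            hits.append((match.group("client"), path, query))
    return hits


if __name__ == "__main__":
    for client, path, query in find_rdp_query_requests(SAMPLE_LOG):
        print(f"{client} requested {path} with query {query!r}")
```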

 
