GeorgeD Posted January 28
Is anyone else having trouble with password sprays against their NetScaler AAA vserver? We have an nFactor flow for LDAP and MFA. We recently tested out bot management, but apparently that doesn't cover the AAA vserver. I found that a simple PowerShell web request, Invoke-WebRequest -Uri https://yourDomain.com/nf/auth/doAuthentication.do -Body "login=myUserName&passwd=fdsfdfdfd&saveCredentials=false&loginBtn=Log+On&StateContext=bG9naW5zY2hlbWE9" -Method Post -ContentType "application/x-www-form-urlencoded", could easily lock out accounts on our system. We set up LDAP filters etc., but still haven't found a great solution for slow password sprays rolling across multiple IPs. Any help here would be greatly appreciated. We got a few suggestions from Citrix and consultants to move the MFA factor up in the nFactor flow, but that would likely be more annoying to users, having the pop-up appear on their phones. I also haven't tested it, but I'm not sure if the URL above on the AAA vserver even considers the nFactor flow, which means that anything nFactor related wouldn't solve this.
Emil Pandocchi Posted February 1
On 1/28/2024 at 8:01 PM, George David1709152738 said: "we recently tested out bot management, but apparently that doesn't cover the AAA vserver."
Can you elaborate on this? Bot Management should analyze things like the User-Agent header in requests, and if globally bound it should work for every web-based vserver.
GeorgeD Posted February 1 (Author)
According to Citrix support, because AAA parsing happens before Bot Management and any other feature, the AAA vserver is not protected by any of those modules: https://docs.netscaler.com/en-us/citrix-adc/13-1/getting-started-with-citrix-adc.html#packet-flow
GeorgeD Posted February 6 (Author)
I've tested with a few different login schema options. I can't get the direct script POST to /nf/auth/doAuthentication.do to be protected. It looks like most of the protections are within the page's logic, not against "/nf/auth/doAuthentication.do", so regardless it will be easy for any script to use this public endpoint and just attempt a username/password. My last test was using the default user/password/checkbox option on the NetScaler. Right now Citrix support is saying that only an ACL will protect against this, but I'm still trying to find more information.
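The original question and the post above describe the defender's problem: a slow spray that touches each account once or twice from many source IPs never trips a per-source or per-account lockout threshold. The following is an added example, not code from this thread or from NetScaler, showing how to spot that pattern in exported authentication-failure logs by looking at the shape of a time window (many distinct usernames, each with few failures, from several sources) rather than at any single source. The log line format and sample lines are constructed for the example; a real deployment would parse the appliance's actual AAA syslog fields instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (NOT a real NetScaler syslog format; the layout
# "<ISO timestamp> src=<ip> user=<name> result=<FAIL|OK>" is assumed here).
# Six different users fail once each from six different IPs within 20 minutes,
# then a real user mistypes twice from one IP and then succeeds.
SAMPLE_LOG = """\
2024-01-28T20:00:05 src=203.0.113.10 user=alice result=FAIL
2024-01-28T20:03:11 src=203.0.113.11 user=bob result=FAIL
2024-01-28T20:07:42 src=198.51.100.7 user=carol result=FAIL
2024-01-28T20:12:09 src=203.0.113.12 user=dave result=FAIL
2024-01-28T20:15:55 src=198.51.100.8 user=erin result=FAIL
2024-01-28T20:19:30 src=203.0.113.13 user=frank result=FAIL
2024-01-28T20:20:01 src=192.0.2.5 user=alice result=OK
2024-01-28T21:30:00 src=192.0.2.9 user=grace result=FAIL
2024-01-28T21:30:20 src=192.0.2.9 user=grace result=FAIL
2024-01-28T21:31:00 src=192.0.2.9 user=grace result=OK
"""

def parse(text):
    """Turn the constructed log text into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), fields["src"], fields["user"], fields["result"]))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2, min_ips=3):
    """Return one (window_start, users, ips) alert per window whose failures look
    like a spray: at least min_users distinct accounts, none failing more than
    max_per_user times, spread over at least min_ips sources. A per-IP or
    per-account lockout counter would see at most one failure here and stay silent."""
    fails = sorted(e for e in events if e[3] == "FAIL")
    alerts, i = [], 0
    while i < len(fails):
        t0 = fails[i][0]
        per_user, ips, j = defaultdict(int), set(), i
        while j < len(fails) and fails[j][0] - t0 <= window:
            _, ip, user, _ = fails[j]
            per_user[user] += 1
            ips.add(ip)
            j += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user and len(ips) >= min_ips:
            alerts.append((t0, sorted(per_user), sorted(ips)))
            i = j  # consume the whole window so one spray yields one alert
        else:
            i += 1
    return alerts
```

Tune the thresholds to the tenant's normal failure rate; the second cluster in the sample (one user, one IP, two failures) is deliberately left unflagged because it matches a typo, not a spray.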
GeorgeD Posted April 10 (Author) (edited)
@Hemang Raval, saw your recent demo tomorrow about NetScaler Gateway server security. Have a scenario here that could use some attention. I've filed a case with the Citrix PSIRT team and am waiting on an answer regarding the gap in nFactor here.
Edited April 10 by GeorgeD
Morten Kallesøe Posted April 15
Yes, I am currently looking into implementing a similar feature to the one you are describing, and I don't think it will be possible before the next release of NetScaler (14.1 21.x and 13.1 52.x), as they will contain a WAF module that's loaded BEFORE the AAA vServer. But since the new protection is happening in WAF, you probably need a Premium license, and creativity also needs to be flexed to create proper policies. We will see when the new release hits the street.