Jump to content
Welcome to our new Citrix community!

Netscaler Citrix Gateway / AAA vserver Password Spray


Recommended Posts

Is anyone else having trouble with password sprays against their netscaler aaa vserver? 

we have a nfactor flow for ldap and mfa. we recently tested out bot management, but apparently that doesn't cover the AAA vserver. 


i found that a simple powershell web request to 

Invoke-WebRequest -Uri https://yourDomain.com/nf/auth/doAuthentication.do -Body "login=myUserName&passwd=fdsfdfdfd&saveCredentials=false&loginBtn=Log+On&StateContext=bG9naW5zY2hlbWE9" -Method Post -ContentType "application/x-www-form-urlencoded"


could easily lock out accounts on our system, we setup ldap filters etc, but still haven't found a great solution for slow password sprays rolling across multiple IPs. 


any help here would be greatly appreciated. 

we got a few suggestions from citrix and consultants to move the mfa factor up in nfactor flow. but that would likely be more annoying to users to have the pop up appear on their phones.

i also haven't tested it but i'm not sure if the url above aaa vserver even considers nfactor flow, which means that anything nfactor related wouldnt solve for this. 


Link to comment
Share on other sites

On 1/28/2024 at 8:01 PM, George David1709152738 said:

we recently tested out bot management, but apparently that doesn't cover the AAA vserver. 

Can you elaborate on this? BOT Management should analyze things like the User-Agent Header in requests and if globally bounded it should work for every Web-Based vServer

Link to comment
Share on other sites

i've tested with a few different loginschema options. i can't get the direct script post to /nf/auth/doAuthentication.do to be protected. 

it looks like most of the protections are within the pages logic, not against "/nf/auth/doAuthentication.do", so regardless it will be easy for any script to use this public endpoint and just attempt a username / password. 


my last test was using the default user/password/checkbox option on the netscaler. 

right now citrix support is saying that only an ACL will protect against this, but still trying to find more information 

Link to comment
Share on other sites

  • 2 months later...
Posted (edited)

@Hemang Raval saw your recent demo tomorrow about netscaler gateway server security. have a scenario here that could use some attention. 

I've filed a case with the citrix PSIRT team and waiting on an answer regarding the gap in nfactor here. 

Edited by GeorgeD
Link to comment
Share on other sites

Yes, i am currently looking into implementing a similar feature that you are describing, and i dont think it will be possible before the next release of NetScaler (14.1 21.x and 13.1 52.x) as they will contain a WAF module that's loaded BEFORE aaa vServer.

but since the new protection is happening in WAF, you properly need premium license, and the creativity also needs to be flexed to create proper policies. We will see when the new release hits the street.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...