
How to log requests that would be dropped by "Drop invalid HTTP Requests"



For security reasons, I would like to activate "Drop invalid HTTP requests" in the nshttp_default_profile.

Because there are already several content switches and load balancing vservers configured on our appliance, I would like to log the affected requests.

The best option would be to log potentially dropped requests before activating the setting.

I tried a rewrite policy as well as a responder policy with "http.req.is_valid.not", bound them globally and then sent invalid requests. I know the requests are invalid, because when setting "drop invalid http requests", they are actually dropped.

But the hit counter of both policies does not count up.

Did I do something wrong? Is this the wrong approach? Any other ideas?

Thanks!


Hello,

It's a request generated with Burp Suite which is able to trigger an HTTP Request Smuggling attack.

Setting "Drop invalid HTTP Requests" prevents this attack, but my policies with "http.req.is_valid.not" are not triggered.

I think the main reason why the request is dropped is that the Content-Length set in the header does not match the real content length (which is what makes the attack possible).


  • 1 month later...

Hi Nils,

The profile is dropping invalid requests before they are processed by the responder engine.
If you look at the VIP (or CS) statistics you will find the counter of invalid requests dropped and the rate.
For this reason the policy has no hits.

Regarding HTTP smuggling, you can mitigate this by applying the ns_http_default_strict_validation profile.
There is a Citrix guide here:

https://support.citrix.com/article/CTX282268/citrix-adc-http-request-smuggling-reference-guide

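One way to get the "log before you drop" behaviour the original poster is after, as an added example that is not code from this thread, from Citrix, or from the ADC itself: run captured requests through a small framing validator and emit a log line for each one that fails. The checks below (request-line grammar, header-name tokens, Content-Length that does not match the body, duplicate or non-numeric Content-Length, Content-Length together with Transfer-Encoding, whitespace before the colon) are an assumption based on RFC 9112 framing rules and on the Content-Length mismatch mentioned above; the exact criteria Citrix ADC applies for "Drop invalid HTTP requests" may differ. The sample requests at the bottom are constructed.

```python
"""Pre-flight validator for raw HTTP/1.1 request framing.

Added example, not code from the thread or from Citrix. It mimics the kind
of framing checks a proxy's "drop invalid HTTP requests" setting applies
(the exact Citrix ADC checks are an assumption) so that requests which would
be dropped can be logged from a capture before the setting is switched on.
"""

import re
from typing import List, Optional

# RFC 9112 request line and header-name token (tchar) grammar.
_REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def validate_request(raw: bytes) -> List[str]:
    """Return the reasons a complete, captured request is invalid ([] = valid)."""
    problems: List[str] = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["missing CRLFCRLF end of headers"]

    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1", "replace")
    if not _REQUEST_LINE.match(request_line):
        problems.append(f"malformed request line {request_line!r}")

    content_lengths: List[bytes] = []
    transfer_encodings: List[bytes] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append(f"header line without colon {line!r}")
            continue
        if name != name.strip():
            # "Content-Length : 5" style whitespace makes front and back end disagree
            problems.append(f"whitespace around header name {name!r}")
            name = name.strip()
        if not _TOKEN.match(name.decode("latin-1", "replace")):
            problems.append(f"illegal header name {name!r}")
            continue
        key, value = name.lower(), value.strip()
        if key == b"content-length":
            content_lengths.append(value)
        elif key == b"transfer-encoding":
            transfer_encodings.append(value)

    if content_lengths and transfer_encodings:
        problems.append("Content-Length and Transfer-Encoding both present")
    if len(set(content_lengths)) > 1:
        problems.append(f"conflicting Content-Length values {content_lengths}")
    bad_cl = [cl for cl in content_lengths if not cl.isdigit()]
    for cl in bad_cl:
        problems.append(f"non-numeric Content-Length {cl!r}")
    # Only meaningful for a complete captured request: a live stream with a
    # larger Content-Length would simply still be waiting for body bytes.
    if content_lengths and not transfer_encodings and not bad_cl:
        declared = int(content_lengths[0])
        if declared != len(body):
            problems.append(f"Content-Length {declared} but body is {len(body)} bytes")
    for te in transfer_encodings:
        codings = [c.strip().lower() for c in te.split(b",")]
        if codings[-1] != b"chunked":
            problems.append(f"Transfer-Encoding does not end in chunked {te!r}")
    return problems


def log_line(raw: bytes) -> Optional[str]:
    """One syslog-style line for an invalid request, or None if it is valid."""
    problems = validate_request(raw)
    if not problems:
        return None
    first = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return f"INVALID_HTTP_REQUEST request_line={first!r} reasons={'; '.join(problems)}"


# Constructed sample requests (not taken from the thread).
VALID = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 9\r\n\r\nuser=nils")
CL_MISMATCH = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 4\r\n\r\nuser=nils")
CL_AND_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for sample in (VALID, CL_MISMATCH, CL_AND_TE):
        print(log_line(sample) or "valid request")
```

Feed it the requests from a packet capture or a test client and ship the returned lines to the same syslog server the ADC will later report to; once the drop setting is enabled, the VIP statistics counter mentioned above becomes the authoritative count and this pre-flight check can be retired.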

Thinking about it:
I don't know at what level of the flow the policies bound to SYSTEM GLOBAL intervene, but you can give it a try.
You can try to configure a syslog policy with an external server including the "Debug" level (I suggest putting "ALL") and binding the policy to SYSTEM GLOBAL.

Doc:
https://support.citrix.com/article/CTX483235/send-logs-to-external-syslog-server

Then check whether the logs that arrive contain the details you are interested in.
