GeorgeD

@Hemang Raval saw your recent demo tomorrow about netscaler gateway server security. have a scenario here that could use some attention. I've filed a case with the citrix PSIRT team and waiting on an answer regarding the gap in nfactor here.

Is anyone else having trouble with password sprays against their netscaler aaa vserver? we have a nfactor flow for ldap and mfa. we recently tested out bot management, but apparently that doesn't cover the AAA vserver. i found that a simple powershell web request to Invoke-WebRequest -Uri https://yourDomain.com/nf/auth/doAuthentication.do -Body "login=myUserName&passwd=fdsfdfdfd&saveCredentials=false&loginBtn=Log+On&StateContext=bG9naW5zY2hlbWE9" -Method Post -ContentType "application/x-www-form-urlencoded" could easily lock out accounts on our system, we setup ldap filters etc, but still haven't found a great solution for slow password sprays rolling across multiple IPs. any help here would be greatly appreciated. we got a few suggestions from citrix and consultants to move the mfa factor up in nfactor flow. but that would likely be more annoying to users to have the pop up appear on their phones. i also haven't tested it but i'm not sure if the url above aaa vserver even considers nfactor flow, which means that anything nfactor related wouldnt solve for this.