Citrix NetScaler HTTPS Redirect Cross-Site Scripting (XSS) Vulnerability Report
Executive Summary
This report outlines a detected vulnerability in Citrix NetScaler devices that are configured to perform HTTP to HTTPS redirects. Security scanners have identified these redirects as susceptible to Cross-Site Scripting (XSS) attacks due to the way NetScaler appends the path and query of the original request to the redirected URL.
Issue Overview
- Affected Products: Citrix ADC, Citrix Gateway
- Vulnerability: Potential for Cross-Site Scripting (XSS) through HTTP to HTTPS redirects
- Identification Date: February 6, 2014
- Last Modified: October 18, 2023
Vulnerability Details
The vulnerability arises when the NetScaler device is configured to redirect HTTP requests to HTTPS without specifying an absolute URL path. Security scanners have mistakenly flagged this behavior as an XSS vulnerability, particularly when redirect requests include potentially malicious input.
Symptoms or Error
NetScaler Virtual IP (VIP) configured for HTTP to HTTPS redirect is erroneously flagged as vulnerable to XSS attacks by security scanning tools.
Solution
To mitigate this issue, the recommendation is to modify the redirect URL to an absolute path by appending a “/” (forward slash) to the end of the base URL. This change clarifies the redirect intent and prevents the misinterpretation by security scanners.
Configuration Command Example:
sql
add lb vserver <VIP_IP>_https_redirect HTTP <VIP_IP> 80 -persistenceType NONE -redirectURL "https://vip.domain.com/" -cltTimeout 180 -downStateFlush DISABLED
Cause of the Problem
The vulnerability flagging occurs due to a misunderstanding by scanning tools, which interpret relative HTTP to HTTPS redirects as potentially exploitable for XSS attacks.
Example of Misinterpreted Request:
javascript
GET /null.htw?CiWebHitsFile=/<script>xss</script>.aspx&CiRestriction=none&CiHiliteType=Full HTTP/1.1
Conclusion
The identified vulnerability is a result of a misinterpretation rather than an actual security flaw within the Citrix NetScaler configuration. Adjusting the redirect to use an absolute URL path effectively addresses the concern raised by automated security scans. This action should resolve any false positive flags related to XSS vulnerabilities in the context of HTTP to HTTPS redirection on Citrix NetScaler devices.
