This report covers a finding that security scanners raise against Citrix NetScaler virtual servers configured to redirect HTTP to HTTPS. Scanners report the redirect as Cross-Site Scripting (XSS) because, when the configured redirect URL carries no path, NetScaler appends the path and query string of the original request to the redirect target, so the scanner's test payload is echoed back to it in the redirect.
The flag appears when the NetScaler is configured to redirect HTTP requests to HTTPS with a redirect URL that does not specify an absolute URL path. Scanners treat the echoed request as reflected XSS, particularly when their probe request contains script tags or other malicious-looking input; this is a false positive, not an exploitable flaw.
Summary: a NetScaler Virtual IP (VIP) configured for HTTP to HTTPS redirect is erroneously flagged as vulnerable to XSS by security scanning tools.
To resolve the finding, change the redirect URL to an absolute URL with an explicit path by appending a "/" (forward slash) to the base URL. With a path present, NetScaler sends the client to exactly that URL instead of appending the original request's path and query, so the scanner's payload is no longer reflected. Note the side effect before making the change: every HTTP request, whatever its path, will then land on the HTTPS root rather than on the equivalent HTTPS path, so confirm that deep links over plain HTTP do not need to be preserved for the application.
Configuration Command Example:
add lb vserver <VIP_IP>_https_redirect HTTP <VIP_IP> 80 -persistenceType NONE -redirectURL "https://vip.domain.com/" -cltTimeout 180 -downStateFlush DISABLED
The flag is raised because the scanning tool finds its own request target reflected, unencoded, in the Location header of the redirect response and interprets that as reflected XSS. Because the value appears only in the Location header, which the browser follows rather than renders, it is not exploitable as XSS on its own; as a sanity check, confirm that the redirect response body does not also echo the requested URL.
Example of Misinterpreted Request:
GET /null.htw?CiWebHitsFile=/<script>xss</script>.aspx&CiRestriction=none&CiHiliteType=Full HTTP/1.1
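The following checker is an added example written for this report; it is not Citrix or NetScaler code. netscaler_location() models the two behaviours described above (a bare redirect URL has the original path and query appended, a redirect URL with a path is sent verbatim) so the block runs offline, and check_live() sends the same probe request to a real VIP over plain HTTP and classifies the Location header it gets back. The host name vip.domain.com is taken from the configuration example; the function names and the probe constant are assumptions made for this example.

```python
"""Classify an HTTP-to-HTTPS redirect as reflecting or not reflecting the request.

Added example (not Citrix/NetScaler code). netscaler_location() models the
behaviour described in the article: a redirectURL without a path gets the
original path and query appended, a redirectURL with a path is sent verbatim.
check_live() runs the same probe against a real VIP over the network.
"""
import http.client
from urllib.parse import unquote, urlsplit

# Scanner-style probe from the article; the script tag is the payload that
# gets reflected into the Location header.
PROBE_TARGET = (
    "/null.htw?CiWebHitsFile=/<script>xss</script>.aspx"
    "&CiRestriction=none&CiHiliteType=Full"
)


def netscaler_location(redirect_url: str, request_target: str) -> str:
    """Model of the Location value produced for a given -redirectURL.

    Assumption taken from the article: "https://vip.domain.com" (no path)
    has the request target appended; "https://vip.domain.com/" is sent as-is.
    """
    if urlsplit(redirect_url).path == "":
        return redirect_url + request_target
    return redirect_url


def reflects_request(request_target: str, location: str) -> bool:
    """True if the decoded Location contains the decoded request path/query.

    Decoding both sides means a percent-encoded echo (e.g. %3Cscript%3E)
    is still recognised as a reflection of the probe.
    """
    return unquote(request_target) in unquote(location)


def classify(location: str, request_target: str = PROBE_TARGET) -> str:
    """Verdict shared by the offline model and the live check."""
    if not location:
        return "no redirect"
    if reflects_request(request_target, location):
        return "reflects request target (scanner will flag as XSS)"
    return "fixed absolute target (no reflection)"


def check_live(host: str, port: int = 80, request_target: str = PROBE_TARGET,
               timeout: float = 5.0) -> tuple[int, str, str]:
    """Send the probe to a real VIP over plain HTTP and classify its Location.

    Returns (status, location, verdict). Network-only; not exercised offline.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", request_target, headers={"Host": host})
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        return resp.status, location, classify(location, request_target)
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration of the before/after redirectURL settings.
    for redirect_url in ("https://vip.domain.com", "https://vip.domain.com/"):
        loc = netscaler_location(redirect_url, PROBE_TARGET)
        print(f"-redirectURL {redirect_url!r}")
        print(f"  Location: {loc}")
        print(f"  verdict:  {classify(loc)}")
```

Run it as-is to see the before and after Location values side by side; call check_live("vip.domain.com") from a host that can reach the VIP on port 80 to test the actual device, before and after appending the trailing slash.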
The reported finding is a scanner misinterpretation rather than a security flaw in the NetScaler configuration. Changing the redirect to an absolute URL with an explicit path stops the original request's path and query from being appended, removes the reflection the scanner keys on, and clears the false positive XSS flags raised against HTTP to HTTPS redirection on Citrix NetScaler devices.