Recently a friend asked a question: how is it possible to bypass a responder policy? They knew it had happened, but they could not reproduce it.
HTML Encoding
HTML encoding (more precisely, URL percent-encoding) is a simple trick that attackers have used for ages. Any character may be encoded using an encoding table, as a % followed by the character's two-digit hex code. So instead of requesting https://192.168.200.10/images/Berners-Lee,jpg you might request something like https://192.168.200.120/%69%6d%61%67%65%73%2fBerners-Lee,jpg.
This strictly follows the standard. Nobody writes URLs this way, as it is a lot of overhead, but the web server will understand it for sure. Unfortunately, responder policies don't.
The Citrix ADC solution
The problem mentioned above does not apply to Citrix WAF, because the web application firewall built into Citrix ADC's premium edition (formerly NetScaler Platinum edition) decodes URLs before evaluating them.
It's easy to protect a URL like https://192.168.200.120/images/Berners-Lee,jpg using responder policies. It would look like:
add responder policy res_pol_protect_apples "HTTP.REQ.URL.EQ(\"/images/Berners-Lee,jpg\")" DROP
In the case of IIS (IIS is not case sensitive) it has to look like this:
add responder policy res_pol_protect_apples "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/images/Berners-Lee,jpg\")" DROP
This drops "legitimate" requests to this URL, but encoded requests pass through easily. So we have to decode first:
add responder policy res_pol_protect_apples "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).DECODE_USING_TEXT_MODE.EQ(\"/images/Berners-Lee,jpg\")" DROP
This policy even blocks https://192.168.200.10/%69%6d%61%67%65%73%2fBerners-Lee,jpg.
For some reason I don't understand, this policy does not block non-encoded URLs, so the final policy has to look like this:
add responder policy res_pol_protect_apples "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).DECODE_USING_TEXT_MODE.EQ(\"/images/Berners-Lee,jpg\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/images/Berners-Lee,jpg\")" DROP
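To make the bypass and the fix tangible, here is an added Python model of the three policy variants above (this is example code, not part of the post and not Citrix ADC code). It models the intended semantics of each expression on constructed sample requests and lists which requests reach the protected path without being dropped; it does not reproduce the ADC quirk mentioned above, so the decoded variant also blocks the plain URL here.

```python
from urllib.parse import unquote

# Protected path exactly as written in the post (comma included).
PROTECTED = "/images/Berners-Lee,jpg"


def match_exact(url: str) -> bool:
    """Models HTTP.REQ.URL.EQ(...): byte-for-byte comparison."""
    return url == PROTECTED


def match_ignorecase(url: str) -> bool:
    """Models HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(...)."""
    return url.lower() == PROTECTED.lower()


def match_decoded_ignorecase(url: str) -> bool:
    """Models ...SET_TEXT_MODE(IGNORECASE).DECODE_USING_TEXT_MODE.EQ(...):
    percent-decode the request URL first, then compare case-insensitively."""
    return unquote(url).lower() == PROTECTED.lower()


def final_policy(url: str) -> bool:
    """The OR'ed final policy from the post."""
    return match_decoded_ignorecase(url) or match_ignorecase(url)


# Constructed sample requests (not captured traffic). All but "other"
# resolve to the protected file on a case-insensitive server such as IIS.
SAMPLES = {
    "plain": "/images/Berners-Lee,jpg",
    "upper": "/IMAGES/Berners-Lee,jpg",
    "encoded": "/%69%6d%61%67%65%73%2fBerners-Lee,jpg",
    "partial": "/images/%42erners-Lee,jpg",
    "other": "/images/other.jpg",
}


def reaches_protected(url: str) -> bool:
    """What the web server actually serves after decoding and case-folding."""
    return unquote(url).lower() == PROTECTED.lower()


def bypasses(matcher) -> list:
    """Sample names that hit the protected file but are NOT dropped by matcher."""
    return [n for n, u in SAMPLES.items() if reaches_protected(u) and not matcher(u)]


if __name__ == "__main__":
    for m in (match_exact, match_ignorecase, match_decoded_ignorecase, final_policy):
        print(f"{m.__name__:26} bypassed by: {bypasses(m)}")
```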
I hope this helps. Drop me a message if you run into trouble!