Protecting a URL using Citrix ADC responder policies


Recently a friend asked a question: How is it possible to bypass a responder policy. They knew it happened, but they could not reproduce.

HTML- Encoding

HTML Encoding is a stupid trick, used by hackers ever since. Any character may get encoded using a encoding table. So instead of using,jpg you might use something like,jpg.

This is strictly following standards. No one does, as it is huge overhead, but the web server would understand for sure. Unfortunately, responder policies don’t.

The Citrix ADC solution

The problem mentioned above does not apply to Citrix WAF, as the web application firewall, built into Citrix ADC’s premium edition (formerly NetScaler Platinum edition) decodes URLs.

It’s easy to protect an URL like,jpg using reponder policies. It would look like:

add responder policy res_pol_protect_apples "HTTP.REQ.URL.EQ(\"/images/Berners-Lee,jpg\")" DROP

In case of IIS (IIS is not case sensitive) it has to look like that:

add responder policy res_pol_protect_apples "HTTP.REQ.URL.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/images/Berners-Lee,jpg\")" DROP

This drops “legitimate” requests to this URL. But encoded requests will pass through easily. So we have to decode first.

add responder policy res_pol_protect_apples "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).DECODE_USING_TEXT_MODE.EQ(\"/images/Berners-Lee,jpg\")" DROP

This policy even blocks,jpg.

For some reason I dodn’t understand, this policy does not block non-encoded URLs, so the final policy has to look like that:

add responder policy res_pol_protect_apples "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).DECODE_USING_TEXT_MODE.EQ(\"/images/Berners-Lee,jpg\") || HTTP.REQ.URL.URL.SET_TEXT_MODE(IGNORECASE).EQ("/images/Berners-Lee,jpg\")" DROP

I hope, this helps. Drop me a message, if you run into trouble!

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He had been borne in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (

Add comment

By Johannes Norz

Recent Posts

Recent Comments