AppFW-SPO Lab Guide - Citrix Synergy Labs Home Page

NetScaler Application Firewall
Self-Paced Online Lab Exercise Guide
November 2013
Page 1
Table of Contents
Table of Contents (page 2)
Overview (page 2)
Exercise 1: Configure a Vserver and Service on the NetScaler Appliance (page 6)
Exercise 2: Configure Application Firewall protection using the wizard + signatures (page 12)
Exercise 3: Configuring Application Firewall profiles and policies (page 21)
Exercise 4: Error Pages & Start URLs (page 27)
Exercise 5: SQL Injection (page 35)
Exercise 6: Stored Cross Site Scripting (page 39)
Exercise 7: Cenzic and Qualys Integration (page 43)
Exercise 8: Form Field Consistency (page 46)
Exercise 9: Cookie Protection / Proxying (page 53)
Exercise 10: Learning (page 57)
Exercise 11: HTML Comment Stripping (page 60)
Overview
Hands-on Training Module
This training module has the following details:
Objective: This lab provides hands-on training of the Application Firewall feature on the NetScaler appliance.
Audience: Primary: Partners and customers
Lab Environment Details
Machine | Details | IP Address
XenServer | Hosts virtual machines | (provided on the portal)
Site2-AD.training2.lab | Active Directory Server for the training2.lab domain | 192.168.20.11
Site2-NetScaler_AppFW | NetScaler appliance used for the Application Firewall exercises | 192.168.20.50
Site2-WebGoat | Tomcat server running a demo web application | 192.168.20.20
Site2-Win7Client | Windows workstation | 192.168.20.201
Other IPs used in the Lab
IP Address | Purpose
192.168.20.60 | Subnet IP (SNIP) for the NetScaler
192.168.20.150 | Virtual IP (VIP) for the WebGoat Virtual Server
Lab Topology Diagram
NOTE: If prompted with a dialog to restart on any virtual machine, always select Restart Later.
Required Lab Credentials
Below are the login credentials required to connect to the workshop system and complete the lab exercises.
Machine | Username | Password
Site2-AD.training2.lab | Training2\Administrator | Citrix123
Site2-NetScaler_AppFW | nsroot | nsroot
Site2-WebGoat | Training2\Administrator | Citrix123
Site2-Win7Client | Training2\Administrator | Citrix123
How to log into the lab environment
The self-paced lab environment is hosted on a cloud-based Citrix XenServer. Connecting to your server from the portal page is as easy as 1-2-3.
Step-by-step login instructions
1. Once logged in at the self-paced portal, click the Start lab button to launch a connection to published XenCenter.
2. When XenCenter loads, right-click the XenCenter node and select Add…
3. On the Add New Server screen enter the XenServer IP address provided on the portal and in the Password field enter the password provided on the portal. The user name will always be root.
Exercise 1: Configure a Vserver and Service on the NetScaler Appliance
Overview
We are going to run a vulnerable web application designed to demonstrate different flaws that can occur in web design and implementation. This will be the web server. In this exercise, we will configure Virtual Servers and Virtual IPs so that the appliance can receive HTTP requests on port 80 and forward them on to the vulnerable web server.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
1. First, we will turn on our vulnerable web application. If you are using full screen on your Site2-Win7Client VM, press CTRL-Enter to exit.
2. Select the Site2-WebGoat VM in XenCenter, and choose the Console tab.
NOTE: For better performance, switch to a Remote Desktop connection.
3. Log in with the following credentials: training2\administrator / Citrix123
4. Launch WebGoat (the vulnerable web application) by clicking on the StartWebGoat shortcut located on the Desktop.
5. The rest of the lab will use the Site2-Win7Client VM. From this machine, we will complete the necessary NetScaler configuration as well as perform the attacks. In XenCenter, switch to this VM and select the Console tab.
NOTE: Remember to switch to a Remote Desktop connection for better performance.
6. Open Internet Explorer and log into the NetScaler configuration utility at http://192.168.20.50 (Username: nsroot, Password: nsroot). Expand the Load Balancing node.
7. Click on Virtual Servers and click the Add button.
8. On the Services tab click the Add button, ensure HTTP is selected, enter the service name (webgoat-svc) and port 80, and enter 192.168.20.20 in the Server field. Click Create.
9. You have just created a service 'on the fly'. It should be listed as UP in the Create Virtual Server window. Enter a name for the virtual server (e.g. webgoat-vserver) and set the IP address to 192.168.20.150.
10. Click Create and Close. You should see the virtual server listed and in an UP state.
11. If the virtual server is not UP, revise your settings.
12. Open Firefox, and enter the following URL: http://192.168.20.150/WebGoat/attack (note the upper-case letters in WebGoat). You should be prompted to enter credentials. Use webgoat/webgoat for the username and password respectively to access the application.
13. The application should look like this when you log in. Click Start to reach the main menu.
14. Please SHUT DOWN Firefox, as we will need to initiate a new session later.
Summary
Key Takeaways
The key takeaways for this exercise are:
- Starting our vulnerable application, which we will use to demonstrate the protection features of the NetScaler Application Firewall.
- How to create a Virtual Server and Service on the appliance. This virtual server entity will listen for traffic and pass it through to the web server.
Exercise 2: Configure Application Firewall protection using the wizard + signatures
Overview
In this exercise you will use the Application Firewall wizard to demonstrate how easily and quickly you can protect your web application from known attacks.
Step by step guidance
Estimated time to complete this lab: 15 minutes.
1. Navigate in the Configuration Utility to the Application Firewall node, right-click the yellow circle, and choose Enable Feature.
2. With the Application Firewall node selected on the left-hand side, you should be able to see the Application Firewall Wizard in the right-hand window pane as shown below. Start the wizard.
3. Read through the intro text and click Next.
4. Give your configuration a name, e.g. Wizard-Profile, and click Next.
5. Delete the word true and click the Add button to create an expression. This expression determines which of the traffic flowing through the Application Firewall module is of interest, so that the correct rules are applied to it.
6. In the expression field, enter CLIENT.IP.DST.EQ(192.168.20.150) to signify the VIP as the destination IP. Click OK and click Next.
7. Now you need to choose which technologies you are running on your web server. In our example, we will select IIS and PHP and click Next.
NOTE: In a real-life scenario this is where you need some basic knowledge of the application you are protecting and the web architecture hosting it.
8. You will notice that there are 147 PHP signatures and 139 Microsoft IIS signatures pre-loaded on the appliance. These are imported from Snort (a network intrusion detection system for UNIX and Windows) and loaded onto the appliance by default. At this point, we can choose to block all attacks covered by the signatures or select only the ones we are interested in. In this example, we will take granular control of the attacks and policies to block: click on More for the PHP signatures.
9. Select Block for the WEB-PHP admin.php access signature. If you cannot find it easily, look at the Source-ID.
10. If you click on the >> at the end of the signature, you will see links to the BugTraq and CVE entries which describe the vulnerability. Click Close to return to the Vulnerability List window.
11. To commit the protection selected, click OK at the bottom of the Configure Actions for Signatures window and click Next.
12. To continue with the wizard, click Next. Note that in the PHP section there is a partial selection for a Block action.
13. We will configure deep protections later in a more granular fashion. However, if you want a one-stop shop for multi-level protection, this is where you can configure it. Once you complete this configuration, you can use the wizard to return and amend it later if you wish. Select Next to continue.
14. Review the summary. There should be one signature with blocking turned on. Click Finish to finalize the wizard.
15. Once all the rules are committed, click on Exit to leave the wizard.
NOTE: We will configure error objects and other options later on.
16. Open Firefox. In your browser window, enter the following URL: http://192.168.20.150/WebGoat/attack/admin.php
17. When you press Enter, your browser should display a blank white page, and the URL will change to http://192.168.20.150/. This means that the request was blocked and redirected.
18. To view the blocking log, return to Internet Explorer and the NetScaler UI. Expand Application Firewall > Policies and select the Auditing node (select it, but do not expand it).
19. In the right-hand window pane, click on Syslog Messages.
20. Select APPFW from the Module dropdown, and click on one of the messages. You will see the violation details below. Note the action: blocked! Click Close to return to the previous window.
Summary
Key Takeaways
The key takeaways for this exercise are:
- Using the wizard to select signatures to protect your web application.
- Attacks that are identified by signatures can be blocked in seconds.
- More in-depth blocks can be configured too; we will look at those next.
NOTES
Click on Application Firewall > Profiles. You will see the profile created by the wizard. You can modify this through the wizard, or directly from here.
Click on Application Firewall > Policies. You will see the policy created by the wizard. You can modify this through the wizard, or directly from here.
The wizard binds policies globally, which means all traffic is evaluated against the expression you configured. It is important to use an expression that will isolate only the traffic you want to protect.
Exercise 3: Configuring Application Firewall profiles and policies
Overview
In this exercise we will configure the application firewall logging, and create a profile and policy which can be used to protect our web application. The functionality provided by creating a profile and policy is the same as using the wizard, but it allows for more granular control.
Step by step guidance
Estimated time to complete this lab: 15 minutes.
1. Click on the Application Firewall node in the configuration utility, and click on Change Engine Settings in the right-hand pane of the window.
2. Scroll down to the 5th option from the bottom, and enable CEF Logging. Click OK.
3. OPTIONAL: If you did not enable the Application Firewall in a previous exercise, right-click on the Application Firewall node, and choose Enable Feature as shown below.
4. Click on Profiles > Add. Give your profile a name, select the Basic radio button, choose Web 2.0 Application (HTML, XML, REST) as the profile type, and click Create. After the profile is created successfully, click Close.
5. For now, we will turn off blocking for all the attack types. In a later exercise we will configure additional blocking actions. Open the profile you just created, select the Security Checks tab, deselect all the tick boxes in the Block column, and check all the Learn tick-boxes.
6. Click OK to save the profile.
7. Next, we are going to create a new policy that makes use of our new profile. Navigate to Application Firewall > Policies > Firewall.
8. Click Add, give it a name (e.g. AppFW-Pol), and choose your newly created profile from the drop-down.
9. Next, we will create an expression so that only traffic destined to the virtual server is processed by this policy. Under the Expression window, click Add, and configure it as shown on the screenshot below.
10. Click OK at the expression editor and click Create to create the policy. Now click Close.
11. The last step is to bind the policy to our Load Balanced Virtual Server. Click on Policy Manager under the Application Firewall > Policies > Firewall node.
12. Click LB Virtual Server, and then click the Load Balanced virtual server you created previously. Click Insert Policy.
13. Select AppFW-Pol from the list and then click Apply Changes.
14. Now double-click on Default Global and note the globally bound policy created by the wizard.
NOTE: We will use Internet Explorer to configure the appliance and use only Firefox to test the vulnerabilities. This saves you from constantly logging on and off the NetScaler configuration utility while we test each vulnerability.
15. Launch Firefox and navigate to the WebGoat landing page: http://192.168.20.150/WebGoat/attack
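Once CEF logging is enabled (step 2 above), the syslog messages you inspected in Exercise 2 step 20 are written as CEF records, which is what makes them easy to ship to a SIEM or to mine for relaxations. As an added example, not part of the lab guide or of NetScaler, here is a small Python parser for such records: it splits the seven pipe-separated header fields from the key=value extensions (honouring the CEF escaping rules) and summarises violations by category and by whether the appliance blocked them. The sample lines are constructed to resemble the appliance's output; the exact field layout is an assumption.

```python
"""Added example: parsing Application Firewall CEF audit records.

This is illustrative code, not part of the lab guide or of NetScaler. It assumes the
general CEF layout (seven pipe-separated header fields followed by key=value
extensions); the sample lines below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict

# Constructed sample records in the shape the Application Firewall emits once CEF
# logging is enabled (exercise 3, step 2). Field values are made up.
SAMPLE_LOG = """\
CEF:0|Citrix|NetScaler|NS10.1|APPFW|APPFW_SIGNATURE_MATCH|6|src=192.168.20.201 spt=54321 method=GET request=http://192.168.20.150/WebGoat/attack/admin.php msg=Signature violation rule ID 1234: web-php admin.php access cn1=10 cn2=1 cs1=Wizard-Profile cs2=PPE0 cs3=abcd cs4=ALERT cs5=2013 act=blocked
CEF:0|Citrix|NetScaler|NS10.1|APPFW|APPFW_STARTURL|6|src=192.168.20.201 spt=54322 method=GET request=http://192.168.20.150/WebGoat/attack msg=Disallow Illegal URL. cn1=11 cn2=2 cs1=test-basic-profile cs2=PPE0 cs3=efgh cs4=ALERT cs5=2013 act=not blocked
"""

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")                # pipes that are not escaped as \|
_EXT_SPLIT = re.compile(r" (?=[A-Za-z][A-Za-z0-9]*=)")  # spaces that start a new key=


@dataclass
class CefEvent:
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str          # violation category, e.g. APPFW_STARTURL
    severity: int
    ext: Dict[str, str]

    @property
    def profile(self) -> str:
        return self.ext.get("cs1", "")

    @property
    def blocked(self) -> bool:
        return self.ext.get("act", "").strip().lower() == "blocked"


def _unescape(text: str) -> str:
    return text.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line: str) -> CefEvent:
    """Split one CEF record into its header fields and extension dictionary."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line)
    header = [_unescape(p) for p in parts[1:7]]
    ext: Dict[str, str] = {}
    for pair in _EXT_SPLIT.split(parts[7]):
        key, _, value = pair.partition("=")
        ext[key] = _unescape(value)
    return CefEvent(header[0], header[1], header[2], header[3], header[4],
                    int(header[5]), ext)


def summarize(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count records per violation category, split by whether the AppFW blocked them."""
    counts: Dict[str, Dict[str, int]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_cef(line)
        bucket = counts.setdefault(event.name, {"blocked": 0, "not blocked": 0})
        bucket["blocked" if event.blocked else "not blocked"] += 1
    return counts


if __name__ == "__main__":
    for category, bucket in summarize(SAMPLE_LOG).items():
        print(category, bucket)
```

The "not blocked" bucket is the one to watch while a profile runs in learn/log-only mode, as ours does after step 5: those are the violations that would have been blocked had the Block action been on, so they are the candidates for a relaxation or for turning blocking on.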
Summary
Key Takeaways
The key takeaways for this exercise are:
- Creating Application Firewall Profiles. Note the different 'actions' in the profile: Block, Log, Stat, and Learn.
- The profile does nothing unless it is used in an Application Firewall Policy.
- The policy must be bound somewhere (either on the Virtual Server or globally), otherwise traffic will not flow through the Application Firewall module and it will not be protected.
NOTES
There are many different expressions that can be used to invoke the Application Firewall Policy. We used a destination IP address expression. Can you think of any other ways of segregating the traffic you need to protect from other HTTP traffic?
There are 3 different ways to bind a policy:
1. One can bind a policy using the Policy Manager, as shown in this exercise.
2. The virtual server can be opened, and there is a policy tab. Click the >> symbol and choose Application Firewall. One can insert a policy here.
3. Use the Command Line Interface.
Exercise 4: Error Pages & Start URLs
Overview
In this exercise we will look at creating a meaningful error page which can be used during user acceptance testing (UAT) to give the application user information about what feature caused their request to be blocked. This is not something you would put on your production profile!!
We will also look at defining a starting point to an application, and blocking requests which do not match our "allowed" URLs.
At the moment, when you get blocked, the Application Firewall serves a 302 response back to the root of the site, whereupon you are then served with an HTTP 400 error response:
Step by step guidance
Estimated time to complete this lab: 15 minutes.
1. Return to Internet Explorer. Navigate to the Application Firewall node, expand it, and select Profiles.
2. Select the profile created before and click Open.
3. Click on the Security Checks tab and select Block on the Start URL option.
4. Click on the two >> symbols under More, and de-select Enforce URL Closure.
5. Click OK to return to the Security Checks window. Now click on the Settings tab.
6. Select HTML Error Object and click on the Import button.
7. Click Add at the bottom of the page.
8. In the Name field, at the top, enter your error object name (e.g. AppFWCustErrorPage).
9. Paste in the following text (this text is also in a text file located in the C:\Files folder):
<html>
<head>
<title>Application Firewall Block Page</title>
</head>
<body>
<h1><B>Your request has been blocked by a security policy</B><BR></h1>
<H3>Access has been blocked - if you feel this is in error, please contact the site administrators quoting the following: </H3>
<UL>
<li>NS Transaction ID: ${NS_TRANSACTION_ID}
<li>AppFW Session ID: ${NS_APPFW_SESSION_ID}
<li>Violation Category: ${NS_APPFW_VIOLATION_CATEGORY}
<li>Violation Details: ${NS_APPFW_VIOLATION_LOG}
</UL>
</body>
</html>
10. Click Create, and click Close to return to the previous window.
11. You should now be back at the Settings tab. Choose the page you have just created from the dropdown. Click OK.
12. Revisit the WebGoat URL: http://192.168.20.150/WebGoat/attack. Note that you have been blocked, and the Violation Category is APPFW_STARTURL.
13. Next, we will use the System Log messages to deploy a relaxation rule. Expand Application Firewall > Policies > Auditing and click on Syslog Messages in the right-hand window pane.
14. Select AppFW from the Module dropdown. Right-click the entry that contains the block action and select the Edit & Deploy option.
15. Verify that the URL we are adding is:
^http://192\.168\.10\.25/WebGoat/attack$
Then click Deploy and Close.
16. Close Firefox and re-open the same link again to navigate to the WebGoat landing page. You should see the WebGoat start page, and the request is now allowed.
17. When the landing page loads, click the Start button.
18. Click on General and Http Basics on the left-hand side, as shown below. The request should get blocked and redirected to the error page. This is because the Application Firewall sees a URL that is not in the Start URL 'relaxation' list.
19. Return to Internet Explorer where you have the NetScaler configuration utility. Navigate to Application Firewall > Profiles and open the test-basic-profile object again.
20. Click on Security Checks, and click on Start URL.
21. Click on the two >> symbols under the More column, and select Enforce URL Closure.
22. Click OK and OK again.
23. Close down Firefox, and re-open it to start a new session. Clear the browser cache. Revisit the WebGoat page: http://192.168.20.150/WebGoat/attack, and attempt to open the Http Basics link. You are no longer blocked.
24. Enter the following (manually) into your browser:
http://192.168.20.110/WebGoat/attack/some/random/url
Note that you get blocked, as this URL is not linked from that page.
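The three outcomes of this exercise (the start URL allowed by a relaxation, a linked page allowed only once URL closure is on, and an unlinked random URL always blocked) follow from one small piece of per-session state. As an added example, not part of the lab guide or of NetScaler, the Python below models that logic and renders a shortened version of the error object with the same ${...} placeholders the lab's error page uses. The landing-page HTML and the abbreviated error object are constructed for the example; the check is a simplification of the real Start URL security check.

```python
"""Added example: Start URL allow-list, URL closure and the error object.

Illustrative code, not part of the lab guide or of NetScaler. It models the Start URL
check of exercise 4: a request is allowed if it matches a Start URL relaxation or, when
URL closure is enforced, if it was linked from a page already served in the session.
The landing-page HTML and the shortened error object are constructed for the example.
"""
import re
from string import Template
from typing import List, Optional, Set
from urllib.parse import urljoin

LANDING = "http://192.168.20.150/WebGoat/attack"

# Start URL relaxations: anchored regexes for the URLs a session may begin at.
START_URLS = [re.compile(r"^http://192\.168\.20\.150/WebGoat/attack$")]

# Constructed, shortened stand-in for the HTML error object imported in step 9;
# the ${...} placeholders are the ones the lab's error page uses.
ERROR_OBJECT = Template(
    "<h1>Your request has been blocked by a security policy</h1>"
    "<li>Violation Category: ${NS_APPFW_VIOLATION_CATEGORY}"
    "<li>Violation Details: ${NS_APPFW_VIOLATION_LOG}")

# Constructed landing page: it links to the Http Basics lesson with a relative URL.
LANDING_HTML = '<a href="attack?Screen=1&menu=100">Http Basics</a>'

_LINK = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']+)["']""", re.I)


class StartUrlCheck:
    def __init__(self, enforce_url_closure: bool) -> None:
        self.enforce_url_closure = enforce_url_closure
        self.session_urls: Set[str] = set()   # URLs linked from pages already served

    def check(self, url: str) -> Optional[str]:
        """Return None when the request is allowed, else the rendered error page."""
        if any(pattern.search(url) for pattern in START_URLS):
            return None
        if self.enforce_url_closure and url in self.session_urls:
            return None
        return ERROR_OBJECT.substitute(
            NS_APPFW_VIOLATION_CATEGORY="APPFW_STARTURL",
            NS_APPFW_VIOLATION_LOG="Disallow Illegal URL: " + url)

    def learn_links(self, page_url: str, html: str) -> None:
        """Response path: remember the links on a served page for URL closure."""
        if not self.enforce_url_closure:
            return
        for link in _LINK.findall(html):
            self.session_urls.add(urljoin(page_url, link))


def walk(enforce_url_closure: bool) -> List[str]:
    """Replay the lab's three requests and report allowed/blocked for each."""
    fw = StartUrlCheck(enforce_url_closure)
    requests = [LANDING,                          # steps 12/16: the start URL
                LANDING + "?Screen=1&menu=100",   # steps 18/23: the Http Basics link
                LANDING + "/some/random/url"]     # step 24: linked from nowhere
    verdicts = []
    for url in requests:
        error_page = fw.check(url)
        verdicts.append("blocked" if error_page else "allowed")
        if error_page is None and url == LANDING:
            fw.learn_links(url, LANDING_HTML)     # the landing page was served
    return verdicts


if __name__ == "__main__":
    print("URL closure off:", walk(False))
    print("URL closure on: ", walk(True))
```

With closure off the second request is blocked exactly as in step 18; with closure on it passes as in step 23, while the random URL stays blocked in both modes because nothing served in the session linked to it.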
Summary
Key Takeaways
The key takeaways for this exercise are:
- Start URLs define how you want users to enter your application.
- Turning on URL Closure means they can follow any path through the application as long as it is linked.
- You can deploy 'relaxations' or exceptions to the rule by turning on CEF logging and viewing the logs on the appliance.
Exercise 5: SQL Injection
Overview
In this exercise we will execute a SQL Injection attack against the WebGoat application. The attack will succeed until we turn on blocking on the Application Firewall Profile.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
1. Close Firefox. Re-open it and navigate to the WebGoat menu page: http://192.168.20.150/WebGoat/attack. Click on Injection Flaws and select How to perform Numeric SQL Injection.
2. In the field Enter your Account Number type the following:
101 OR 1=1
3. Click Go. You should now see all the records from the database.
NOTE: Do you understand the logic of the SQL query, and how this attack works? Refer to the following article for additional information: http://en.wikipedia.org/wiki/SQL_injection
4. In the NetScaler configuration utility, open your profile, click on Security Checks, and enable the Block checkbox for HTML SQL Injection.
5. Click the two >> to drill down into the SQL Injection protection settings. De-select the option Restrict checks to fields containing SQL special characters. Click OK, and OK again to save the changes to the profile.
6. Return to the WebGoat application, and click Restart this Lesson as shown below.
7. Attempt the same injection once more. Note that you now receive the error page and this type of attack is blocked.
Summary
Key Takeaways
The key takeaways for this exercise are:
- Performing basic numeric SQL Injection.
- Viewing the log files and turning on protection against this type of injection.
NOTES
The string injection can be achieved by using the following:
smith' or '1=1
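To see why the payload above returns every row, and what the fix looks like on each side, here is an added Python example (not part of the lab guide, WebGoat or NetScaler). It runs the numeric payload against a constructed in-memory SQLite table through a concatenated query and through a parameterised one, and includes a deliberately simplified model of the HTML SQL Injection check with its "restrict checks to fields containing SQL special characters" option; how that option behaves is an assumption drawn from the lab's own observation that it has to be turned off (step 5) before the keyword-only numeric payload is caught.

```python
"""Added example: why "101 OR 1=1" works, the hardened query, and a model of the check.

Illustrative code, not part of the lab guide, WebGoat or NetScaler. The table is a
constructed stand-in for WebGoat's account data; looks_like_sql_injection() is a much
simplified model of the HTML SQL Injection check and of its "restrict checks to fields
containing SQL special characters" option (an assumption about that option's behaviour,
based on the lab needing it off before the numeric payload is blocked).
"""
import re
import sqlite3
from typing import List, Tuple

NUMERIC_PAYLOAD = "101 OR 1=1"      # exercise 5, step 2
STRING_PAYLOAD = "smith' or '1=1"   # exercise 5 notes


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the WebGoat account data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_data (userid INTEGER, last_name TEXT, cc_number TEXT)")
    db.executemany("INSERT INTO user_data VALUES (?, ?, ?)", [
        (101, "Snow", "987654321"),
        (102, "Smith", "2234200065411"),
        (103, "Plane", "333498703333"),
    ])
    return db


def lookup_vulnerable(db: sqlite3.Connection, account: str) -> List[Tuple[int, str]]:
    """The lesson's style of query: the input is glued into the SQL text, so it can
    change the grammar of the WHERE clause ("userid = 101 OR 1=1" holds for every row)."""
    sql = "SELECT userid, last_name FROM user_data WHERE userid = " + account
    return db.execute(sql).fetchall()


def lookup_parameterized(db: sqlite3.Connection, account: str) -> List[Tuple[int, str]]:
    """The application-side fix: a bound parameter is only ever compared as a value."""
    sql = "SELECT userid, last_name FROM user_data WHERE userid = ?"
    return db.execute(sql, (account,)).fetchall()


SQL_KEYWORDS = {"select", "insert", "update", "delete", "drop", "union", "or", "and"}
SQL_SPECIAL = ("'", '"', ";", "--", "/*", "*/")


def looks_like_sql_injection(value: str, restrict_to_special_chars: bool) -> bool:
    """Simplified model of the WAF check. With restrict_to_special_chars set, a field
    is only examined when it carries a quote or comment token, which is why the lab
    turns that option off before the keyword-only numeric payload gets blocked."""
    has_special = any(token in value for token in SQL_SPECIAL)
    if restrict_to_special_chars and not has_special:
        return False
    words = set(re.findall(r"[a-z]+", value.lower()))
    return has_special or bool(words & SQL_KEYWORDS)


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_vulnerable(db, NUMERIC_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, NUMERIC_PAYLOAD))
```

The parameterised query returns nothing for the payload because the whole string is compared against the integer column as a value, not parsed as SQL. The appliance's check is a compensating control in front of an application you cannot fix immediately; parameterised queries remain the fix.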
Exercise 6: Stored Cross Site Scripting
Overview
In this exercise we will perform cross site scripting, then enable XSS protection on the Application Firewall, and confirm that the appliance will block this attack.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
1. Return to Firefox and reload the WebGoat page. In the left-hand menu, browse to Cross-Site Scripting (XSS) and click on How to Perform Stored Cross Site Scripting (XSS). For this vulnerability, WebGoat uses a text field input that attackers can leverage to submit and store malicious scripts on a known site.
2. Enter some text in the title, e.g. "Win an iPad".
3. To simulate a JavaScript XSS attack, enter the following line in the Message body:
<script type="text/javascript">alert("Script Executed")</script>
Click Submit.
NOTE: The text above is also stored in a text file called XSS.txt in the C:\Files directory on the Site2-Win7Client VM if you would like to copy and paste it.
4. You will now see your message with a link to the title. Click on the link; you should see the following alert message indicating that the script has executed. Fortunately, this script does nothing other than send an alert; however, other scripts might not be so friendly!
5. Back in Internet Explorer, return to the NetScaler configuration utility. Open up your Application Firewall profile, and turn on blocking for HTML Cross-Site Scripting. Click OK.
6. Return to WebGoat, and attempt to add a new message using the same script.
7. Confirm that you are blocked by the Application Firewall.
8. Rather than blocking the request, you might want to transform the script into HTML-safe code. For this, we can use some of the Transformation options under the HTML Cross-Site Scripting check. Return to the Cross-Site Scripting security check, turn OFF blocking, and turn ON Transform cross-site scripts and Check complete URLs for cross-site scripting. Click OK and OK.
9. Perform the same attack again, and note that it allows you to submit the form. However, when you click on the title, no script is executed as the < and > characters are transformed into HTML-safe characters: "%26lt;" and "%26gt;" (Hint: inspect the source to verify). This means the browser displays the symbol, but does not interpret it as the beginning of a script.
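The two configurations tried in steps 5 and 8 give different outcomes for the same input: Block rejects the request, Transform lets it through with the angle brackets rewritten. As an added example, not part of the lab guide, WebGoat or NetScaler, the Python below models both outcomes and checks whether a live script element survives in the page that echoes the stored message. The message page is a constructed stand-in and the tag detection is a simplification of the real check.

```python
"""Added example: blocking versus transforming a stored cross-site script.

Illustrative code, not part of the lab guide, WebGoat or NetScaler. xss_check() models
the two outcomes of exercise 6: with blocking on, a request carrying a tag is
rejected; with "Transform cross-site scripts" on, < and > are rewritten so the stored
message renders as text. render_message() is a constructed stand-in for the page that
echoes the stored message.
"""
import re
from typing import Optional

PAYLOAD = '<script type="text/javascript">alert("Script Executed")</script>'  # step 3

_TAG = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I)   # anything that parses as an HTML tag
_SCRIPT = re.compile(r"<\s*script\b", re.I)


def xss_check(value: str, transform: bool) -> Optional[str]:
    """Return the value the server will store, or None when the request is blocked."""
    if not _TAG.search(value):
        return value                     # plain text such as "Win an iPad" passes
    if not transform:
        return None                      # Block action: the request is rejected
    return value.replace("<", "&lt;").replace(">", "&gt;")   # Transform action


def render_message(stored: str) -> str:
    """Constructed stand-in for the message page, which echoes stored input verbatim."""
    return "<div class=message>%s</div>" % stored


def script_would_execute(page: str) -> bool:
    """Crude tester's check: is a live <script> element left in the rendered page?"""
    return _SCRIPT.search(page) is not None


if __name__ == "__main__":
    print("blocked:", xss_check(PAYLOAD, transform=False) is None)
    print("stored :", xss_check(PAYLOAD, transform=True))
```

The lab reports the transformed characters as %26lt; and %26gt; because it is reading the URL-encoded request; decoded, %26 is &, so the stored text carries &lt; and &gt;. Note that the transform only covers the angle brackets; a complete application-side fix escapes &, <, >, " and ' at output time (html.escape in Python), with the appliance's transformation as a compensating control in front of it.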
Summary
Key Takeaways
The key takeaways for this exercise are:
- Turning on Cross Site Scripting protection.
- Transforming dangerous characters.
NOTES
How Citrix Application Firewall Modifies Application Data Traffic: http://support.citrix.com/article/CTX131488
Exercise 7: Cenzic and Qualys Integration
Overview
In this exercise we will upload a report from a 3rd party web application vulnerability scanner.
Step by step guidance
Estimated time to complete this lab: 5 minutes.
NetScaler is now integrated with 3rd party vulnerability reports. This is a very quick way of protecting a web app against vulnerabilities found by either Cenzic or Qualys. The resultant scan file just needs to be imported onto the appliance for added protection. In this exercise, we will use an existing signature file located in the C:\Files directory on the Site2-Win7Client VM.
1. Open Application Firewall > Signatures. Select Wizard-Profile and click Update.
2. Select the External Format tab. From XSLT select Use Built-in XSLT File and choose either Cenzic or Qualys from the drop-down list.
3. Under Import select the Import from Local File radio button and click Browse. Navigate to C:\Files, and select either the Cenzic_2011-04-01_09-01.xml or the qualys_10099681.xml report.
4. Click the Update button.
5. Here the new rules can be reviewed before being enabled, and set to Block, Log or Learn.
6. We will not enable any of these signatures as this is just for demo purposes. Click OK to import them.
Summary
Key Takeaways
The key takeaways for this exercise are:
- How to upload reports from supported 3rd party vulnerability scanners, resulting in signatures being applied directly to a profile.
Exercise 8: Form Field Consistency
Overview
In this exercise, we will use another tool to intercept and manipulate our browser's requests in an attempt to bypass limited validation on the server side. To do this, we will configure our browser to send its requests through a local proxy running on the same workstation. This allows us to trap the request and modify any parameters before they are sent on to the server. Please follow the instructions closely.
Step by step guidance
Estimated time to complete this lab: 15 minutes.
1. Close Firefox and double-click the Paros icon on your desktop. This will run the local proxy and monitor for any incoming requests. Leave the Paros window minimized for now.
2. Open Firefox and press the Alt key to display the hidden menu. Then click on Tools > Options > Advanced > Network > Connection > Settings.
3. Choose the manual proxy configuration, and enter localhost and 8080 for the port number. Clear the exception list ("No proxy for" section).
4. Click OK and OK again to return to the main browser window.
5. In Firefox, launch the WebGoat URL and click on Start to reach the main WebGoat menu. Since all requests are now being proxied through Paros, you might notice a slight delay when navigating any site.
OPTIONAL: If you check Paros, you will see that it has registered all requests and logged the URLs. Minimize Paros after you are done.
6. Back in WebGoat, click Unvalidated Parameters, and select How to Exploit Hidden Fields.
7. You should see a form called Shopping Cart with an HDTV product. Do not input anything yet.
8. Now, return to Paros, select the Trap tab, and check the Trap Request checkbox.
9. Return to the web form, and click Purchase.
10. Back in Paros, you should see some data in your Trap. Perform these four steps:
   1. Deselect the Trap Request checkbox, as we don't want to trap anything else after we complete our attack.
   2. Change the quantity to 10.
   3. Change the price to 1.
   4. Click Continue.
11. Minimize Paros, and you should have successfully completed this attack. Congratulations, you just bought 10 HDTVs for US$10.
12. To prevent this type of attack, we can enable the Field Consistency Check. In Internet Explorer, return to the NetScaler Configuration Utility, and open the Application Firewall Profile. Go to the Form Field Consistency Check, turn on Block, Log, Stat and Learn. Click OK to save the changes.
13. In WebGoat, click Restart this Lesson and repeat the attack (steps 7 to 10). Were you successful this time? The second attack attempt should have been blocked.
14. Go back into Firefox and remove the proxy settings (i.e. No Proxy) and close down Paros before moving on to the next lab exercise.
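The Field Consistency Check works because the appliance sees the form on its way out as well as the submission on its way back, so it can compare the two. As an added example, not part of the lab guide, WebGoat or NetScaler, the Python below is a miniature of that idea: hidden fields of every served form are recorded under a random token inserted into the form (named as_fid here, which is an assumption rather than the appliance's exact mechanism), and a submission whose hidden values differ from what was served, like the price changed in step 10, is reported as a field consistency violation. The shopping cart form and its price are constructed.

```python
"""Added example: a form field consistency check in miniature.

Illustrative code, not part of the lab guide, WebGoat or NetScaler. On the response
path the check records the hidden fields of every form it serves and tags the form
with a random token (named as_fid here; an assumption, not the appliance's exact
mechanism). On the request path the submitted hidden values must match what was
served, which defeats the price change made through Paros in step 10. The shopping
cart form and its price are constructed.
"""
import re
import secrets
from typing import Dict, Optional

VIOLATION = "APPFW_FIELDCONSISTENCY"
TOKEN_FIELD = "as_fid"

# Constructed stand-in for the WebGoat "How to Exploit Hidden Fields" form.
SHOPPING_CART = (
    '<form action="attack" method="POST">'
    '<input type="hidden" name="Price" value="2999.99">'
    '<input type="text" name="QTY" value="1">'
    '<input type="submit" name="SUBMIT" value="Purchase">'
    '</form>')

_HIDDEN = re.compile(r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"', re.I)


class FormFieldConsistency:
    def __init__(self) -> None:
        self.served: Dict[str, Dict[str, str]] = {}   # token -> hidden field values

    def record_form(self, form_html: str) -> str:
        """Response path: remember the hidden fields and tag the form with a token."""
        token = secrets.token_hex(8)
        self.served[token] = dict(_HIDDEN.findall(form_html))
        tag = '<input type="hidden" name="%s" value="%s">' % (TOKEN_FIELD, token)
        return form_html.replace("</form>", tag + "</form>")

    def check_submission(self, fields: Dict[str, str]) -> Optional[str]:
        """Request path: return the violation category, or None if consistent."""
        expected = self.served.pop(fields.get(TOKEN_FIELD, ""), None)   # single use
        if expected is None:
            return VIOLATION          # missing or unknown token: this form was never served
        for name, value in expected.items():
            if fields.get(name) != value:
                return VIOLATION      # a hidden field was changed in transit
        return None


def simulate(tamper_price: bool) -> Optional[str]:
    """Serve the cart, then submit it with quantity 10 and, optionally, price 1."""
    fw = FormFieldConsistency()
    served = fw.record_form(SHOPPING_CART)
    token = re.search(r'name="%s" value="([0-9a-f]+)"' % TOKEN_FIELD, served).group(1)
    submission = {"QTY": "10",                            # a text field: free to change
                  "Price": "1" if tamper_price else "2999.99",
                  "SUBMIT": "Purchase", TOKEN_FIELD: token}
    return fw.check_submission(submission)


if __name__ == "__main__":
    print("honest submission:", simulate(tamper_price=False))
    print("price set to 1   :", simulate(tamper_price=True))
```

Changing the quantity is still accepted because it is an ordinary text field the user is meant to edit; only the fields the form did not offer for editing are held to their served values. Server-side recalculation of the price remains the real fix; the check is a compensating control in front of an application that trusts its hidden fields.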
Summary
Key Takeaways
The key takeaways for this exercise are:
- How to test whether server-side validation is missing, using Paros.
- How to use the form field consistency protection to prevent attacks of this nature.
Exercise 9: Cookie Protection / Proxying
Overview
In this exercise, we will view the session cookie that gets sent by an application, and then engage the NetScaler Application Firewall cookie protection feature. We will see that application cookies are no longer sent to the client browser; they are stored on the appliance. We can also choose to encrypt cookies, so that they are sent to the client, but in an encrypted format.
In order to visualize the cookies exchanged between our browser and the backend server, we will use a Firefox plugin (HttpFox) already installed on your workstation. Please follow the instructions closely if you are not familiar with this plugin.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
1. In Firefox, press the Alt key and then click on Tools > Web Developer > HttpFox > Toggle HttpFox.
2. Click Start in HttpFox and then navigate to the WebGoat home page: http://192.168.20.150/WebGoat/attack. In HttpFox, you should see the HTTP headers being displayed.
3. Note the JSESSION cookie by clicking on the HttpFox Cookies tab and selecting any request. You will also notice cookies starting with 'Citrix'; these are the Application Firewall cookies.
4. Shut down Firefox. In the NetScaler config<br>uration utility, navigate to Application Firewall > Profiles. Open the profile test-basic-profile.
5. In the Security Checks tab, click the two >> symbols opposite Cookie Consistency, tick the Transform box, and choose the Session Only option from the Proxy Server Cookie drop-down. Click OK and OK again to commit the changes.
6. Open Firefox again. Turn on HttpFox and click Start to start displaying the HTTP headers once more. Navigate to the WebGoat URL.
7. After the page loads, review the request list in HttpFox. Scroll to the top and click on the http://192.168.20.110/WebGoat/attack request listed in HttpFox. Since this was the first URL we browsed to, the request should be at the very top. Click the Cookies tab. Note the absence of any JSESSION cookie.
Since we activated the Cookie Proxy protection feature for session cookies, the appliance encrypts the application cookies and sends a single AppFW cookie (labeled citrix_ns_id) to the browser. When the browser issues another request, it will include the AppFW cookie and the NetScaler appliance will send the original application cookies to the server, without either party being aware that the application cookie never left the datacenter.
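The exchange described in the paragraph above, as an added Python model that is not part of the lab guide or of NetScaler: on the response path the appliance keeps session cookies (those without Expires or Max-Age, matching the Session Only setting chosen in step 5) in its own store under a single citrix_ns_id cookie handed to the browser, and on the request path it swaps that cookie back for the stored application cookies. The Tomcat response and the cookie names other than JSESSIONID and citrix_ns_id are constructed; the real appliance's storage and cookie attributes are not modelled.

```python
"""Added example: session-cookie proxying as a small model.

Illustrative code, not part of the lab guide or of NetScaler. It models the "Proxy
Server Cookie: Session Only" setting of exercise 9: session cookies set by the
application are held on the appliance, keyed by a single citrix_ns_id cookie sent to
the browser, and reinserted on later requests. Persistent cookies (Expires/Max-Age)
are passed through untouched. The Tomcat response below is constructed.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple

APPFW_COOKIE = "citrix_ns_id"


def _parse_cookie_header(header: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' into a dict (order preserved)."""
    pairs = (part.strip().split("=", 1) for part in header.split(";") if "=" in part)
    return {name: value for name, value in pairs}


class SessionCookieProxy:
    def __init__(self) -> None:
        self.store: Dict[str, Dict[str, str]] = {}   # citrix_ns_id -> application cookies

    def on_response(self, request_cookie: str, set_cookie_headers: List[str]) -> List[str]:
        """Server -> client: keep session cookies here, forward everything else."""
        ns_id = _parse_cookie_header(request_cookie).get(APPFW_COOKIE)
        outgoing: List[str] = []
        if ns_id not in self.store:                     # first response in this session
            ns_id = secrets.token_urlsafe(24)
            self.store[ns_id] = {}
            outgoing.append("%s=%s; Path=/; HttpOnly" % (APPFW_COOKIE, ns_id))
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                if morsel["expires"] or morsel["max-age"]:
                    outgoing.append(header)             # persistent: Session Only leaves it
                else:
                    self.store[ns_id][name] = morsel.value   # session cookie stays here
        return outgoing

    def on_request(self, request_cookie: str) -> str:
        """Client -> server: swap citrix_ns_id for the stored application cookies."""
        cookies = _parse_cookie_header(request_cookie)
        ns_id = cookies.pop(APPFW_COOKIE, None)
        cookies.update(self.store.get(ns_id, {}))
        return "; ".join("%s=%s" % item for item in cookies.items())


def exchange() -> Tuple[List[str], str]:
    """Replay steps 6-7: Tomcat's first response, then the browser's next request."""
    proxy = SessionCookieProxy()
    # Constructed Tomcat response: the JSESSIONID session cookie plus a persistent one.
    to_client = proxy.on_response("", [
        "JSESSIONID=ABC123; Path=/WebGoat; HttpOnly",
        "lang=en; Max-Age=86400; Path=/"])
    # The browser returns exactly the cookies it was given.
    browser_jar = "; ".join(h.split(";")[0] for h in to_client)
    to_server = proxy.on_request(browser_jar)
    return to_client, to_server


if __name__ == "__main__":
    client_headers, server_cookie = exchange()
    print("Set-Cookie to browser:", client_headers)
    print("Cookie to server     :", server_cookie)
```

In the output the browser only ever receives citrix_ns_id and the persistent lang cookie, which is what HttpFox shows in step 7, while the server still receives JSESSIONID on the next request. The cookie the browser holds is an opaque random handle, so a stolen citrix_ns_id is still a session-hijacking risk for as long as the appliance's session lives; proxying removes the application's cookie from the client, not the need to protect the session itself.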
Summary
Key
Takeaways
The key takeaways for this exercise are:

Viewing application cookies

Proxying the cookies on the Application Firewall
Page 55
NOTES
Cookies can also be sent out to the client, but encrypted on the appliance first.
When the cookie is submitted back to the Application Firewall by the browser, the
application firewall will decrypt the cookie and send the unencrypted cookie string
back to the web server. The web server is completely unaware that its cookie was
encrypted and decrypted, and the unencrypted cookie text never left the datacenter.
There is also a lab under “Broken Authentication and Session Management” >
“How to Spoof an Authentication Cookie” where logging on as aspect \ aspect
will generate a cookie called AuthCookie with a value of 65432udfqtb. You can
choose to encrypt this value on the Application Firewall instead of proxying it. If
you have time at the end of this learning lab, please try encrypting the cookie, and
ask the instructor or one of the facilitators to step through this if you run into
problems.
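The two behaviours described above (proxying, where the application's cookies stay in a jar on the appliance and the browser only ever sees one opaque AppFW cookie, and encryption, where the cookie value is sealed on the way out and unsealed on the way back) can be modelled in a few dozen lines. The block below is an added illustration written for this guide, not NetScaler code: the cookie name citrix_ns_id and the AuthCookie value come from the lab text, while the class and function names, the HMAC-based keystream (a stand-in for a real AEAD cipher) and the sample headers are constructed for the example.

```python
"""Constructed illustration of cookie proxying and cookie encryption as a
reverse proxy would do it. Not NetScaler code; names and keys are made up."""
import base64
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

APPFW_COOKIE = "citrix_ns_id"          # AppFW cookie name used in the lab text
MASTER_KEY = secrets.token_bytes(32)   # stands in for the appliance's own secret


class CookieProxy:
    """Mode 1: proxy. Application cookies never reach the browser."""

    def __init__(self):
        self.jar = {}  # AppFW session id -> {app cookie name: value}

    def rewrite_response(self, set_cookie_headers, session_id=None):
        """Absorb the server's Set-Cookie headers into the jar and return the
        single Set-Cookie header the browser should receive instead."""
        if session_id is None:
            session_id = secrets.token_urlsafe(24)
        jar = self.jar.setdefault(session_id, {})
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                jar[name] = morsel.value
        return [f"{APPFW_COOKIE}={session_id}; Path=/; HttpOnly; Secure"]

    def rewrite_request(self, cookie_header):
        """Swap the browser's AppFW cookie back for the stored app cookies.
        A missing or unknown AppFW cookie yields no cookies at all."""
        parsed = SimpleCookie()
        parsed.load(cookie_header)
        if APPFW_COOKIE not in parsed:
            return ""
        jar = self.jar.get(parsed[APPFW_COOKIE].value, {})
        return "; ".join(f"{k}={v}" for k, v in jar.items())


def _subkeys(master):
    # Separate keys for the keystream and the tag (encrypt-then-MAC).
    enc = hmac.new(master, b"appfw-cookie-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"appfw-cookie-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256 (stdlib only); a real appliance
    # would use a proper AEAD such as AES-GCM instead of this construction.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_cookie_value(value, master=MASTER_KEY):
    """Mode 2: encrypt. Returns a URL-safe token to send in place of the value."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(12)
    plaintext = value.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def decrypt_cookie_value(token, master=MASTER_KEY):
    """Unseal a token; returns None (drop the cookie) if it was altered or forged."""
    enc_key, mac_key = _subkeys(master)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) < 12 + 16:
        return None
    nonce, ciphertext, tag = raw[:12], raw[12:-16], raw[-16:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()
```

In proxy mode the web server's JSESSIONID (or WebGoat's AuthCookie) is only ever stored in the jar, which is why HttpFox shows no JSESSION cookie in step 7; in encrypt mode the value does travel to the browser, but a tampered or forged token fails the tag check and is dropped rather than forwarded, so the server still only ever sees a value it issued itself.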
Page 56
Exercise 10: Learning
Overview
In this exercise, we will take a look at the learning engine in order to see just how easy it is to deploy
specific rules that describe specific application behavior. This allows an Application Firewall administrator
to create a positive security model or whitelist from rules learned and created on-the-fly by the appliance.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
Step Action
1.
In the NetScaler configuration utility, open the test Application Firewall profile (test-basic-profile), navigate to the Security Checks tab and double-click on Start URL.
2.
When the properties window opens, click on Learning…
Page 57
Step Action
3.
It may take a few seconds for the Learned Rules to populate. This allows you to deploy
rules which the Application Firewall has seen and may have blocked.
4.
In a real world scenario, this list may contain some malicious attacks, so you do not want to
deploy everything here. The list may also be quite extensive. If too many rules are shown,
then you can use the Visualizer for a better view of the learned rules.
Page 58
Step Action
5.
Click the Visualizer button. The resolution of 1024x768 is just enough to see this window.
6.
Here you can change the number of nodes to see, and set the maximum and minimum
number of hits to filter out one-off occurrences, and so on.
You can choose Edit & Deploy or just Deploy to create relaxations in a similar fashion as
when we deployed rules from the SYSLOG in exercise 4.
7.
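What the learning engine and the Visualizer's hit filters do for the Start URL check can be modelled as: tally the paths seen, drop entries outside a min/max hit window, turn the survivors into anchored relaxation regexes, and hold back anything that should go through Edit & Deploy rather than Deploy. The block below is an added example written for this guide, not NetScaler code: the request lines are constructed, the function names are made up, and the "needs review" heuristic is the author's own illustration of why step 4 warns against deploying everything.

```python
"""Constructed model of Start URL learning: count observed paths, apply the
min/max hit filters, emit candidate relaxations. Not NetScaler code."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of observed requests ("METHOD target status"), standing in
# for what the appliance has seen and may have blocked; not real appliance output.
SAMPLE_REQUESTS = [
    "GET /WebGoat/attack 200",
    "GET /WebGoat/attack 200",
    "GET /WebGoat/attack?Screen=12&menu=100 200",
    "GET /WebGoat/attack?Screen=12&menu=100 200",
    "POST /WebGoat/attack?Screen=12&menu=100 200",
    "GET /WebGoat/images/logo.png 200",
    "GET /WebGoat/images/logo.png 200",
    "GET /WebGoat/javascript/menu.js 200",
    "GET /WebGoat/javascript/menu.js 200",
    "GET /WebGoat/javascript/menu.js 200",
    "GET /WebGoat/lesson_plan 200",
    "GET /WebGoat/../../etc/passwd 404",
    "GET /WebGoat/../../etc/passwd 404",
]

SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]*")


def tally_paths(lines):
    """Count hits per request path; the query string is not part of a Start URL."""
    counts = Counter()
    for line in lines:
        _method, target, _status = line.split()
        counts[urlsplit(target).path] += 1
    return counts


def needs_review(path):
    """Flag learned paths an administrator should not deploy blindly:
    traversal sequences or characters outside the usual path alphabet."""
    return ".." in path or SAFE_PATH.fullmatch(path) is None


def learned_rules(lines, min_hits=1, max_hits=None):
    """Return [(relaxation_regex, hits, needs_review)] for paths whose hit count
    lies within [min_hits, max_hits], mirroring the Visualizer's hit filters."""
    rules = []
    for path, hits in tally_paths(lines).most_common():
        if hits < min_hits or (max_hits is not None and hits > max_hits):
            continue
        # Anchor and escape so the relaxation matches this literal path only.
        rules.append(("^" + re.escape(path) + "$", hits, needs_review(path)))
    return rules


def deploy(lines, min_hits=2, max_hits=None):
    """The 'Deploy' action: only unflagged rules go out. Flagged rules are
    returned separately so they get 'Edit & Deploy' scrutiny or are discarded."""
    candidates = learned_rules(lines, min_hits, max_hits)
    ready = [regex for regex, _, flagged in candidates if not flagged]
    held = [regex for regex, _, flagged in candidates if flagged]
    return ready, held
```

With min_hits=2 the one-off /WebGoat/lesson_plan request is filtered out, the three genuine application paths are ready to deploy, and the traversal-looking path is held for review even though it was seen twice; raising max_hits instead lets you isolate the rare entries that a single screenshot of the Visualizer would otherwise bury.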
Summary
Key Takeaways
The key takeaways for this exercise are:
• Viewing learned rules
• Using the visualizer to view large volumes of learned data.
NOTES
Every protection that has a Learning checkbox can have relaxations deployed in
this manner.
Page 59
Exercise 11: HTML Comment Stripping
Overview
In this exercise you will learn how to strip out HTML comments which can often contain sensitive data
left by web developers as they test or debug their code.
Step by step guidance
Estimated time to complete this lab: 5 minutes.
Step Action
1.
Back in the WebGoat application, click on Code Quality in the left hand menu, and select
How to Discover Clues in the HTML exercise. You should see a page asking you to sign
in.
Page 60
Step Action
2.
Right click the page, and view the HTML source.
3.
In the HTML code, you should see the following comment:
<!--
FIXME admin:adminpw
-->
These credentials will allow you to log in. To prevent this attack, we will use the HTML comment
stripping check to remove any unnecessary comments from the HTML source in case a developer
has inadvertently left some sensitive information.
4.
In the NetScaler Configuration Utility, browse to Application Firewall > Profiles and
open the test profile: test-basic-profile.
Page 61
Step Action
5.
Under the Settings tab, change the Strip HTML Comments field to All.
6.
Click OK.
7.
Go back to Firefox and refresh the WebGoat page which displays the login field. Open the
page source once more.
Note that the comment tags are still there, but the sensitive information has been stripped.
Summary
Key Takeaways
The key takeaways for this exercise are:
• It is possible to strip comments from the HTML content sent to a browser.
Some script functionality can be wrapped in comment tags, so comment
stripping can inadvertently disable some script functionality. We have an
exclusion for this in HTML comment stripping which you may have
noticed in the drop-down.
Page 62
NOTES
HTML Source can contain lots of clues – especially buried in the comments. This
information is not displayed in the browser, so unless the source received by the
browser is reviewed periodically, this information can slip by unnoticed.
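Two things from this exercise are easy to show in code: the stripping behaviour observed in step 7 (the comment delimiters survive, the body does not, with an option to leave comments inside script blocks alone, which is the exclusion mentioned in the takeaways) and the periodic source review the note above recommends. The block below is an added example written for this guide, not NetScaler code: the sample page is constructed around the FIXME comment shown in step 3, the mode names and function names are made up, and the choice to emit an empty comment in place of each stripped body is an assumption made to match what step 7 reports.

```python
"""Constructed HTML comment stripper plus a comment auditor. Not NetScaler code;
mode names and the empty-comment replacement are this example's own choices."""
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.S | re.I)

# Constructed sample page: a legacy script wrapped in comment markers, and the
# developer comment from the lab left in the body.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript">
<!--
function toggle(id) { document.getElementById(id).hidden = true; }
//-->
</script>
</head><body>
<!--
FIXME admin:adminpw
-->
<form method="post"><input name="user"><input name="pass" type="password"></form>
</body></html>"""


def strip_html_comments(html, mode="all"):
    """mode 'none' returns the page untouched; 'all' empties every comment;
    'exclude_script' empties comments except those inside <script> blocks,
    where old pages hide script bodies from ancient browsers and stripping
    would break the script. Delimiters are kept, only the body is removed."""
    if mode == "none":
        return html
    if mode not in ("all", "exclude_script"):
        raise ValueError(f"unknown mode: {mode}")
    script_spans = [m.span() for m in SCRIPT_RE.finditer(html)]

    def inside_script(pos):
        return any(start <= pos < end for start, end in script_spans)

    def replace(match):
        if mode == "exclude_script" and inside_script(match.start()):
            return match.group(0)
        return "<!-- -->"

    return COMMENT_RE.sub(replace, html)


def comment_bodies(html):
    """Audit helper for the periodic review the notes recommend: return every
    comment body in the page so leftovers like credentials or FIXME notes can
    be spotted before the page ships."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]
```

Running the auditor over the sample page surfaces the FIXME comment; stripping with mode "all" removes both bodies (and would disable the wrapped script), while "exclude_script" removes only the body comment, which is the trade-off the takeaways describe.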
Page 63
Revision History
Revision  Change Description                      Updated By                      Date
1.0       Original Version                        David Jimenez & Curtis Kegler   03/16/2013
1.1       Revised Self-Paced Online Lab version   Andrew Sandford                 11/08/2013
About Citrix
Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service
technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3)
and Citrix Online Services product families radically simplify computing for millions of users, delivering applications
as an on-demand service to any user, in any location on any device. Citrix customers include the world’s largest
Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses
and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries.
Founded in 1989, annual revenue in 2008 was $1.6 billion.
http://www.citrix.com
© 2013 Citrix Systems, Inc. All rights reserved. Citrix®, Citrix Delivery Center™, Citrix Cloud Center™,
XenApp™, XenServer™, NetScaler®, XenDesktop™, Citrix Repeater™, Citrix Receiver™, Citrix Workflow
Studio™, GoToMyPC®, GoToAssist®, GoToMeeting®, GoToWebinar®, GoView™ and HiDef Corporate™ are
trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States
Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of
their respective owners.
Page 64