Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution

Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution: It is possible to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup: An Apache web server with default configuration on Windows (XAMPP). A SOAP web service which has written in PHP and vulnerable to SQL injection. Netscaler WAF with SQL injection rules.First request: ‘ union select current_user,2# – Netscaler blocks it.

Second request: The same content and an additional HTTP header which is “Content-Type: application/octet-stream”. – It bypasses the WAF but the web server misinterprets it.

Third request: The same content and two additional HTTP headers which are “Content-Type: application/octet-stream” and “Content-Type: text/xml” in that order. The request is able to bypass the WAF and the web server runs it.