I was able to bypass the Netscaler WAF using a method that may be called HTTP Header Pollution. The setup I used was as follows:
- An Apache web server with default configuration on Windows (XAMPP).
- A SOAP web service written in PHP and vulnerable to SQL injection.
- Netscaler WAF with SQL injection rules.
The first request was a basic SQL injection payload, ‘ union select current_user,2#, and Netscaler blocked it.
The second request was sent with the same content and one additional HTTP header, “Content-Type: application/octet-stream”. It bypassed the WAF, but the web server misinterpreted the request, so on its own it was useless.
The third request was sent with two additional HTTP headers, “Content-Type: application/octet-stream” and “Content-Type: text/xml”, in that order. This request bypassed the WAF, and the web server ran it correctly.
Vendor Contact Progress:
02.02.2015 – Bug reported to the vendor.
04.02.2015 – Vendor returned with a case ID.
05.02.2015 – Detailed info/config given.
12.02.2015 – Asked about the case.
16.02.2015 – Vendor returned “investigating …”
06.03.2015 – Asked about the case.
06.03.2015 – Vendor has validated the issue.
12.03.2015 – No fix addressing the issue is available.