I was able to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup that I used was like below.
- An Apache web server with the default configuration on Windows (XAMPP).
- A SOAP web service written in PHP and vulnerable to SQL injection.
- Netscaler WAF with SQL injection rules.
The second request was sent with the same content and one additional HTTP header, “Content-Type: application/octet-stream”. It bypassed the WAF, but the web server misinterpreted it, so it was useless anyway.
The third request was sent with two additional HTTP headers, “Content-Type: application/octet-stream” and “Content-Type: text/xml”, in that order. The request bypassed the WAF and the web server processed it correctly.
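The bypass works because two components in the chain disagree about which copy of a repeated single-valued header to honour. A straightforward defensive check, added here as an illustration and not code from the original post or from the vendor, is to parse the request headers in order, flag any singleton header (Content-Type, Content-Length, Host, Transfer-Encoding) that occurs more than once, and reject the request before either the WAF or the backend has to choose. The sample request, the host name and path, and the "first copy" versus "last copy" interpretations shown below are assumptions for the demonstration; the post does not state which copy the WAF or the web server actually used.

```python
"""Detect duplicated single-valued HTTP headers ("HTTP Header Pollution").

A WAF and a backend may each pick a different copy of a repeated header.
Refusing such requests outright removes the ambiguity that the bypass relies on.
"""
from typing import Dict, List, Optional, Tuple

# Headers that RFC 9110 defines as single-valued: a repeat is an ambiguity, not a list.
SINGLETON_HEADERS = {"content-type", "content-length", "host", "transfer-encoding"}


def parse_headers(raw_request: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request into its request line and ordered (name, value) pairs.

    Header names are lower-cased; order and duplicates are preserved on purpose so the
    caller can see exactly what each downstream parser will see.
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def find_duplicate_singletons(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return every singleton header that appears more than once, with all its values."""
    seen: Dict[str, List[str]] = {}
    for name, value in headers:
        seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items() if n in SINGLETON_HEADERS and len(v) > 1}


def effective_content_type(headers: List[Tuple[str, str]], policy: str) -> Optional[str]:
    """Simulate two plausible but conflicting interpretations of a repeated Content-Type.

    'first' keeps the first copy, 'last' keeps the last; a WAF and a backend that differ
    in this choice inspect and execute two different requests.
    """
    values = [v for n, v in headers if n == "content-type"]
    if not values:
        return None
    return values[0] if policy == "first" else values[-1]


def should_reject(raw_request: str) -> Tuple[bool, str]:
    """Defensive policy: refuse requests carrying duplicated singleton headers."""
    _, headers = parse_headers(raw_request)
    dups = find_duplicate_singletons(headers)
    if dups:
        return True, "duplicate singleton headers: " + ", ".join(sorted(dups))
    return False, "ok"


# Constructed sample requests (not captured from the original post). The polluted one
# carries the two Content-Type headers in the order the post describes; the path and
# host name are placeholders.
SAMPLE_POLLUTED = (
    "POST /soap/service.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Type: text/xml\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_CLEAN = (
    "POST /soap/service.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: text/xml\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("polluted", SAMPLE_POLLUTED), ("clean", SAMPLE_CLEAN)):
        _, hdrs = parse_headers(req)
        print(label, should_reject(req),
              "first=", effective_content_type(hdrs, "first"),
              "last=", effective_content_type(hdrs, "last"))
```

Running the script shows that the polluted request is rejected while the clean one passes, and that a "first" parser sees application/octet-stream where a "last" parser sees text/xml, which is exactly the gap a WAF in front of the application must not leave open.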
Vendor Contact Progress:
02.02.2015 - Bug reported to the vendor.
04.02.2015 - Vendor returned with a case ID.
05.02.2015 - Detailed info/config given.
12.02.2015 - Asked about the case.
16.02.2015 - Vendor returned "investigating ..."
06.03.2015 - Asked about the case.
06.03.2015 - Vendor has validated the issue.
12.03.2015 - There is not yet any fix addressing the issue.