How to encrypt CsrfToken through Netscaler Gateway to increase security

Article ID: CTX226358

Description

Objective:

In this article we provide a series of expressions that allow you to encrypt the CsrfToken cookie created when connecting to Storefront through Netscaler Gateway, so that the client only ever holds the encrypted value.


Instructions:


First we create a rewrite action/policy to encrypt the CsrfToken cookie that the Storefront server inserts once the user authenticates:

add rewrite action rp_cookie_with_encrypted_act replace "HTTP.RES.SET_COOKIE.COOKIE(\"CsrfToken\").VALUE(0)" "HTTP.RES.SET_COOKIE.COOKIE(\"CsrfToken\").VALUE(0).ENCRYPT"
add rewrite policy rp_cookie_with_encrypted_pol "HTTP.RES.SET_COOKIE.COOKIE(\"CsrfToken\").LENGTH.GT(0)" rp_cookie_with_encrypted_act

We bind it to the VPN vserver on the response side:

bind vpn vserver SimpleGWhardware.lab -policy rp_cookie_with_encrypted_pol -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

Then we create a rewrite action/policy to decrypt the previously encrypted cookie on traffic from the client to the Storefront server:

add rewrite action rp_encrypted_cookie_with_decrypted_act replace "HTTP.REQ.COOKIE.VALUE(\"CsrfToken\")" "HTTP.REQ.COOKIE.VALUE(\"CsrfToken\").DECRYPT"
add rewrite policy rp_encrypted_cookie_with_decrypted_pol "HTTP.REQ.COOKIE.VALUE(\"CsrfToken\").LENGTH.GT(0)" rp_encrypted_cookie_with_decrypted_act

We bind it to the VPN vserver on the request side:

bind vpn vserver SimpleGWhardware.lab -policy rp_encrypted_cookie_with_decrypted_pol -priority 100 -gotoPriorityExpression NEXT -type REQUEST

The client also sends the value of this cookie in an HTTP header called Csrf-Token, which we likewise need to decrypt for the Storefront server to reply properly:

add rewrite action Decrypt_Csrf-Token_HEADER_ACT replace "HTTP.REQ.HEADER(\"Csrf-Token\")" "HTTP.REQ.HEADER(\"Csrf-Token\").DECRYPT"
add rewrite policy Decrypt_CsrfToken_HEADER_POL "HTTP.REQ.HEADER(\"Csrf-Token\").LENGTH.GT(0)" Decrypt_Csrf-Token_HEADER_ACT 

We bind it to the VPN vserver on the request side:

bind vpn vserver SimpleGWhardware.lab -policy Decrypt_CsrfToken_HEADER_POL -priority 10 -gotoPriorityExpression NEXT -type REQUEST

When a LaunchIca request is made, the CSRF token is sent in the query part of the URL. We decrypt it there using the rewrite action/policy below:

add rewrite action Replace_Query_PATH_ACT replace "HTTP.REQ.URL.QUERY.AFTER_STR(\"CsrfToken=\").BEFORE_STR(\"&IsUsingHttps\")" "HTTP.REQ.URL.QUERY.AFTER_STR(\"CsrfToken=\").BEFORE_STR(\"&IsUsingHttps\").DECRYPT"

add rewrite policy Replace_Query_PATH_POL "HTTP.REQ.URL.PATH_AND_QUERY.CONTAINS(\"LaunchIca\")" Replace_Query_PATH_ACT

bind vpn vserver SimpleGWhardware.lab -policy Replace_Query_PATH_POL -priority 120 -gotoPriorityExpression NEXT -type REQUEST
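As an added example (not code from the Citrix article or the appliance), the following Python models the rewrite pipeline end to end so you can see why all three request-side decrypt policies are needed: the token leaves the gateway encrypted, and the client echoes it back in the cookie, the Csrf-Token header and the LaunchIca query string, so each path must be decrypted or Storefront's comparison fails. The keyed XOR+HMAC cipher is an assumed placeholder for NetScaler's ENCRYPT/DECRYPT, the token and StoreFront paths are constructed samples, and the double-submit check is modelled as "echoed value equals cookie".

```python
# Added model, not Citrix code: placeholder cipher stands in for ENCRYPT/DECRYPT.
import base64, hashlib, hmac, os
from urllib.parse import parse_qs, urlencode

KEY = b"stand-in-gateway-key"  # assumption: the ADC manages its own key material

def _xor(nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.sha256(KEY + nonce).digest()
    return bytes(b ^ stream[i % 32] for i, b in enumerate(data))

def encrypt(value: str) -> str:
    nonce = os.urandom(8)
    ct = _xor(nonce, value.encode())
    tag = hmac.new(KEY, nonce + ct, "sha256").digest()[:8]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def decrypt(token: str) -> str:
    raw = base64.urlsafe_b64decode(token)
    nonce, ct, tag = raw[:8], raw[8:-8], raw[-8:]
    if not hmac.compare_digest(tag, hmac.new(KEY, nonce + ct, "sha256").digest()[:8]):
        raise ValueError("value was not encrypted by this gateway")
    return _xor(nonce, ct).decode()

def gateway_request(req: dict, policies=("cookie", "header", "query")) -> dict:
    # REQUEST side: the three decrypt policies from the article; drop one to see what breaks
    out = {**req, "cookies": dict(req["cookies"]), "headers": dict(req["headers"])}
    if "cookie" in policies and out["cookies"].get("CsrfToken"):
        out["cookies"]["CsrfToken"] = decrypt(out["cookies"]["CsrfToken"])
    if "header" in policies and out["headers"].get("Csrf-Token"):
        out["headers"]["Csrf-Token"] = decrypt(out["headers"]["Csrf-Token"])
    if "query" in policies and "LaunchIca" in out["path"] and "CsrfToken=" in out["query"]:
        q = parse_qs(out["query"])
        q["CsrfToken"] = [decrypt(q["CsrfToken"][0])]
        out["query"] = urlencode(q, doseq=True)
    return out

def storefront_accepts(req: dict) -> bool:
    # Storefront's double-submit check as modelled here: the echoed token must equal the cookie
    launch = "LaunchIca" in req["path"]
    echoed = parse_qs(req["query"]).get("CsrfToken", [None])[0] if launch else req["headers"].get("Csrf-Token")
    return bool(req["cookies"].get("CsrfToken")) and echoed == req["cookies"]["CsrfToken"]

def round_trip(policies=("cookie", "header", "query"), launch=False) -> bool:
    enc = encrypt("e3a1c9f04b7d")  # RESPONSE side: constructed token; browser only holds the encrypted value
    path = "/Citrix/StoreWeb/Resources/" + ("LaunchIca" if launch else "List")  # constructed paths
    query = urlencode({"CsrfToken": enc, "IsUsingHttps": "Yes"}) if launch else ""
    headers = {} if launch else {"Csrf-Token": enc}
    req = {"path": path, "query": query, "cookies": {"CsrfToken": enc}, "headers": headers}
    return storefront_accepts(gateway_request(req, policies))
```

`round_trip()` and `round_trip(launch=True)` succeed with all three policies, while omitting the header or query policy makes the comparison fail, which is the symptom you would see on the appliance if one binding is missing.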

Note:
If you are using a double-hop configuration, the Replace_Query_PATH_ACT rewrite needs to be configured on both ADCs.