Citrix ADC - HTTP Request Smuggling Reference Guide


Article ID: CTX282268


Description

HTTP request smuggling is a class of attack that exploits differences in how a sequence of HTTP requests on one connection is parsed by a web server and by one or more intermediate devices, such as a Citrix ADC load balancer. The attack becomes possible when the intermediate device receives requests from different clients and then multiplexes, pipelines and forwards them to a back-end server over the same network connection. If the back-end server and the intermediate device disagree about where one request ends and the next begins (typically because each applies a different rule to determine the length of a request body, for example Content-Length versus Transfer-Encoding: chunked), a maliciously crafted request can leave bytes on the shared connection that the back-end server treats as the start of the next request. Those attacker-controlled bytes are then prepended to another client's legitimate request, which can interfere with other users' traffic and potentially give the attacker unauthorized access to other users' data.
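The framing disagreement described above, as an added example written for this article (it is not Citrix code and does not describe the ADC's own parser): three toy HTTP/1.1 framing policies split one byte stream, constructed inline, that carries an attacker's request with both Content-Length and Transfer-Encoding: chunked followed by a second client's request on the same connection. The "cl-first" policy stands in for a lenient front end that frames by Content-Length, "te-first" for a back end that applies the RFC 7230 section 3.3.3 precedence rule (Transfer-Encoding wins), and "strict" for a front end that rejects a request carrying both headers instead of guessing. The policy names, the /admin target, the Foo header and the example.com host are assumptions of the example, and the strict policy only models the principle behind a strict-validation profile, not the exact checks that nshttp_default_strict_validation performs.

```python
"""CL.TE request smuggling illustrated with toy HTTP/1.1 framing (added example).

Policies: cl-first  = Content-Length wins when both headers are present (lenient front end)
          te-first  = Transfer-Encoding wins, per RFC 7230 section 3.3.3 (back end)
          strict    = a request carrying both headers is rejected instead of guessed at
"""
CRLF = b"\r\n"


def _parse_head(stream: bytes, pos: int):
    """Parse request line + headers at pos -> (method, target, headers, body_start) or None.

    Header names are lower-cased; repeated fields are joined with ', '.
    """
    end = stream.find(CRLF + CRLF, pos)
    if end < 0:
        return None  # head not complete yet
    lines = stream[pos:end].split(CRLF)
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, headers, end + 4


def _read_chunked(stream: bytes, pos: int):
    """Decode a chunked body -> (decoded_body, position_after_body)."""
    body = b""
    while True:
        line_end = stream.find(CRLF, pos)
        if line_end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(stream[pos:line_end].split(b";")[0], 16)  # chunk extensions ignored
        pos = line_end + 2
        if size == 0:  # last-chunk; no trailers in this example, so the final CRLF follows
            if stream[pos:pos + 2] != CRLF:
                raise ValueError("missing CRLF after last-chunk")
            return body, pos + 2
        body += stream[pos:pos + size]
        pos += size
        if stream[pos:pos + 2] != CRLF:
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def split_requests(stream: bytes, policy: str):
    """Split a byte stream into [(method, target, headers, body), ...] under one policy."""
    out, pos = [], 0
    while pos < len(stream):
        head = _parse_head(stream, pos)
        if head is None:
            raise ValueError(f"incomplete request head at offset {pos}")
        method, target, headers, pos = head
        has_cl = "content-length" in headers
        has_te = "chunked" in headers.get("transfer-encoding", "").lower()
        if policy == "strict" and has_cl and has_te:
            raise ValueError("ambiguous framing: Content-Length and Transfer-Encoding "
                             "both present (RFC 7230 section 3.3.3)")
        if has_te and not (policy == "cl-first" and has_cl):
            body, pos = _read_chunked(stream, pos)
        elif has_cl:
            n = int(headers["content-length"])
            body, pos = stream[pos:pos + n], pos + n
        else:
            body = b""
        out.append((method, target, headers, body))
    return out


def build_attack_stream() -> bytes:
    """Constructed sample: attacker's CL.TE request, then a victim's request on the same connection."""
    smuggled = b"GET /admin HTTP/1.1\r\nFoo: x"  # deliberately left unterminated
    body = b"0\r\n\r\n" + smuggled               # chunked body ends at 0\r\n\r\n
    attacker = (b"POST / HTTP/1.1\r\nHost: example.com\r\n"
                + b"Content-Length: %d\r\n" % len(body)
                + b"Transfer-Encoding: chunked\r\n\r\n" + body)
    victim = b"GET /index HTTP/1.1\r\nHost: example.com\r\n\r\n"
    return attacker + victim


def demo():
    """Return what each framing policy makes of the same byte stream."""
    stream = build_attack_stream()
    front_end = split_requests(stream, "cl-first")
    back_end = split_requests(stream, "te-first")
    try:
        split_requests(stream, "strict")
        strict = "accepted"
    except ValueError as err:
        strict = f"rejected: {err}"
    return {
        "front_end_targets": [r[1] for r in front_end],
        "back_end_targets": [r[1] for r in back_end],
        "swallowed_victim_line": back_end[1][2].get("foo"),
        "strict": strict,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script: the lenient front end sees two requests, / and /index, and forwards every byte unchanged; the te-first back end sees / followed by /admin, with the victim's request line swallowed into the Foo header of the attacker's second request, so the victim's traffic is now handled as part of a request the attacker shaped. The strict policy refuses the attacker's request outright. The victim's request shares the back-end connection only because of connection multiplexing, which is why disabling -conMultiplex, as described under Resolution, also removes the exposure at the cost of one back-end connection per client.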

Resolution

As noted in security bulletin CTX281474, the following Citrix ADC builds contain enhancements that help customers mitigate HTTP request smuggling attacks:

  • Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
  • Citrix ADC and NetScaler Gateway 12.1-58.15 and later releases
  • Citrix ADC 12.1-FIPS 12.1-55.187 and later releases
  • Citrix ADC and NetScaler Gateway 11.1-65.12 and later releases

To accommodate a wide variety of client/server transactions, Citrix ADC parses HTTP requests leniently by default. An enhanced level of protection against HTTP request smuggling attacks can be obtained by binding the built-in HTTP profile nshttp_default_strict_validation to one or more virtual servers, using the following CLI commands:

set lb vserver <vserver_name> -httpProfileName nshttp_default_strict_validation 
set cs vserver <vserver_name> -httpProfileName nshttp_default_strict_validation 

Customers are strongly advised to test these settings before deploying them in a production environment, since strict validation may reject requests that the default lenient parsing accepts.

Customers who encounter problems deploying the above HTTP profile can instead disable HTTP connection multiplexing, so that one client's requests are no longer forwarded over a back-end connection shared with other clients. This can be done globally, across all services, using:

set ns httpParam -conMultiplex DISABLED

or per HTTP profile using:

set httpProfile <profile_name> -conMultiplex DISABLED 

Note that, depending on the capability of the back-end web server, disabling HTTP multiplexing may have a minor performance impact, because a separate back-end TCP connection is created for each client connection. Customers are advised to test this configuration before deploying it in a production environment.