Citrix Gateway XSS & Open Redirection (CVE-2023-24488)

Vaibhav Kumar Srivastava
Jul 27, 2023

Hello, everyone! The Citrix Gateway CVE has been in the news a lot over the last few weeks. Let’s explore how one can identify the endpoints and understand this vulnerability better. However, please remember that the purpose of this exploration should be learning and understanding, not exploiting the vulnerability.

Reconnn!! Before exploiting the vulnerability, you should be able to find the endpoints, which may or may not be vulnerable to the above-mentioned CVE.

Google Dorks:

1: inurl:/LogonPoint/tmindex.html

2: inurl:/vpn/index.html

Exploit Process!

To verify whether the above-mentioned endpoints are vulnerable to the CVE, follow the steps below.

Step 1: Navigate to the endpoint

Example: https://example.com/logon/LogonPoint/tmindex.html

Step 2: Modify the URL by adding the payload and hit Enter. You will observe that the cookie details pop up on your screen. In some instances the cookie information won’t be available because of the HttpOnly attribute, but you can still try other payloads.

Example: https://example.com/oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E

Step 3: Once XSS is confirmed, you can check for open-redirection too, just by adding the target domain in the “post_logout_redirect_uri” parameter.

Example: https://example.com/oauth/idp/logout?post_logout_redirect_uri=https://evil.com
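From the defender's side, the two request patterns in the steps above can be hunted for in gateway or reverse-proxy access logs. The following is an added example, not code from the original post; the combined log format, the constructed sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

LOGOUT_PATH = "/oauth/idp/logout"       # endpoint named in the post
PARAM = "post_logout_redirect_uri"      # parameter named in the post
# Request line of a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.I)

def safe_split(text):
    try:
        return urlsplit(text)
    except ValueError:                  # e.g. malformed IPv6 brackets
        return None

def classify(log_line, gateway_host):
    """Return the set of findings for one access-log line."""
    m = REQUEST_RE.search(log_line)
    url = safe_split(m.group(1)) if m else None
    if url is None or url.path.rstrip("/").lower() != LOGOUT_PATH:
        return set()
    findings = set()
    # parse_qs percent-decodes once, so %0d%0a arrives here as real CR/LF.
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        if "\r" in value or "\n" in value:
            findings.add("crlf-in-redirect-uri")
        if MARKUP_RE.search(value):
            findings.add("markup-in-redirect-uri")
        target = safe_split(value.strip())
        if target is None:
            findings.add("unparseable-redirect-uri")
        elif target.netloc and target.hostname != gateway_host:
            findings.add("off-host-redirect")
    return findings

def scan(lines, gateway_host):
    """Return (line_number, sorted findings) for each suspicious line."""
    results = ((n, classify(l, gateway_host)) for n, l in enumerate(lines, 1))
    return [(n, sorted(f)) for n, f in results if f]

SAMPLE = [  # constructed log lines: documentation IP ranges, host example.com
    '198.51.100.7 - - [27/Jul/2023:10:00:01 +0000] "GET /logon/LogonPoint/tmindex.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Jul/2023:10:00:09 +0000] "GET /oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 302 0',
    '203.0.113.22 - - [27/Jul/2023:10:02:41 +0000] "GET /oauth/idp/logout?post_logout_redirect_uri=https://evil.com HTTP/1.1" 302 0',
    '203.0.113.40 - - [27/Jul/2023:10:05:13 +0000] "GET /oauth/idp/logout?post_logout_redirect_uri=https://example.com/vpn/index.html HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(scan(SAMPLE, "example.com"))
```

The value is percent-decoded only once, so a double-encoded parameter would need a second decoding pass before these checks apply.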

Is there any automation tool available for the same?

Yes, you can use the nuclei template that has already been released for this. You can also craft your own command using grep and httpx.

Is there any patch available for the CVE?

Yes, the patch has already been released in the new version, and affected applications can be updated to the latest release.

You can find the details here: https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202324487-cve202324488

Is there any source where I can read more about this CVE?

STAY CURIOUS!! STAY PROTECTED!!


Written by Vaibhav Kumar Srivastava

Penetration Tester | Masters in Information Security
