A simple way for a Citrix ADC (NetScaler) to respond with a 404 not found


I am a big fan of cheating when it comes to security. Giving wrong answers to questions is misleading and sends attackers in the wrong direction. This costs them time and, at the same time, raises their risk of being caught red-handed.

Someone who attacks a website has to be discreet and fast: discreet to avoid getting trapped, quick to be long gone in case the owner learns about the attack. So getting misleading information makes things more risky for an attacker.


Sometimes we want to hide information from some or all of the users. This can be done using a simple responder policy.

The action for that kind of policy could be a drop, a reset, or “respond with …”. Both drop and reset give clear information to the hacker (“the owner does not want you to see the content”), while a response with 404 not found is misleading, as long as it looks like a “real” 404.

Of course you could use any other 4xx status code as well, like 402 Payment Required (together with a request for money) or even 418 I’m a teapot. But this will not hide the structure of the website; instead it exposes some details about your sense of humour.

So, a 404 seems to be a perfect reply!


Get the real 404

There is no point in cheating if you don’t do it really well. It has to look like a real 404; if it does not, it’s just a waste of time. So why not use the real 404? I have written a guide on how to do this, but that one was too complex, even though it is even better: the page really comes from the “real” web server, and all headers are exactly the right ones. The method described here is a bit simpler and a bit less advanced.

So we have to download the real 404 page first.

Let’s say my web server is myserver.local. So I will surf to http://myserver.local/File_does_not_exist.html. As the file does not exist, the server will respond with its original 404 page. I will download it (save as HTML page). We don’t need to store pictures: they are on the server, and the client will be able to request all of them at any time.


Responder action: Respond with …

Next, I open the GUI of my Citrix ADC (NetScaler) and go to App Expert → Responder → HTTP Page Imports to import this file.

It will display the file after uploading.

So the file is ready to use. The file is now in the list of HTML files this ADC is able to respond with.


The responder action

That’s what the responder action looks like:

add responder action res_act_respond_with_404 respondwithhtmlpage 404-page -responseStatusCode 404

We could specify some headers as well. If you do, be careful to use exactly the same headers as the original page does. It has to fake the original page!
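One way to check that the fake really matches, as an added example that is not part of the original post: the Python code below compares a captured response from the real web server with one captured from the ADC and lists every difference in status line, headers and body. The two sample responses are constructed, and the function names and the `VOLATILE` list are assumptions of this example.

```python
# Headers whose values legitimately change between responses (presence still checked).
VOLATILE = {"date", "etag", "last-modified", "set-cookie"}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def diff_404(real: bytes, fake: bytes):
    """List every difference that lets a client tell the fake 404 from the real one."""
    r_status, r_hdrs, r_body = parse_response(real)
    f_status, f_hdrs, f_body = parse_response(fake)
    r_map, f_map = dict(r_hdrs), dict(f_hdrs)
    findings = []
    if r_status != f_status:
        findings.append(f"status line: {r_status!r} vs {f_status!r}")
    findings += [f"header missing in fake: {n}" for n in r_map if n not in f_map]
    findings += [f"extra header in fake: {n}" for n in f_map if n not in r_map]
    # Header order is itself a fingerprint, so compare it over the shared names.
    if [n for n in r_map if n in f_map] != [n for n in f_map if n in r_map]:
        findings.append("header order differs")
    for n, v in r_map.items():
        if n in f_map and n not in VOLATILE and v != f_map[n]:
            findings.append(f"header value differs: {n}: {v!r} vs {f_map[n]!r}")
    if r_body != f_body:
        findings.append(f"body differs: {len(r_body)} vs {len(f_body)} bytes")
    return findings

# Constructed sample captures (not taken from a real server or a real ADC).
REAL = (b"HTTP/1.1 404 Not Found\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
        b"Server: Apache\r\nContent-Length: 9\r\n"
        b"Content-Type: text/html; charset=iso-8859-1\r\n\r\nNot Found")
FAKE = (b"HTTP/1.1 404 Not Found\r\nContent-Length: 9\r\n"
        b"Content-Type: text/html\r\n\r\nNot Found")

if __name__ == "__main__":
    for finding in diff_404(REAL, FAKE):
        print(finding)
```

An empty result means the two captures differ only in the values of the volatile headers.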


I hope that helps! As always, feedback is highly welcome: any kind of corrections, suggestions or just “Hey, well done” is highly appreciated.

5 thoughts on “A simple way for a Citrix ADC (NetScaler) to respond with a 404 not found”

  1. Jan Tytgat

    Hi Johannes,

    Could you elaborate your opinion why you think a drop exposes more than a 404?
    If there is a drop, it looks like there is nothing there, so why keep looking.
    When you respond with a 404, there definitely is something there and responding.

    I understand your reasoning for the 404, it is not that I disagree. 🙂

    1. Johannes Norz Post author

      Well, a drop is like showing someone the bad finger. If there is a drop, you know, there is something, but the owner simply didn’t want me to see. So, being a bad guy, I would like to see this content. If there is a 404, you would think, there is nothing, and who is curious about “nothing”? That’s my point.

      1. Jan Tytgat

        Except that you aren’t giving a finger with a drop, the request just times out into oblivion. It is not a hard reset, just that nothing is listening.

        But I do agree, if it is in a complete website on the same IP address, it might trigger some extra attention suddenly. I’ll see to integrate your logic into the next version of CoreLogic.

        Thanks for your feedback!

