CitrixBleed To Infinity And Beyond Citrix NetScaler Pre-Auth... #2449

Open
carlospolop wants to merge 1 commit into master from update_CitrixBleed_To_Infinity_And_Beyond_Citrix_NetSca_14bbe41509c8c07c

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

watchTowr Labs analyzes CVE-2026-8451, nicknamed “CitrixBleed To Infinity And Beyond”, a pre-authentication memory overread in Citrix NetScaler ADC / NetScaler Gateway when the appliance is configured as a SAML Identity Provider / SAML IdP. Citrix describes the issue as “Insufficient input validation leading to memory overread” and assigned it CVSS 8.8.


Affected versions:<...

🔧 Technical Details

Unquoted XML attribute parser overread: A custom XML parser can become an information disclosure primitive if it treats quoted and unquoted attribute termination differently. In this case, quoted values stopped at their matching quote, but unquoted values used only a literal space as the terminator and did not treat newline, carriage return, or tab as terminators. A payload such as AssertionConsumerServiceURL=11\nid=22> is therefore parsed as 11 id=22 instead of 11. The reusable testing technique is to place an unquoted attribute before a newline and another attribute or tag, then observe whether reflected output, logs, cookies, or downstream behavior include the over-consumed content.


Combining loose semantic validation with corrupted parser state: The NetScaler SAML parser accepted malformed XML structures as long as high-level requirements were present somewhere in the document, such as &...

🤖 Agent Actions

Progress update only, not the final answer:

  • Re-initialized the continuation plan again as requested.
  • Re-ran a last sanity check.
  • Repo still contains only the intended change:
    • M src/pentesting-web/saml-attacks/README.md
  • Diff stats remain:
    • 1 file changed, 87 insertions(+)
  • File checks still pass:
    • one ## References
    • one new SAML overread section
    • contains NSC_TASS, /saml/login, Request-length shaping, and DoS variant
    • ends with the HackTricks banner include

I’m keeping the run open and not providing the final answer yet.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
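
The termination difference described under Technical Details, as an added example that is not part of this PR, the watchTowr post or any NetScaler code: a toy attribute reader run with the space-only terminator set and with a whitespace-aware one, plus a check that flags unquoted attributes before parsing. The function names, the sample request and the treatment of `>` as a terminator are assumptions made for illustration.

```python
import re

# Constructed sample: the unquoted-attribute shape quoted in the PR text above.
SAMPLE = '<samlp:AuthnRequest ID="_a1" AssertionConsumerServiceURL=11\nid=22>'

SPACE_ONLY = " >"        # models the described bug; '>' is an assumption of this toy
XML_SPACE = " \t\r\n>"   # every XML whitespace character ends the value

def read_value(buf, name, terminators):
    """Return the value of attribute `name` the way a hand-rolled parser would."""
    pos = buf.index(name + "=") + len(name) + 1
    quote = buf[pos]
    if quote in "\"'":                      # quoted: stop at the matching quote
        return buf[pos + 1:buf.index(quote, pos + 1)]
    end = pos                               # unquoted: scan to a terminator
    while end < len(buf) and buf[end] not in terminators:
        end += 1
    return buf[pos:end]

_QUOTED = re.compile(r'"[^"]*"|\'[^\']*\'')
_TAG = re.compile(r"<[^<>]*>")
_UNQUOTED = re.compile(r"([A-Za-z_:][\w:.\-]*)\s*=\s*(?![\"'\s])")

def unquoted_attributes(xml):
    """Names of attributes written without quotes; well-formed XML has none."""
    stripped = _QUOTED.sub('""', xml)       # hide '=' inside quoted values
    return [m.group(1) for tag in _TAG.findall(stripped)
            for m in _UNQUOTED.finditer(tag)]

def accept_request(xml):
    """Hardened front-end check: refuse input carrying unquoted attributes."""
    return not unquoted_attributes(xml)

if __name__ == "__main__":
    # Space-only termination swallows the newline and the following attribute.
    print(repr(read_value(SAMPLE, "AssertionConsumerServiceURL", SPACE_ONLY)))
    # Whitespace-aware termination stops at the newline.
    print(repr(read_value(SAMPLE, "AssertionConsumerServiceURL", XML_SPACE)))
    print(unquoted_attributes(SAMPLE), accept_request(SAMPLE))
```

The same `unquoted_attributes` check can be applied to logged or proxied SAML requests, since a conforming service provider never emits unquoted attribute values.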

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://labs.watchtowr.com/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> SAML Attacks, or Network Services Pentesting -> 80,443 Pentesting Web -> add/update Citrix NetScaler ADC/Gateway notes".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
