Pentesting Citrix hosted app


Ajay Nunna

Apr 29, 2016, 7:07:19 AM
to null-...@googlegroups.com
Hi Team,
I have come across a pen test where I need to test an app that is hosted on a Citrix env.
Now my doubt is how we test the app.
While accessing the app, I came to know that it can be accessed via the Citrix native client --- launch.ica
Java client --- some jars

Now I tried intercepting the traffic using Echo Mirage, but all data is encrypted.
And I was not able to configure Burp for this as well.

So I needed help from the community on how to go ahead with pentesting this application.

Regards,
AJAY NUNNA

Sent from my iPhone

ch1c0 hacker

Apr 29, 2016, 8:50:05 AM
to null

Hello Ajay,


When it comes to testing an application available in CITRIX, we have to test

 - the application inside the CITRIX box
 - then the CITRIX configurations
     * so as to confirm the build is secure,
     * authorization controls on the CITRIX box are good,
     * possibility of privileged access etc.
 - its authentication controls
 - then confirm all the versions of client software on which your CITRIX application would open are vulnerability free
 - LASTLY, if all your company related policies are implemented the right way.


These are my few thoughts on testing CITRIX based applications.


Hope this is helpful!


Yours friendly,

CH1C0 HACKER.

Ajay Srivastava

Apr 29, 2016, 10:44:53 AM
to null-...@googlegroups.com

--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
______________________________________________________________________________
se7enth edition of nullcon Goa (Mar 9-12, 2016)
http://nullcon.net

Ajay Nunna

Apr 29, 2016, 3:49:55 PM
to null-...@googlegroups.com
Team,
Thank you guys for your inputs.
My concern here is how to test the app; the rest I was able to cover,
like I was able to RDP to the server.
So, does anyone have an idea on how to intercept the traffic between the client/app and the Citrix server?

Sent from my iPhone

Akash

May 19, 2016, 2:02:33 AM
to null-...@googlegroups.com
Warm regards,
Akash Mahajan

That Web Application Security Guy | +91 99 805 271 82
akashm.com | @makash on twitter | linkd.in/webappsecguy
OWASP Bangalore Chapter Lead | null Community Manager
