Citrix WAF

The Citrix Web Application Firewall

Every professionally run web site should sit behind a WAF, a web application firewall. It protects the application itself, not the network: don’t mix it up with a stateful inspection firewall like Fortigate, Checkpoint or Sonicwall. A WAF is a pure Layer 7 device. It checks requests and responses against a set of rules and acts (typically by blocking, logging or transforming the offending data) when traffic traversing the WAF violates them.

Johannes’s blog hosts a guide on how to set up a WAF. This page shows you how to use Wonderkitchen’s hosted websites to test your WAF.

Setting up a WAF is not a job for newbies, so you should have completed most of the labs up to here. You should be very comfortable with responder and rewrite policies (an old hand at rewriting, ideally), and load balancing and content switching should be easy for you.

The red server, red.wonderkitchen.network, contains several test files. It is still under development, so more will follow.

The Dialogue pages

There are several dialogue pages; you can find them from here.

You can use them to test:

  • Start-URL
  • Deny-URL
  • Form Field consistency
  • Field Formats
  • CSRF Form Tagging
  • Cross Site Scripting
  • HTML SQL Injection
  • HTML Command Injection

The “Logon Page”

There is a dummy logon page. It’s rather primitive: the username is test, the password is Password1. A successful logon simply leads you to the Dialogue main page, and since that page is also reachable without logging on, the authentication procedure is easily bypassed.

It will be your job to make this logon secure (you won’t have any influence on the strength of the password; to be honest, it is what it is).

You may use it to test:

  • Start-URL with forced closure (Enforce Start URL Closure)
  • Building a somewhat more complex WAF configuration

The Credit Cards Demo page

The Credit Card demo page contains several credit card numbers (both valid and invalid ones) as well as a long digit string that is not a card number at all (the first 500 digits of π).

You may use this one to test:

  • Credit Card
  • Deny URLs

The Safe Object Test Page

It contains some strings (keywords and phone numbers) that should be treated as safe objects and must not be exposed to the public.

You may use this one to test:

  • Safe Objects
  • Deny URLs

The not directly linked pages

Following the linker.htm page you’ll find some pages that are not linked from the start page.

You may use these to test:

  • Start-URL with forced closure (Enforce Start URL Closure)
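To turn the test pages above into a repeatable check, here is an added example script (not part of the blog or of Wonderkitchen’s lab material) that sends one probe per WAF check through your WAF and, in parallel, straight to the red server, then judges whether the WAF intervened. The WAF hostname, the paths of the dialogue, credit-card and hidden pages, the form field name and the text of the WAF’s error page are all assumptions, because the page does not list the exact URLs; adjust them to your lab. The credit-card verdict uses a Luhn check, which is also why the demo page mixes valid cards, invalid cards and digits of π: a digit run of π can pass Luhn by chance.

```python
"""Probe the Wonderkitchen WAF test pages through a WAF and judge each check.
Added example; hostnames, paths, field names and the block marker are assumed."""
import re
import urllib.error
import urllib.parse
import urllib.request

WAF_HOST = "https://waf.example.test"              # assumed: your WAF virtual server
ORIGIN_HOST = "https://red.wonderkitchen.network"  # the unprotected red server
BLOCK_MARKER = "Access has been blocked"           # assumed: text of your WAF error page

# (WAF check exercised, path, query parameters). Paths and field name are assumed.
PROBES = [
    ("Cross Site Scripting",   "/dialogue.htm",    {"name": "<script>alert(1)</script>"}),
    ("HTML SQL Injection",     "/dialogue.htm",    {"name": "' OR '1'='1"}),
    ("HTML Command Injection", "/dialogue.htm",    {"name": "x; cat /etc/passwd"}),
    ("Start URL closure",      "/hidden1.htm",     {}),  # only reachable via linker.htm
    ("Credit Card",            "/creditcards.htm", {}),  # response-side check
]


def fetch(host, path, params=None, timeout=10):
    """GET host+path and return (status, body). Redirects are followed, so a WAF
    that redirects to an error page still yields 200 and is caught via BLOCK_MARKER."""
    url = host + path + ("?" + urllib.parse.urlencode(params) if params else "")
    req = urllib.request.Request(url, headers={"User-Agent": "waf-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 4xx/5xx are answers, not failures
        return err.code, err.read().decode("utf-8", "replace")


def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum every real card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_numbers(body):
    """Digit runs of 13 to 19 digits in body that pass Luhn, i.e. what a credit
    card check should mask. A run of pi digits may pass by chance (false positive)."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", body) if luhn_valid(m)]


def verdict(check, params, origin, waf):
    """Judge one probe from the origin's (status, body) and the WAF's (status, body)."""
    o_status, o_body = origin
    w_status, w_body = waf
    if o_status != 200:
        return "invalid probe: origin answered %d, fix the path first" % o_status
    if check == "Credit Card":
        before, after = card_numbers(o_body), card_numbers(w_body)
        if before and not after:
            return "blocked or masked: %d card numbers removed" % len(before)
        return "passed: %d card numbers still visible" % len(after)
    if w_status != o_status:
        return "blocked: status %d instead of %d" % (w_status, o_status)
    if BLOCK_MARKER in w_body and BLOCK_MARKER not in o_body:
        return "blocked: error page served"
    payload = next(iter(params.values()), None)
    if payload and payload in o_body and payload not in w_body:
        return "transformed: payload no longer reflected"   # e.g. XSS transform action
    return "passed: WAF answered like the origin"


def run(host=WAF_HOST, origin=ORIGIN_HOST):
    """Run every probe against origin and WAF; return {check: verdict}."""
    results = {}
    for check, path, params in PROBES:
        results[check] = verdict(check, params,
                                 fetch(origin, path, params), fetch(host, path, params))
    return results


if __name__ == "__main__":
    for check, outcome in run().items():
        print("%-24s %s" % (check, outcome))
```

Run it once with the WAF profile in log-only mode to confirm every probe reports "passed" and none reports "invalid probe" (that means a path is wrong on the origin), then switch the checks to block and run again; the deny-URL and safe-object pages can be added to PROBES the same way.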
