making security even easier


Captcha in Citrix XenApp Web Interface

A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a person
Automated requests can easily use a brute force attack on a company's WI website & crack into their systems, or at least in most cases succeed to permanently lock out AD account(s) (in MS Win environments with lockout policy enabled) .

I managed to successfully implement captcha for WI 5.3, but I am sure the same code would work on other 5.x interfaces without major mods.
Tested on all 5.x releases of WI.


Demo of captcha implemented in Citrix XenApp Web Interface 5.3:



Follow these steps to enable captcha (I recommend to test it on a separate website to make sure your production WI is not affected )

1. Upload image generator script and test if it generates the image properly
The script can be obtained here.
Upload the file to auth folder of your website (C:/inetpub/wwwroot/Citrix/XenApp/auth) and allow it to run w/o authentification by adding it to "AUTH:UNPROTECTED_PAGES" section of site's web.config file:
- Open site's web.config file
- Locate appSettings -> add key="AUTH:UNPROTECTED_PAGES" attribute and add "captcha-image.aspx" into the value field.
- It should look like this -- value="/rade.aspx,/auth/style.aspx,/auth/captcha-image.aspx,/auth/javascript.aspx,/auth...
Now, launch the script using a browser. It should generate an image like this


- You can modify bg color of the image by changing objGraphics.Clear(Color.Green); and the font to be used by changing Font objFont = new Font("Chiller", 11, FontStyle.Bold); in captcha-image.aspx

2. Modify login form to show captcha image and input field

Open loginMainForm.inc ( C:/inetpub/wwwroot/Citrix/XenApp/app_data/include) and add following lines:
- Just before < table class="loginForm"
----------------
<script>

document.cookie='captcha=0000';

</script>

----------------

- Right after } // End Domain   

----------------
%>
<tr><td align=right>Captcha:</td><td> <img src=captcha-image.aspx border=0 width=60 height=20> <input size=6 type=text id=captcha onKeyUp="document.cookie='captcha='+document.getElementById('captcha').value;" >

</td></tr> <%

----------------

Now, navigate to your WI site to check if you see the captcha image and text box on your login form, similar to the screenshot below.


3. Modify login.aspx to check captcha before authentication process starts
- locate layout.PageView = "loginView.ascx"; and paste the following code right after.
-------------
string strData =Request.ServerVariables["HTTP_COOKIE"];

if (Session.Contents["CaptchaStr"] == null ) { Session.Contents["CaptchaStr"] = ""; }


if ( Session.Contents["CaptchaStr"].ToString().Length != 0 && Request.ServerVariables["HTTP_REFERER"].Contains("login.aspx") ) {

string captcha = "0000";
string[] separator = new string[] { ";" };
string[] strSplitArr = strData.Split( separator, StringSplitOptions.RemoveEmptyEntries);
foreach (string arrStr in strSplitArr)
{
string[] arrFind = arrStr.Split(new Char[] {'='}, 3);
if (arrFind[0].Contains("captcha") && arrFind[1].Length != 0 ) { captcha = arrFind[1]; }

}



if( captcha.ToString()== Session.Contents["CaptchaStr"].ToString() ) {


Response.Write(captcha+"-"+Session.Contents["CaptchaStr"]);


} else {


Session.Remove("CaptchaStr");


Response.Redirect("~/html/serverErrorCaptcha.html");
Response.End();


}

}

----------------------

If you do not have any other mods, you can download and use this login.aspx file

4. Add captcha error page
As you might have noticed, in case captcha is entered wrong, login script redirects users to ~/html/serverErrorCaptcha.html. You have to create it in C:/inetpub/wwwroot/Citrix/XenApp/html/ . You can use this file

 



That should be it. You now have a captcha verification for your WI. Please note that with this mod, captcha is checked before anything else, so even if username and password are entered , it will not even try to authenticate when captcha code is wrong.

 

If no customization has  been made, just extract contents of this zip file over your WI site.

<< Go back to the previous page


G+ profile


follow me : github, habrahabr , linkedin
Feel free to contact me directly :
emin --at huseynov --dot com

Other projects

Google authenticator for Citrix StoreFront
Google authenticator for Citrix Web Interface 5.4
MOTP App with QR based enrolment

Two-factor authentication for Citrix Web Interface 5.x – Pure ASP/C# Implementation

Captcha for Citrix Web Interface 5.x

MOTP Passtore

2FA with Face recognition

Token2


Not security related

MELODUS/Musiqim

ilk10.az

News aggregator