Forum Discussion
locki
Nimbostratus
NimbostratusHow to secure url on irule on F5?
I need secure one think and i dont know how to do it correctly and properly.
We have this link on website for aplication: https://www.somewebsite.com/test/UI/Login?realm=external&goto=https://www.somewebsite.com/application/security_check&locale=en&service=client
After user authentication they are redirected to website in the link: https://www.somewebsite.com/application/security_check&locale=en&service=client
All works like should be... beut there is one small secure issue, when peoples in our organization get phishing attack email to change something in their account with different link in goto something like this and after login there is something for fill credit card numer it is problem...
How to prevent this on F5 to secure goto? Via some irule and explicit links, or just block @ in link?
- Daniel_Wolf
MVP
Hi locki,
seems your app is vulnerable to open redirects. Take a look at the following links to learn more:
- OWASP Cheat Sheet Series - Unvalidated Redirects and Forwards
- MITRE - CWE-601: URL Redirection to Untrusted Site
- PortSwigger - Open redirection
Can be fixed with ASM (BIG-IP v16.1): MyF5 > BIG-IP Application Security Manager: Implementations > Mitigating Open Redirects
IMHO it should be fixed in the app code by your developers.KR
Daniel - Paulius
locki I believe what you are looking for is dealing with URI::query which you can read up more at the following link.
https://clouddocs.f5.com/api/irules/URI__query.html
In addition I believe someone did something similar in the following link.
Is the F5 working as your perimeter device and does it have WAF enabled on it? I think this situation might be better dealt with by using WAF rather than relying on a manually created and updated iRule to protect the entirety of your user base.
lockiThere is ASM on the box, on perimeter is FW then F5, I also think there must be better solution then some irule...
- Paulius
locki I defer to Daniel_Wolf comment which is a great option that seems like it would work for you.
