Forum Discussion
HTTP -> HTTPS redirect described in K26312346 failed pentest scan
I recently had a pentest performed against a virtual server and the implementation I chose for HTTP to HTTPS redirection failed the audit. I had implemented the HTTP to HTTPS policy described in K26312346. The auditor argues that this implementation does not validate the input and can allow an attacker to perform an invalid redirection to a different site.
Friendly site:
www.somesite.com
Malicious site:
www.badsite.com
Policy:
Redirect to location tcl:https://[getfield [HTTP::host] : 1][HTTP::uri] at request time
Request:
GET .badsite.com HTTP/1.1
HOST: www.somesite.com
Response:
HTTP/1.0 302 Found
Location: https://www.somesite.com.badsite.com
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
How can I create an HTTP to HTTPS policy that is reusable but does better validation of the host and prevents this sort of misdirection attack? Should I move back to iRules, where I can easily do a comparison check against a static variable for the expected hostname?
- Dmitry
Altocumulus
The auditor argues that this implementation does not validate the input and can allow an attacker to perform an invalid redirection to a different site
It's so weird. So the security guy said: if I write the wrong URL, I will go to the wrong site? Seriously?
Ask him: who does this affect? Simple question. It doesn't affect your site or your valid client. So it's not a problem.
If this is something like official attestation and you have no choice, you can try something like this:
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/" } {
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    } else {
        # request-target did not start with "/": prepend one so it cannot extend the host
        HTTP::redirect https://[getfield [HTTP::host] ":" 1]/[HTTP::uri]
    }
}
But if I were you, I would say: you're wrong, go away 😁
- jwood2
Nimbostratus
I agree that the finding is a bit weak, but I'm still obligated to address it. That being said, I agree with you that the easiest way to fix this is probably with an iRule, but I was wondering specifically how I could implement this sanity check for '[HTTP::uri] starts_with "/"' in a policy. I think I found my answer; within the policy I have configured:
Match all the following conditions:
HTTP URI path begins with any of / at request time
Do the following when traffic is matched:
Redirect to location tcl:https://[getfield [HTTP::host] : 1][HTTP::uri] at request time
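For readers who do go back to an iRule, here is the stricter variant the original question asked about (an allowlist check on the Host header plus the "/" check), written as an added example that is not from any post in this thread or from K26312346; the hostnames in the allowlist are constructed placeholders for your own.

```tcl
when HTTP_REQUEST {
    # Strip any ":port" suffix and normalise case before comparing.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set uri  [HTTP::uri]

    # Only hostnames this virtual server is meant to serve are echoed into
    # a Location header (constructed allowlist; replace with your own names
    # or a data group lookup).
    switch -- $host {
        "www.somesite.com" -
        "somesite.com" {
            # A request-target that does not start with "/" (the ".badsite.com"
            # case in the pentest finding) would be glued onto the host in the
            # redirect; reject it instead of guessing what was meant.
            if { [string index $uri 0] ne "/" } {
                HTTP::respond 400 content "Bad Request" Connection close
                return
            }
            HTTP::redirect "https://${host}${uri}"
        }
        default {
            # Unknown or missing Host header: never reflect it back.
            HTTP::respond 400 content "Bad Request" Connection close
        }
    }
}
```

With this in place the request from the finding gets a 400 rather than a 302 to an attacker-controlled name, and a request with a Host header you do not serve gets the same.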