For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jwood2's avatar
jwood2
Icon for Nimbostratus rankNimbostratus
Feb 04, 2020

HTTP -> HTTPS redirect described in K26312346 failed pentest scan

I recently had a pentest performed against a virtual server and the implementation I chose for HTTP to HTTPS redirection failed the audit. I had implemented the HTTP to HTTPS policy described in K26...
LTM
security
Dmitry's avatar
Dmitry
Icon for Altocumulus rankAltocumulus
Feb 04, 2020
The auditor argues that this implementation does not validate the input and can allow an attacker to perform an invalid redirection to a different site

Its so wiered. So the security guy said: if I write the wrong URL - i will go to the wrong site? Seriously?

Ask him - who does this affect? Simple question. It doesnt affect your site or your valid client. So its not a problem.

If this is something like official attestation and you have no choise you can try something like this:

when HTTP_REQUEST {
       if { [HTTP:uri]  starts_with "/" } {
             HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
       } else {
             HTTP::redirect https://[getfield [HTTP::host] ":" 1]/[HTTP::uri]
       }
}

But if I were you - I would say: you wrong, go away 😁