F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

jwood2's avatar
jwood2
Icon for Nimbostratus rankNimbostratus
Feb 03, 2020

HTTP -> HTTPS redirect described in K26312346 failed pentest scan

I recently had a pentest performed against a virtual server and the implementation I chose for HTTP to HTTPS redirection failed the audit. I had implemented the HTTP to HTTPS policy described in K26...
LTM
security
Dmitry's avatar
Dmitry
Icon for Altocumulus rankAltocumulus
Feb 04, 2020
The auditor argues that this implementation does not validate the input and can allow an attacker to perform an invalid redirection to a different site

Its so wiered. So the security guy said: if I write the wrong URL - i will go to the wrong site? Seriously?

Ask him - who does this affect? Simple question. It doesnt affect your site or your valid client. So its not a problem.

If this is something like official attestation and you have no choise you can try something like this:

when HTTP_REQUEST {
       if { [HTTP:uri]  starts_with "/" } {
             HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
       } else {
             HTTP::redirect https://[getfield [HTTP::host] ":" 1]/[HTTP::uri]
       }
}

But if I were you - I would say: you wrong, go away 😁