HTTP Host Header Injection found at PORT : 80 vulnerability

Hi lorenze , 

It's clear that you did your Vulnerability Scan through BIGIP. 

it seems to be backend server issue or miss configuration. 

I see this is a Mixed content issue which means >> some web developers add Mixed URLs returned from servers to client for redirections. 
I want to say that backend server itself may return a ( http://host.com/path1/path2 ) although you as a client expects (https) Communication, So this is a miss configs from server side. 

F5 bigip overcome this Mixed Content issue by using ( Redirection irule to redirect from http to https ) or using Stream profile >> but this not our Topic here. 

> try to do this Scan test directly with backend servers not through bigip and I think you will observe the same thing. 

> So you should solve it from Backend server itself. 

> If you need to overcome this by bigip follow this Article : https://my.f5.com/manage/s/article/K31100432
But you will be still vulnerable , so solve it from backend server code with the aids of ( Server developer or Vendor ) 

I hope you find my comment insightful,

Thanks for the response Mohamed_Ahmed_Kansoh.   Just for additional insights, as far as I understand the vulnerability which I could be wrong. 

The orignal http url (e.g http://example.com) can be changed into arbitrary url  (e.g https://asdfad.com) I was just wondering if thier is an easy way to prevent this from an F5 level being the servers are  load balanced. 

We have an irule that redirect http traffic to https but this  is still being flag as vulnerable. 

Thanks, 

Based on "Server: BigIP" of the response header, it appears that your F5 is responding with this 302 redirect.  Do you have some type of HTTP to HTTPS redirect (iRule or Policy) configured on your port 80 VIP?

If so, you could explore something like this iRule: https://community.f5.com/t5/technical-forum/host-header-injection-irule/td-p/295090.  The same can also be done with a policy.