Forum Discussion
KellyS_50017
Nimbostratus
Nov 11, 2009
http_to_https http profile rule question
Hopefully a super-easy question about the built-in http class profile rule, http_to_https. A client of ours is saying HP's WebInspect is dinging us with a security flaw when it tries to get into areas...
KellyS_50017
Nimbostratus
Nov 11, 2009
Nope, the original location header value was /anon/anon.aspx.
Thanks for catching the redirect thing - truth is stranger than fiction and I totally missed our other redirect. There are actually two redirects going on - the F5's redirect all http to https. Second, I'll redo the block to show the pages better. I named the url they are going to Anon01, and the url our code redirects them to as Anon02.
Attack Request: GET /Anon01/Anon01.aspx HTTP/1.1
Attack Response: HTTP/1.1 302 Found
Location: /Anon02/Anon02.aspx
Set-Cookie: BIGipServeranon.com_https=180882442.47873.0000; path=/
Object moved
Object moved to .
File Names: https://anon.com:443/Anon01/Anon01.aspx
----
What does VIP stand for, sorry? Virtual IP? What I was calling a listener?
In the end, what am I looking at? WebInspect seems to be confusing an initial http request with a 302 response (the 2nd 302 response, from our web site) with cookie data to be "insecure". I would challenge this I guess, that the product isn't smart enough to understand what it's getting into.
The gist is that they aren't doing traffic with our web servers non-ssl, I think that's safe to assume. The only VIP that connects to our web tier is SSL-only. Is there any reason, from the bit of response WebInspect is showing, to think we're not responding over SSL? The F5 redirect (to SSL) is over http, I get that. How else would you redirect from http to https? (not a real question).
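A way to reason about the two-hop chain described above offline, as an added example that is not code from the post or from F5: it walks a constructed set of captured responses (hop 1 is the http_to_https redirect, hop 2 is the application's own 302 with the BIG-IP persistence cookie, placeholder value), records whether each hop was served over TLS, and reports cookies that are set on a plaintext hop or lack the Secure attribute, which is one plausible reading of a scanner calling cookie data "insecure" (an assumption, not a statement of what WebInspect checks).

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample chain (shape taken from the post; the cookie value is a placeholder):
# hop 1 is the F5 http_to_https redirect, hop 2 is the application's own 302.
RESPONSES = {
    "http://anon.com/Anon01/Anon01.aspx":
        "HTTP/1.1 302 Found\r\nLocation: https://anon.com/Anon01/Anon01.aspx\r\n\r\n",
    "https://anon.com/Anon01/Anon01.aspx":
        "HTTP/1.1 302 Found\r\nLocation: /Anon02/Anon02.aspx\r\n"
        "Set-Cookie: BIGipServeranon.com_https=PLACEHOLDER; path=/\r\n\r\n",
    "https://anon.com/Anon02/Anon02.aspx": "HTTP/1.1 200 OK\r\n\r\n",
}

def parse_response(raw):
    """Split a raw HTTP response into (status code, [(lower-cased header name, value)])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def cookie_findings(url, headers):
    """Report cookies set on a plaintext hop or sent without the Secure attribute."""
    findings, over_tls = [], urlsplit(url).scheme == "https"
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if not over_tls:
            findings.append((cookie, "set over plaintext http"))
        if "secure" not in attrs:
            findings.append((cookie, "missing Secure attribute"))
    return findings

def walk_chain(start_url, responses=RESPONSES, max_hops=5):
    """Follow Location headers (relative ones resolved against the current URL) and
    record, per hop, whether it was served over TLS plus any cookie findings."""
    hops, url = [], start_url
    for _ in range(max_hops):
        status, headers = parse_response(responses[url])
        hops.append({"url": url, "tls": urlsplit(url).scheme == "https",
                     "status": status, "findings": cookie_findings(url, headers)})
        location = dict(headers).get("location")
        if status not in (301, 302, 303, 307, 308) or location is None:
            break
        url = urljoin(url, location)
    return hops
```

Run `walk_chain("http://anon.com/Anon01/Anon01.aspx")`: only the first hop is plaintext, and the only finding is on the second, TLS-served hop, where the persistence cookie is set without the Secure attribute.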