Forum Discussion
KellyS_50017
Nimbostratus
Nov 11, 2009
http_to_https http profile rule question
Hopefully a super-easy question about the built-in http class profile rule, http_to_https. A client of ours is saying HP's WebInspect is dinging us with a security flaw when it tries to get into areas...
hoolio
Cirrostratus
Nov 11, 2009
What's VIP stand for, sorry? Virtual IP? What I was calling a listener?
Yeah, it's a bad shorthand for virtual server (IP and port). I guess it should be VS as VIP should mean virtual IP address.
I'm still not sure exactly what issue WebInspect is reporting. WI makes a request to an HTTPS VIP and receives a redirect with a local-reference Location of /Anon02/Anon02.aspx. That's coming from the web app, not LTM. And even though RFC 2616 states Location header URLs must be absolute (containing a full URL including the protocol), every major browser I've ever tested with will make a new GET request to the same host over the same protocol. So the client should make a request to https://anon.com:443/Anon02/Anon02.aspx. No cookies have been sent over HTTP in the two requests.
WebInspect seems to be confusing an initial http request with a 302 response (the 2nd 302 response, from our web site) with cookie data to be "insecure".
In past testing with WI, I haven't seen that problem, so I'm still not clear what the issue is. Can you post the full (anonymized) details from WI for this?
Aaron
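As an added example (not code from this thread, from F5, or from HP WebInspect), the script below walks a constructed HTTP-to-HTTPS redirect chain the way Aaron describes a browser doing it: a relative Location is resolved against the URL just requested, so scheme and host carry over. It then reports the two things the thread is arguing about, a Location that is not absolute (RFC 2616 section 14.30 requires an absolute URI) and any Set-Cookie that travelled over plain HTTP, and, as a generalization beyond the thread, a cookie set over HTTPS without the Secure attribute. The hostnames, paths, cookie names and both chains are constructed placeholders, not captured traffic.

```python
# Added example, not code from the DevCentral thread: analyse a redirect
# chain for relative Location headers and cookies exposed over plain HTTP.
# All URLs, cookie names and chains below are constructed placeholders.
from urllib.parse import urljoin, urlsplit

# Each hop: the URL the client requested, the status it got, and the response
# headers as (name, value) pairs so repeated Set-Cookie headers are preserved.
SAMPLE_CHAIN = [
    # hop 0: an http_to_https style redirect on the port-80 virtual server
    {"request_url": "http://anon.com/", "status": 302,
     "headers": [("Location", "https://anon.com/")]},
    # hop 1: the application's own 302 on the HTTPS virtual server
    {"request_url": "https://anon.com/", "status": 302,
     "headers": [("Location", "/Anon02/Anon02.aspx"),
                 ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly")]},
    # hop 2: the final page
    {"request_url": "https://anon.com/Anon02/Anon02.aspx", "status": 200,
     "headers": [("Content-Type", "text/html")]},
]

# A constructed chain that really does leak a cookie: the application set it
# on the plaintext hop, before the redirect to HTTPS.
INSECURE_CHAIN = [
    {"request_url": "http://anon.com/", "status": 302,
     "headers": [("Location", "https://anon.com/"),
                 ("Set-Cookie", "tracking=xyz; path=/")]},
    {"request_url": "https://anon.com/", "status": 200, "headers": []},
]


def is_absolute_url(location):
    """True when a Location value carries both a scheme and a host."""
    parts = urlsplit(location)
    return bool(parts.scheme) and bool(parts.netloc)


def resolve_location(request_url, location):
    """Resolve Location the way browsers do: relative to the URL just requested,
    which keeps the scheme, host and port of that request."""
    return urljoin(request_url, location)


def _header(headers, name):
    """First value of a header, matched case-insensitively, or None."""
    return next((v for n, v in headers if n.lower() == name.lower()), None)


def analyze_chain(chain):
    """Return a list of (kind, hop_index, detail) findings for a redirect chain."""
    findings = []
    expected_url = None
    for i, hop in enumerate(chain):
        url = hop["request_url"]
        scheme = urlsplit(url).scheme.lower()
        # The client is expected to have followed the previous hop's Location.
        if expected_url is not None and url != expected_url:
            findings.append(("unexpected-request", i, url))
        for name, value in hop["headers"]:
            lname = name.lower()
            if lname == "location" and not is_absolute_url(value):
                findings.append(("relative-location", i, value))
            elif lname == "set-cookie":
                cookie_name = value.split("=", 1)[0].strip()
                attrs = {a.strip().lower() for a in value.split(";")[1:]}
                if scheme != "https":
                    findings.append(("cookie-over-http", i, cookie_name))
                elif "secure" not in attrs:
                    findings.append(("cookie-no-secure", i, cookie_name))
        location = _header(hop["headers"], "Location")
        if 300 <= hop["status"] < 400 and location is not None:
            expected_url = resolve_location(url, location)
        else:
            expected_url = None
    return findings


if __name__ == "__main__":
    for label, chain in (("sample", SAMPLE_CHAIN), ("insecure", INSECURE_CHAIN)):
        print(label)
        for kind, hop, detail in analyze_chain(chain):
            print(f"  hop {hop}: {kind}: {detail}")
```

On the sample chain the script reports only the relative Location and the missing Secure attribute on hop 1; no cookie crosses plain HTTP, which is the situation Aaron describes. On the second chain it reports the cookie set on the port-80 hop, which is the kind of exchange a scanner would legitimately flag. Replacing the constructed chains with hops transcribed from a real capture is the quickest way to see which of the two cases the scanner actually observed.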
