Open redirect mitigation
Hi all,
I'm new to F5 and probably this is a very basic question. I'd like to know your advice on mitigating an open redirect vulnerability, as could be http://www.vulnerable.com/redirect.asp?=http://www.evil.com
I want to allow the redirection but with an informational message which the user has to accept, like "You are going to be redirected...". What do you think is the best way to do it?
I guess it's possible to do it using iRules (only LTM), but I'd also like to know the options using ASM.
Thanks in advance
- Faruk_AYDIN Nimbostratus
I think if you don't want to use iRule, APM can be used, because it is more practical to display a warning or info message.
- Vijith_182946 Cirrostratus
Hi Albert,
You can do this by enabling the redirection protection under Security > Application Security > Headers > Redirection Protection (assuming you have got 11.5.X). The link below will help to solve the problem!
Cheers,
- Albert_252822 Nimbostratus
Hi Vijith,
Thanks for your answer, that's very useful information. However, I only see the option to block the redirection, and I'd like to allow the redirection to the non-whitelisted domains/subdomains, adding a message which the user has to accept before being redirected.
- Vijith_182946 Cirrostratus
I suppose you need to utilise iRule in this case.
- Albert_252822 Nimbostratus
Yes, I supposed it. Thanks!
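One way to build the notice page with an iRule, as the last replies suggest (an added example, not code from this thread or from F5). The path `/redirect.asp` comes from the question; the query parameter name `url` and the data group `allowed_redirect_hosts` are assumptions.

```tcl
# Added example. Assumptions: query parameter "url", data group "allowed_redirect_hosts".
when HTTP_REQUEST {
    # Only the redirect endpoint from the question is handled here.
    if { [string tolower [HTTP::path]] ne "/redirect.asp" } { return }

    # Decoded redirect target; an absent parameter is left to the application.
    set target [URI::decode [URI::query [HTTP::uri] "url"]]
    if { $target eq "" } { return }

    # Accept only absolute http(s) URLs with a plain host name. This rejects
    # javascript:/data: schemes, userinfo and backslashes in the authority,
    # and any whitespace (including CR/LF) in the target.
    if { ![regexp -nocase {^https?://([a-z0-9.-]+)(?::\d+)?(?:[/?#]\S*)?$} $target -> host] } {
        log local0. "open-redirect: rejected malformed target from [IP::client_addr]"
        HTTP::respond 400 content "Invalid redirect target" "Content-Type" "text/plain"
        return
    }
    set host [string tolower $host]

    # Allow-listed hosts go to the application unchanged.
    if { [class match -- $host equals allowed_redirect_hosts] } { return }

    # Everything else gets the notice page instead of the application's redirect.
    # The target is HTML-escaped before it is placed in the href attribute.
    set esc [string map {& &amp; < &lt; > &gt; \" &quot; ' &#39;} $target]
    log local0. "open-redirect: interstitial for host $host from [IP::client_addr]"
    set page "<html><body><p>You are going to be redirected to an external site: <b>$host</b></p>"
    append page "<p><a href=\"$esc\" rel=\"noopener noreferrer\">Continue</a></p></body></html>"
    HTTP::respond 200 content $page "Content-Type" "text/html; charset=utf-8" "Cache-Control" "no-store"
}
```

The "Continue" link points straight at the external URL, so requests for hosts outside the data group never reach the application's redirect and the acceptance step cannot be skipped by adding a parameter to the link. The data group must exist as a string-type group with lowercase host names.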