Forum Discussion
Albert_252822
Nimbostratus
NimbostratusOpen redirect mitigation
Hi all,
I'm new to F5 and probably this is a very basic question. I'd like to know your advice on mitigating an open redirect vulnerability, as could be http://www.vulnerable.com/redirect.asp?=http://www.evil.com
I want to allow the redirection but with an informational message which the user has to accept, like "You are going to be redirected...". What do you think is the best way to do it?
I guess it's possible to do it using irules (only LTM) but I'd also like to know the options using ASM.
Thanks in advance
Hi Albert,
You can do this by enabling the redirection protection Security > Application Security > Headers > Redirection Protection. ( assuming you have got 11.5.X) The below link will help to solve the problem !
Cheers,
Faruk_AYDINI think If you dont want to use iRule, APM can be used. Because It is more practical to display a warning or info message.
Vijith_182946Cirrostratus
Hi Albert,
You can do this by enabling the redirection protection Security > Application Security > Headers > Redirection Protection. ( assuming you have got 11.5.X) The below link will help to solve the problem !
Cheers,
Albert_252822Hi Vijith,
Thanks for your answer, that's very useful information. However, I only see the option to block the redirection and I'd like to allow the redirection to the non whitelisted domains/subdomains adding a message which the user have to accept before being redirected.
- Vijith_182946I suppose you need to utilise iRule in this case.
- Albert_252822Yes, I supposed it. Thanks!