Forum Discussion

Nimbostratus

Apr 26, 2024

Open Redirection Mitigation

hello, ASM has a feature to mitigate the open redirection attacks when the redirect happens at the header level (i.e: with Location in response). When the redirection is within the payload response...

Daniel_Wolf
May 03, 2024
Hi OM,

if this it the request: "https://website.com/redirect.jsp?url=https://google.com"
Then url is a parameter and https://google.com is a parameter value. In ASM you can control which parameter values are allowed. Issue solved.

Sample config:

And the result:

KR
Daniel

spalande

Nacreous

Apr 30, 2024

Interesting. Did you already test this that if it isn't a HTTP redirect but could be HTML or javascript redirect from the payload, ASM doesn't block it?

I'm not sure if custom ASM signature can be built around this that might be checked with your account representative from F5. But this can be definitely blocked with custom iRule to scan the payload and allow only whitelisted redirect URL values.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Open Redirection Mitigation

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

AppWorld 2024 Call For Speakers open

Open redirect mitigation

Share Your Expertise at F5 AppWorld 2025! CFP is now open.

CitrixBleed Mitigation CVE-2023-4966

F5 Distributed Cloud L3-L7 DDoS Mitigation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS