Forum Discussion
Open Redirection Mitigation
- May 03, 2024
Hi OM,
If this is the request: "https://website.com/redirect.jsp?url=https://google.com"
Then url is a parameter and https://google.com is a parameter value. In ASM you can control which parameter values are allowed. Issue solved. Sample config:
And the result:
KR
Daniel
Interesting. Did you already test that if it isn't an HTTP redirect but could be an HTML or JavaScript redirect from the payload, ASM doesn't block it?
I'm not sure if a custom ASM signature can be built around this; that might be checked with your account representative from F5. But this can definitely be blocked with a custom iRule to scan the payload and allow only whitelisted redirect URL values.
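The two ideas in this thread (allowlisting the values of the `url` parameter, and checking redirect targets found in the response payload) can be sketched in application code. This is an added example, not part of either post and not F5 ASM or iRule configuration; the host allowlist, the regex patterns and the sample body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the application may redirect to (website.com is from the thread;
# login.website.com is constructed for illustration).
ALLOWED_HOSTS = {"website.com", "login.website.com"}

# Constructed patterns for common client-side redirects (meta refresh, location
# assignment/replace/assign). Regex matching of HTML/JS is approximate, not exhaustive.
PAYLOAD_PATTERNS = [
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I),
    re.compile(r'location(?:\.href\s*=|\s*=|\.(?:replace|assign)\s*\()\s*'
               r'["\']([^"\']+)["\']', re.I),
]

def is_allowed_redirect(value: str) -> bool:
    """True only for a same-site path or an https URL on an allowlisted host."""
    # Whitespace, control characters and backslashes are parsed differently by
    # browsers and servers, so reject them outright instead of normalising.
    if not value or re.search(r"[\x00-\x20\x7f\\]", value):
        return False
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:  # malformed authority, e.g. bad port or IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: a single leading "/" only ("//host" is scheme-relative).
        return value.startswith("/") and not value.startswith("//")
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://website.com@other.host/" points at other.host
    return parts.hostname in ALLOWED_HOSTS

def disallowed_payload_redirects(body: str) -> list[str]:
    """Return client-side redirect targets in a response body that fail the allowlist."""
    targets = [m.group(1) for p in PAYLOAD_PATTERNS for m in p.finditer(body)]
    return [t for t in targets if not is_allowed_redirect(t)]

# Constructed sample response body with one allowed and two disallowed targets.
SAMPLE_BODY = """<html><head>
<meta http-equiv="refresh" content="0; url=https://google.com">
<script>
  if (done) { window.location.href = "https://website.com/home"; }
  else { location.replace('//google.com/x'); }
</script></head></html>"""
```

The validator compares the parsed hostname exactly instead of using a prefix or substring match, which is what keeps look-alike hosts and userinfo tricks out of the allowlist.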