Forum Discussion

OM's avatar
OM
Icon for Nimbostratus rankNimbostratus
Apr 26, 2024

Open Redirection Mitigation

hello,

ASM has a feature to mitigate the open redirection attacks when the redirect happens at the header level (i.e: with Location in response).

When the redirection is within the payload response, the ASM does not block it.

 

do you guys know about any ASM configuration that may address this issue and mitigate this kind of attack ?

 

thanks.

 

o.

  • Hi OM

     

    if this it the request: "https://website.com/redirect.jsp?url=https://google.com"
    Then url is a parameter and https://google.com is a parameter value. In ASM you can control which parameter values are allowed. Issue solved.

    Sample config:

    And the result:

     

    KR
    Daniel

     

  • OM's avatar
    OM
    Icon for Nimbostratus rankNimbostratus

    yes, the response is within the body... see below

    the request was something like : https://website.com/redirect.jsp?url=https://google.com

    I know that I can use iRules, but I was looking for something built-in in asm.

     

    any other hint ?

    thanks.

     

    <html>
        <script type="text/javascript">

            if(window.opener)
            {
                window.opener.top.location = 'https://google.com';
                window.close();
            }
            else
            {
                window.top.location = 'https://google.com';
            }
        </script>
    </html>  

    • Hi OM

       

      if this it the request: "https://website.com/redirect.jsp?url=https://google.com"
      Then url is a parameter and https://google.com is a parameter value. In ASM you can control which parameter values are allowed. Issue solved.

      Sample config:

      And the result:

       

      KR
      Daniel

       

      • OM's avatar
        OM
        Icon for Nimbostratus rankNimbostratus

        Thanks Daniel, that's what I did as a workaround.

        The problem with that approach is, we don't have the full picture of what the website has as redirects and I try hard to avoid false positives....

        I was hoping to have a built-in feature similar to open redirect in Location Header.

        Anyways, I will keep an eye on the other redirects and eventualy refresh the list of parameters if another false positive pops up.

         

        thanks.

  • There are so many ways to do this, I'm not sure it's feasible but you could try. This is a good question for LLM, it came up with this simple stuff about "non-header" ways a web developer might get a browser to "go somewhere else", which is sorta like a redirect.

     

    JS redirection:

    • window.location.href: This method sets the URL of the current page. When you use this method, the browser will load the new page immediately.
    • window.location.assign(): This method is similar to window.location.href, but it does not load the new page immediately. Instead, it adds the new page to the browser's history.
    • window.location.replace(): This method replaces the current page with the new page. This means that the user will not be able to go back to the previous page.

    Form action:

    • To use the form action method, you need to set the action attribute of the form to the URL of the new page. When the form is submitted, the browser will be redirected to the new page.

    Anchor tag:

    • To use the anchor tag method, you need to set the href attribute of the anchor tag to the URL of the new page. When the anchor tag is clicked, the browser will be redirected to the new page.

    Meta tags:

    • HTML meta refresh: To use the HTML meta refresh method, you need to add a meta tag to the head section of your HTML document. The meta tag should have the following attributes:
      • name: refresh
      • content: "seconds;url=new_page_url"

     

  • you can create rules to block "window.open(....)" in http response.

    make sure it is not intended functionality created by the developer.

  • Interesting. Did you already test this that if it isn't a HTTP redirect but could be HTML or javascript redirect from the payload, ASM doesn't block it?

    I'm not sure if custom ASM signature can be built around this that might be checked with your account representative from F5. But this can be definitely blocked with custom iRule to scan the payload and allow only whitelisted redirect URL values.