I need to secure one thing and I don't know how to do it correctly and properly.
We have this link on the website for the application: https://www.somewebsite.com/test/UI/Login?realm=external&goto=https://www.somewebsite.com/applicatio...
After user authentication they are redirected to the website in the link: https://www.somewebsite.com/application/security_check&locale=en&service=client
All works as it should... but there is one small security issue: when people in our organization get a phishing email asking them to change something in their account, with a different link in goto, something like this, and after login there is something to fill in a credit card number, it is a problem...
How to prevent this on F5 to secure goto? Via some iRule and explicit links, or just block @ in the link?
@locki I believe what you are looking for is dealing with URI::query, which you can read up on more at the following link.
In addition, I believe someone did something similar in the following link.
Is the F5 working as your perimeter device, and does it have WAF enabled on it? I think this situation might be better dealt with by using the WAF rather than relying on a manually created and updated iRule to protect the entirety of your user base.
It seems your app is vulnerable to open redirects. Take a look at the following links to learn more:
It can be fixed with ASM (BIG-IP v16.1): MyF5 > BIG-IP Application Security Manager: Implementations > Mitigating Open Redirects
IMHO it should be fixed in the app code by your developers.
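The application-side fix the last reply recommends, written out as an added example in Python (this is not code from the thread, from F5, or from the questioner's application, and the same allowlist logic could be expressed in an iRule via URI::query). It shows why the "just block @" idea from the question is not enough, since a redirect to a foreign host needs no `@` at all, and it replaces a rejected `goto` with a fixed default instead of trying to clean it. `ALLOWED_HOSTS`, `DEFAULT_GOTO`, the `evil.example` host and the sample URLs are assumptions constructed for the example.

```python
"""Validate the 'goto' (post-login redirect) parameter against an allowlist.

Added example; ALLOWED_HOSTS, DEFAULT_GOTO and the sample URLs are
assumptions, not values taken from the original thread.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumption: only the application's own host may be a redirect target.
ALLOWED_HOSTS = {"www.somewebsite.com"}
ALLOWED_SCHEMES = {"https"}
# Assumption: where to send the user when goto is missing or rejected.
DEFAULT_GOTO = "https://www.somewebsite.com/application/"


def naive_block_at(goto: str) -> bool:
    """The 'just block @' idea from the question: True if goto would be accepted."""
    return "@" not in goto


def is_safe_goto(goto: str) -> bool:
    """Return True only if goto is an absolute https URL on an allowed host."""
    if not goto:
        return False
    # Browsers turn backslashes into slashes and tolerate embedded whitespace;
    # reject such values outright rather than trying to normalise them.
    if any(ch in goto for ch in " \t\r\n\\"):
        return False
    try:
        parts = urlsplit(goto)          # raises ValueError on e.g. 'https://[evil'
        host = (parts.hostname or "").lower()
        port = parts.port               # raises ValueError on a non-numeric port
    except ValueError:
        return False
    # Scheme-relative ('//evil.example') and javascript:/data: URLs fail here.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # 'https://www.somewebsite.com@evil.example/' carries userinfo; the real
    # host is evil.example, so any userinfo is rejected.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Exact host match: 'www.somewebsite.com.evil.example' must not pass.
    return host in ALLOWED_HOSTS


def sanitize_login_url(login_url: str) -> str:
    """Rewrite the login URL so an unsafe goto is replaced by DEFAULT_GOTO.

    Other query parameters (realm, locale, ...) are preserved. The goto value
    is expected to be URL-encoded as a single parameter value.
    """
    parts = urlsplit(login_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    goto = query.get("goto", [""])[0]
    if not is_safe_goto(goto):
        query["goto"] = [DEFAULT_GOTO]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def goto_of(url: str) -> str:
    """Inspection helper: the decoded goto value of a login URL ('' if absent)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("goto", [""])[0]


if __name__ == "__main__":
    # Constructed sample goto values, not taken from the original thread.
    samples = [
        "https://www.somewebsite.com/application/security_check?locale=en&service=client",
        "https://www.somewebsite.com@evil.example/reset",     # userinfo trick
        "https://evil.example/reset",                         # no '@' at all
        "//evil.example/reset",                               # scheme-relative
        "https:/\\evil.example/reset",                        # backslash
        "https://www.somewebsite.com.evil.example/reset",     # suffix lookalike
        "https://www.somewebsite.com:8443/reset",             # unexpected port
    ]
    for s in samples:
        verdict = "allow" if is_safe_goto(s) else "deny "
        print(f"{verdict}  naive@={str(naive_block_at(s)):5}  {s}")
    phish = ("https://www.somewebsite.com/test/UI/Login?realm=external"
             "&goto=https%3A%2F%2Fevil.example%2Freset")
    print(sanitize_login_url(phish))
```

Note that `goto` in the question's own URL is not URL-encoded, so a parser that splits on `&` would only see the part before `&locale=en`; encoding the whole target as one parameter value avoids that ambiguity. Rejecting and substituting a default, rather than trying to repair a bad value, keeps the check simple to reason about and to reproduce in an iRule or WAF policy.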