
HTTP -> HTTPS redirect described in K26312346 failed pentest scan

jwood2
Nimbostratus

I recently had a pentest performed against a virtual server and the implementation I chose for HTTP to HTTPS redirection failed the audit. I had implemented the HTTP to HTTPS policy described in K26312346. The auditor argues that this implementation does not validate the input and can allow an attacker to perform an invalid redirection to a different site.


Friendly site:

www.somesite.com


Malicious site:

www.badsite.com


Policy:

Redirect to location tcl:https://[getfield [HTTP::host] : 1][HTTP::uri] at request time


Request:

GET .badsite.com HTTP/1.1
HOST: www.somesite.com


Response:

HTTP/1.0 302 Found
Location: https://www.somesite.com.badsite.com
Server: BigIP
Connection: Keep-Alive
Content-Length 0


How can I create an HTTP to HTTPS policy that is reusable but does better validation of the host and prevents this sort of misdirection attack? Should I move back to iRules, where I can easily do a comparison check against a static variable for the expected hostname?


Dmitry
Altocumulus
The auditor argues that this implementation does not validate the input and can allow an attacker to perform an invalid redirection to a different site

It's so weird. So the security guy said: if I write the wrong URL, I will go to the wrong site? Seriously?

Ask him: who does this affect? Simple question. It doesn't affect your site or your valid client. So it's not a problem.

If this is something like an official attestation and you have no choice, you can try something like this:

when HTTP_REQUEST {
    # Only build the redirect from the URI directly when it is in origin-form (starts with "/");
    # otherwise insert the "/" ourselves so the Host cannot be extended by the request-target.
    if { [HTTP::uri] starts_with "/" } {
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    } else {
        HTTP::redirect https://[getfield [HTTP::host] ":" 1]/[HTTP::uri]
    }
}

But if I were you, I would say: you're wrong, go away 😁

jwood2
Nimbostratus

I agree that the finding is a bit weak, but I'm still obligated to address it. That being said, I agree with you that the easiest way to fix this is probably with an iRule, but I was wondering specifically how I could implement this sanity check for '[HTTP::uri] starts_with "/"' in a policy. I think I found my answer; within the policy I have configured:


Match all the following conditions:

HTTP URI path begins with any of / at request time

Do the following when traffic is matched:

Redirect to location tcl:https://[getfield [HTTP::host] : 1][HTTP::uri] at request time
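To make the two checks discussed in this thread concrete (Dmitry's "URI starts with /" condition, and the original poster's idea of comparing the Host against a static expected hostname), here is an added Python model of the redirect-building logic. It is example code, not F5 code and not the policy engine; the `ALLOWED_HOSTS` set and the function names are assumptions, and the sample request is the one from the original post, constructed inline.

```python
from urllib.parse import urlsplit

# Constructed sample: the request from the original post, as the proxy sees it.
SAMPLE_HOST = "www.somesite.com"
SAMPLE_URI = ".badsite.com"          # request-target that is not in origin-form (no leading "/")

# Hypothetical allowlist standing in for the "static variable for the expected
# hostname" mentioned in the question.
ALLOWED_HOSTS = {"www.somesite.com", "somesite.com"}


def unsafe_redirect(host: str, uri: str) -> str:
    """Models the K26312346 policy: https:// + Host (port stripped) + URI, unvalidated."""
    return f"https://{host.split(':', 1)[0]}{uri}"


def safe_redirect(host: str, uri: str, allowed_hosts=ALLOWED_HOSTS):
    """Return a redirect Location, or None when the request should not be redirected.

    Check 1: Host (port stripped, lower-cased) must be one we actually serve.
    Check 2: URI must be origin-form, i.e. start with "/", which is the policy
             condition from this thread; anything else cannot be appended safely.
    Check 3: the assembled URL must still parse back to the expected host, and the
             URI must carry no CR/LF that could split the Location header.
    """
    hostname = host.split(":", 1)[0].strip().lower()
    if hostname not in allowed_hosts:
        return None
    if not uri.startswith("/") or "\r" in uri or "\n" in uri:
        return None
    location = f"https://{hostname}{uri}"
    parsed = urlsplit(location)
    if parsed.scheme != "https" or parsed.hostname != hostname:
        return None
    return location


if __name__ == "__main__":
    print("unvalidated:", unsafe_redirect(SAMPLE_HOST, SAMPLE_URI))
    print("validated:  ", safe_redirect(SAMPLE_HOST, SAMPLE_URI))
```

Run stand-alone, the first line reproduces the `https://www.somesite.com.badsite.com` Location from the question and the second prints `None`, i.e. the hardened version refuses to build a redirect from that request rather than guessing at what was meant.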




nathe
Cirrocumulus

I think I'm with the pentester on this and this is susceptible to MITM.

I would mitigate this by using HTTPS Strict Transport Security. See HSTS.

Hope this helps,

N
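To show why HSTS addresses the plain-HTTP hop that the redirect relies on, here is an added Python model of how a client handles the `Strict-Transport-Security` header: it parses the header as RFC 6797 describes and keeps a small cache so that later `http://` requests to a known host are upgraded before they leave the browser, so the HTTP virtual server's redirect is never consulted. This is example code written for this thread, not F5 code and not a real browser's implementation; the sample header value is constructed, and the class and function names are assumptions.

```python
import re
import time

# Constructed sample header value, of the kind an HTTPS response from the
# friendly site would carry once HSTS is enabled (one year, subdomains included).
SAMPLE_HSTS_HEADER = "max-age=31536000; includeSubDomains"


def parse_hsts(header_value: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for values a client must ignore: no max-age, or a non-numeric one.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not match:
                return None
            max_age = int(match.group(1))
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry time, include_subdomains)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._hosts = {}

    def observe(self, host: str, header_value: str) -> None:
        """Record a policy seen on an HTTPS response (max-age=0 clears it)."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._now() + max_age, include_subdomains)

    def should_upgrade(self, host: str) -> bool:
        """True if a plain http:// request to host is rewritten to https:// before being sent."""
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        # Walk from the exact host up through its parents; a parent entry only
        # counts when it was recorded with includeSubDomains.
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("www.somesite.com", SAMPLE_HSTS_HEADER)
    print("upgrade www.somesite.com:", cache.should_upgrade("www.somesite.com"))
    print("upgrade www.badsite.com: ", cache.should_upgrade("www.badsite.com"))
```

Two properties of the protocol are visible in the model: the header only helps once the client has already completed one HTTPS visit (the very first plain-HTTP request still reaches the redirect), and a policy on `www.somesite.com` says nothing about `somesite.com` itself, so the header should be sent from every hostname that is meant to be protected.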