HTTP Host Header Injection found at PORT : 80 vulnerability

lorenze

Hello Everyone, 


We are running some security scans against our production environment, and one thing that came back is the result flagging HTTP Host Header Injection found at PORT : 80.

HTTP/1.0 302 Found
Location: https://********.com
Server: BigIP
Connection: close
Content-Length: 0

Has anyone tried dealing with this vulnerability? Or is there any available resource I can go through to implement a fix at the F5 level?



Thanks,



Hi @lorenze , 

It's clear that you did your vulnerability scan through BIG-IP.

It seems to be a backend server issue or misconfiguration.

I see this as a mixed content issue, which means >> some web developers add mixed URLs returned from servers to the client for redirections.
I want to say that the backend server itself may return ( http://host.com/path1/path2 ) although you as a client expect (https) communication, so this is a misconfig from the server side.

F5 BIG-IP overcomes this mixed content issue by using ( a redirection iRule to redirect from http to https ) or using a Stream profile >> but this is not our topic here.

> Try to do this scan test directly against the backend servers, not through BIG-IP, and I think you will observe the same thing.

> So you should solve it on the backend server itself.

> If you need to overcome this with BIG-IP, follow this article: https://my.f5.com/manage/s/article/K31100432
But you will still be vulnerable, so solve it in the backend server code with the aid of ( the server developer or vendor ).

I hope you find my comment insightful,

_______________________
Regards
Mohamed Kansoh

lorenze

Thanks for the response @Mohamed_Ahmed_Kansoh. Just for additional insight, as far as I understand the vulnerability (I could be wrong):

The original http URL (e.g. http://example.com) can be changed into an arbitrary URL (e.g. https://asdfad.com). I was just wondering if there is an easy way to prevent this at the F5 level, since the servers are load balanced.

We have an iRule that redirects http traffic to https, but this is still being flagged as vulnerable.

Thanks, 



Hi @lorenze , 

Yes, it will still be vulnerable as I said; you can solve it in the server-side code.

Or try to use a Stream profile as another workaround, and this should mark you as vulnerable in the vulnerability scanner.

Use the iRule and Stream profile features in the following article:

https://my.f5.com/manage/s/article/K31100432

_______________________
Regards
Mohamed Kansoh

answ161

Based on "Server: BigIP" of the response header, it appears that your F5 is responding with this 302 redirect.  Do you have some type of HTTP to HTTPS redirect (iRule or Policy) configured on your port 80 VIP?

If so, you could explore something like this iRule: https://community.f5.com/t5/technical-forum/host-header-injection-irule/td-p/295090.  The same can also be done with a policy.
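Added example, not code from the thread or from F5: the redirect iRule most people put on a port 80 virtual server is `HTTP::redirect "https://[HTTP::host][HTTP::uri]"`, which copies whatever the client sent in the Host header straight into the Location header. That is exactly what the scanner sees as Host header injection, because the BIG-IP, not the backend, is answering with the 302. The iRule below keeps the redirect but only echoes a Host that is on an explicit allow-list; the hostnames `www.example.com` and `example.com` are placeholders for the OP's redacted domain, and the iRule the OP actually has in place is not shown in the thread, so the "common form" above is an assumption.

```tcl
# Added example (not from the thread). HTTP-to-HTTPS redirect for a port 80 VS
# that refuses to build a Location from a Host it does not serve.
# Placeholder hostnames: replace with the names this VS is actually meant to answer for.
when HTTP_REQUEST {
    # Normalise the client-supplied Host: lower-case and drop any ":port" suffix.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -glob -- $host {
        "www.example.com" -
        "example.com" {
            # Host is on the allow-list, so it is safe to reuse it in Location.
            HTTP::redirect "https://${host}[HTTP::uri]"
        }
        default {
            # Missing or unexpected Host (e.g. an attacker's domain): do not
            # redirect anywhere the client chose; fail closed instead.
            HTTP::respond 400 content "Bad Request" Connection close
            return
        }
    }
}
```

To check it, send a request to the port 80 VIP with a bogus Host, for example `curl -sI -H "Host: attacker.example" http://<vip-address>/`: the old iRule returns `302` with `Location: https://attacker.example/`, the allow-listed one returns `400` with no Location at all, while `-H "Host: www.example.com"` still gets the expected `302` to `https://www.example.com/`. The same allow-list can be expressed as a Local Traffic Policy rule (match on Host, action redirect) if you prefer policies to iRules, as @answ161 notes.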

Hi @answ161 ,

Thanks for the response, and to answer that: yes, we do have an http to https redirect iRule on this particular VS. Let me give this a try and I will provide an update once I get it tested. Thanks!