Host header vulnerability

that is how HTTP works, if you look at an HTTP request (with F12 in most browsers) you will see it sends an URI to an IP (which it resolved from the hostname) and a Host header. some other headers also, but those don't matter here.

so the only way* the device you send such a request to knows for which host it is is the Host header. and if you use that value for something it might turn out weird.

there is little you can do except if you know which hosts are used on your virtual server only allow those and drop all requests with different Host headers.

*) yes there is SNI, but that only works for HTTPS.

when you enter in the address bar the following URL :

https://foobar.com/mypath.php

the HTTP request is:

GET /mypath.php HTTP/1.1
Host: foobar.com
User-Agent: Mozilla .....
...

this is how HTTP works.

you can filter allowed host header values with this code:

when RULE_INIT {
    set static::allowed_hosts [list foobar.com www.foobar.com www.company.com]
}

when HTTP_REQUEST {
    if {[lsearch [string tolower [HTTP::host]] $static::allowed_hosts] != -1}
    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}

Yup, as noted, this is not a vulnerability. I understand auditors must at all times provide as many vulnerability findings to justify their job but I've not yet met anyone provide me crap that does not relate to security at all. If one of your clients is a victim of a MITM attack, he is susceptible to worse things than HTTP Host rewrites. If there's a takeaway, consider another security audit firm, or ask for someone who knows his stuff a bit better.

The only vulnerability I see here is that "BigIP" is exposed as value of Server header. This qualifies as "low risk" security issue because attacker can use this information to look for existing exploits against BigIP software, or use the knowledge to his advantage in any other way.

Yup, as noted, this is not a vulnerability. I understand auditors must at all times provide as many vulnerability findings to justify their job but I've not yet met anyone provide me crap that does not relate to security at all. If one of your clients is a victim of a MITM attack, he is susceptible to worse things than HTTP Host rewrites. If there's a takeaway, consider another security audit firm, or ask for someone who knows his stuff a bit better.

The only vulnerability I see here is that "BigIP" is exposed as value of Server header. This qualifies as "low risk" security issue because attacker can use this information to look for existing exploits against BigIP software, or use the knowledge to his advantage in any other way.