jwood2
Feb 04, 2020Nimbostratus
HTTP -> HTTPS redirect described in K26312346 failed pentest scan
I recently had a pentest performed against a virtual server and the implementation I chose for HTTP to HTTPS redirection failed the audit. I had implemented the HTTP to HTTPS policy described in K26312346. The auditor argues that this implementation does not validate the input and can allow an attacker to perform an invalid redirection to a different site.
Friendly site: www.somesite.com
Malicious site: www.badsite.com

Policy:
    Redirect to location tcl:https://[getfield [HTTP::host] : 1][HTTP::uri] at request time

Request:
    GET .badsite.com HTTP/1.1
    HOST: www.somesite.com

Response:
    HTTP/1.0 302 Found
    Location: https://www.somesite.com.badsite.com
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
How can I create an HTTP to HTTPS policy that is reusable but does better validation of the host and prevents this sort of misdirection attack? Should I move back to iRules, where I can easily do a comparison check against a static variable for the expected hostname?
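One way to do the hostname comparison the question asks about, as an added iRule example that is not part of the original post or of K26312346. It assumes the only legitimate hostnames are the two listed in the switch (edit them for your virtual server) and it also refuses to carry a non-relative request URI such as ".badsite.com" into the Location header:

```tcl
# Added example iRule (not from the original post or K26312346).
# Assumption: the hostnames in the switch below are the only ones this
# virtual server legitimately serves; change them to match your site.
when HTTP_REQUEST {
    # Strip any :port suffix and normalise case before comparing.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set uri [HTTP::uri]

    # Only a relative-form URI ("/path?query") may be appended to the
    # redirect target. A request line like "GET .badsite.com HTTP/1.1"
    # fails this test and is replaced by "/".
    if { ![string match "/*" $uri] } {
        set uri "/"
    }

    switch -- $host {
        "www.somesite.com" -
        "somesite.com" {
            # Host is one we own, so the redirect target is fixed by us,
            # not assembled from untrusted client input.
            HTTP::respond 301 Location "https://${host}${uri}" Connection close
        }
        default {
            # Unknown or empty Host header: never redirect based on it.
            HTTP::respond 400 content "Bad Request" Connection close
        }
    }
}
```

With this rule the request shown above receives "Location: https://www.somesite.com/" instead of a redirect to a host the client chose; the same allowlist can be kept in a data group and checked with class match if several virtual servers need to share it.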