Forum Discussion

OM's avatar
OM
Icon for Nimbostratus rankNimbostratus
Apr 26, 2024
Solved

Open Redirection Mitigation

hello, ASM has a feature to mitigate the open redirection attacks when the redirect happens at the header level (i.e: with Location in response). When the redirection is within the payload response...
ASM WAF
open redirect
payload
response
security
  • Daniel_Wolf's avatar
    Daniel_Wolf
    May 03, 2024

    Hi OM

     

    if this it the request: "https://website.com/redirect.jsp?url=https://google.com"
    Then url is a parameter and https://google.com is a parameter value. In ASM you can control which parameter values are allowed. Issue solved.

    Sample config:

    And the result:

     

    KR
    Daniel

     

OM's avatar
OM
Icon for Nimbostratus rankNimbostratus
May 03, 2024

yes, the response is within the body... see below

the request was something like : https://website.com/redirect.jsp?url=https://google.com

I know that I can use iRules, but I was looking for something built-in in asm.

 

any other hint ?

thanks.

 

<html>
    <script type="text/javascript">

        if(window.opener)
        {
            window.opener.top.location = 'https://google.com';
            window.close();
        }
        else
        {
            window.top.location = 'https://google.com';
        }
    </script>
</html>  

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    May 03, 2024

    Hi OM

     

    if this it the request: "https://website.com/redirect.jsp?url=https://google.com"
    Then url is a parameter and https://google.com is a parameter value. In ASM you can control which parameter values are allowed. Issue solved.

    Sample config:

    And the result:

     

    KR
    Daniel

     

    • OM's avatar
      OM
      Icon for Nimbostratus rankNimbostratus
      May 03, 2024

      Thanks Daniel, that's what I did as a workaround.

      The problem with that approach is, we don't have the full picture of what the website has as redirects and I try hard to avoid false positives....

      I was hoping to have a built-in feature similar to open redirect in Location Header.

      Anyways, I will keep an eye on the other redirects and eventualy refresh the list of parameters if another false positive pops up.

       

      thanks.