Manual Chapter: Mitigating Open Redirects
Applies To: BIG-IP ASM 16.0.1, 16.0.0, 15.1.0, 15.0.1, 15.0.0
Overview: Mitigating open redirects
Application Security Manager™ (ASM) can protect users from open redirects. An open redirect is a vulnerability where the server tries to redirect the user to a target domain that is not defined in the security policy. This vulnerability is one of the OWASP top ten application security risks. Spammers use open redirects in phishing attacks to get users to visit malicious sites without knowing it. Often, the request includes a parameter that contains a URL, which redirects a user to an external web application without any validation. An example of this vulnerability is a request such as:
https://www.good.com/redirect.php?url=http://www.evil.com
This type of request may result in a response containing a Location header that points to a new target. For example:
HTTP/1.1 200 OK
Location: http://www.evil.com
You can configure redirection protection and the domains where users are permitted to be
redirected on a response header in an existing security policy. By default, redirection
protection is enabled in ASM with a pure wildcard configured as an allowed domain (effectively
providing no enforcement). You can adjust the settings so that the security policy allows
redirect to specific domains, and protects against unvalidated redirects.
This feature does not affect internal redirection, which is always allowed. For example, the following redirect would be allowed even if redirection protection is enabled on the system.
Location: /<anotherpage>/<thisserver>/internal_redirect.php
Task Summary
Mitigating open redirects
You can configure an existing security policy in Application
Security Manager (ASM) to protect users from being redirected by unvalidated
redirects. By enabling redirection protection, you can help prevent users from being
redirected to questionable phishing or malware web sites.
- On the Main tab, click. The Redirection Protection screen opens.
- In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
- Make sure that the Redirection Protection check box is selected.
- In the Allowed Redirection Domains setting, configure the domains where users can be redirected.
- In the Domain Name field, type the name of the domain (in English only, such as yahoo.com), or its IP address. If protection is enabled and no domains are configured, then only relative URIs are allowed (for example, /login.php).
- If you want users to be able to be redirected to sub-domains of the specified domain, select Include Sub-domains. If this check box is selected for f5.com, for example, then redirects to www.f5.com, mail.f5.com, and websupport.f5.com are also allowed. If it is not selected, redirection to sub-domains, such as www.f5.com, is not allowed. You need to add all allowed domains and sub-domains explicitly in that case.
- Click Add. The system adds the domain to the security policy’s list of allowed redirection domains.
You can add up to 100 redirection domains. If you are using the Policy Builder for automatic policy building, you can leave the * wildcard configured to Add All Entities in the policy. When the tightening period is over and the policy is stable, the system will have added the redirection domains occurring within the traffic that it saw (if any), and then the system deletes the wildcard. If not using the Policy Builder, consider removing the * wildcard.
- In the Allowed Redirection Domains setting, select the * wildcard and click the Enforce button to delete it.
- Click Save to save your settings.
If ASM receives a request that attempts to redirect the user to a domain other than one that is listed in the redirection protection, the system issues an Illegal redirection attempt violation, which is an attack type of Open/Unvalidated Redirects. The violation is set to Learn, Alarm, and Block, by default. If the policy is in transparent mode, responses are always forwarded to the client. If the policy is in blocking mode, illegal redirection attempts are blocked.
Adjusting how open redirects are learned
You can adjust the explicit entities learning settings for
redirection domains. Explicit learning settings specify when the system adds, or
suggests you add, redirection domains to the security policy.
- On the Main tab, click. The Learning and Blocking Settings screen opens.
- In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
- In the Policy Building Settings area, expand Redirection Protection.
- For the Learn New Redirection Domains setting, select the option for when to make Learning suggestions (based on real traffic):
  - Never (wildcard only): Specifies that when false positives occur, the system suggests relaxing the settings of the wildcard. The system does not add domains to the list of allowed redirection domains, and does not remove the wildcard (regardless of the Learning Mode).
  - Always: Creates a comprehensive whitelist policy that includes all observed domains in the list of allowed redirection domains. If Learning Mode is set to Automatic, it adds explicit domains to the security policy. When the security policy is stable, the * wildcard is removed. If Learning Mode is set to Manual, the system suggests adding explicit domains. This is the default value.
- If adding redirection domains, adjust the number in Maximum Learned Redirection Domains if necessary.
- Click Save to save your settings.
- To put the security policy changes into effect immediately, click Apply Policy.
The security policy now learns new redirection domains according
to the Redirection Protection settings you specified.
Enforcing redirection domains
After you create a security policy
and traffic is sent to the web application, the system adds domains where users are
redirected. Redirection protection is enabled by default with a pure wildcard. You can
review the redirection domains that are ready to be enforced, and add them to the
security policy if they are valid places users should be going.
- On the Main tab, click. The Enforcement Readiness summary is on the bottom right.
- In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
- To enforce all entities that are ready to be enforced, click Enforce Ready Entities. If you click this button, you are done. Continue only if you want to review learning suggestions for redirection domains.
- In the Enforcement Readiness Summary, check to see if a number appears in the Have Suggestions column next to redirection domains. A number greater than zero indicates that an Illegal Redirection Attempt occurred, and the system made a learning suggestion.
- Click the number in the Have Suggestions column.
- Select the domains to which you want the security policy to allow users to be redirected, and click Accept.
- Click Learning and Blocking Settings, expand Redirection Protection, and check to be sure that the Learn, Alarm, and Block settings for the Illegal Redirection Attempt violation are selected.
The system adds selected redirection domains to the security policy and allows users
to be redirected to them. Attempts at redirection to other domains will be blocked when
the system is in blocking mode.
On the Policy Building Status (Automatic) screen, you can review the status of the
security policy, see the policy elements that were added including the redirection
domains, and view details about them.
Implementation results
When you configure redirection protection, Application Security Manager™
(ASM) protects users from being redirected to a web site that is not listed in the allowed
redirection domains. If the pure wildcard is listed as an allowed domain, ASM™ allows redirection to all domains. If you want to check whether users are redirected
by the application, you can leave the wildcard as an allowed domain and let the system learn the
redirect domains.
For the allowed domains, the system does not enforce protocol differences: HTTPS and HTTP are
treated the same.
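The decision rules this chapter describes (relative URIs always allowed, allowed domains with an optional Include Sub-domains flag, the pure * wildcard permitting every domain, and HTTP/HTTPS treated the same) are modeled below in an added Python example that is not F5's code and does not reproduce ASM internals; the policy entries, the Location values, and the handling of scheme-relative references are constructed assumptions.

```python
"""Model of the allowed-redirection-domain decision described in this
chapter. Added illustration, not F5 code: the policy list and the
Location values below are constructed."""
from urllib.parse import urlsplit

ILLEGAL = "Illegal redirection attempt"   # violation name used by ASM


def redirect_host(location):
    """Host named by a Location header value, or None for a relative URI
    (path-only redirects such as /login.php are always allowed).
    Assumption: a scheme-relative reference (//host/...) is treated as an
    absolute redirect, since it leaves the current origin."""
    loc = location.strip()
    if loc.startswith("//"):
        loc = "http:" + loc
    parts = urlsplit(loc)
    if not parts.scheme and not parts.netloc:
        return None
    # .hostname drops port and userinfo and lowercases; the scheme is
    # ignored on purpose: HTTP and HTTPS are treated the same.
    return parts.hostname or ""


def is_allowed(host, allowed):
    """allowed: list of (domain_or_ip, include_subdomains); '*' is the
    pure wildcard that permits every domain (no enforcement)."""
    host = host.rstrip(".")
    for domain, include_sub in allowed:
        if domain == "*":
            return True
        domain = domain.lower().rstrip(".")
        if host == domain or (include_sub and host.endswith("." + domain)):
            return True
    return False


def check_location(location, allowed):
    """Return (decision, host): decision is 'allowed' or ILLEGAL."""
    host = redirect_host(location)
    if host is None:
        return "allowed", None
    return ("allowed" if is_allowed(host, allowed) else ILLEGAL), host


if __name__ == "__main__":
    # Constructed policy: f5.com with Include Sub-domains, yahoo.com without.
    policy = [("f5.com", True), ("yahoo.com", False), ("203.0.113.10", False)]
    for loc in ("/login.php", "https://mail.f5.com/", "http://www.yahoo.com/",
                "//www.evil.com/", "http://www.evil.com"):
        print(f"Location: {loc:28} -> {check_location(loc, policy)[0]}")
```

With an empty policy list the model reproduces the "protection enabled, no domains configured" case, where only relative URIs pass.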
ASM sets the explicit entities learning for redirection domains in the general policy building
settings. The security policy learns, by default, all domains (Add All Entities) where users are
redirected. If you are using automatic learning, the system adds to the security policy the
redirect domains that match the pure wildcard. When the security policy is stable, the system
removes the wildcard redirect domain from the security policy, and allows users to be redirected
only to the redirect domains that were added to the policy.
If you are building the security policy manually, the system learns and suggests that you add
the redirect domains that it detects. You can determine whether there are redirection domains
with learning suggestions by looking at the Enforcement Readiness Summary. After you add the
legitimate redirect domains to the security policy, you can consider removing the wildcard
redirect domain from the security policy. As a result, the policy on redirects becomes more
strictly enforced.