Q&A: What is an "Illegal Redirection Attempt" WAF Policy violation?

Question

• What does Illegal redirection attempt mean in the Support-ID/s?
• Why do I have to explicitly allow redirections to domains in the WAF policy?
• How can Silverline WAF protect against Open redirect attacks?

Environment

• Silverline WAF
• BIG-IP ASM
• WAF Policy/Policies

Answer

• An attacker can redirect users on web applications to external malicious domains/sub-domains. This can lead to unsuspecting users giving away their personal information.
• To prevent such actions, the WAF policy checks redirections by enforcing the allowed domains/sub-domains that have been defined in the policy and only redirects to these addresses.

What to Do

When you see the "Illegal redirection attempt" violation, review the domains. If you wish to add these domains to the allowed domains:

• For existing WAF Policies:
  • open a ticket with the SOC-- include which domains to allow for redirection, and which WAF Policy/s to add domains to
  • This module usually is reviewed and tuned in Blocking phase 3 (WAF Setup: Blocking Phases)
• For new WAF Policies: submit "safe domains" through WAF Technical Questionnaire (question #15 in version 6 of questionnaire)

Related Content

• https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
• https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/15.html
• WAF Setup: Blocking Phases