External redirects allowed
Frontend Deployment type
- Cloud Foundry Application (cf push)
- Kubernetes, using a helm chart
- Docker, single container deploying all components
- npm run start
- Other (please specify below)
Backend (Jet Stream) Deployment type
- Cloud Foundry Application (cf push)
- Kubernetes, using a helm chart
- Docker, single container deploying all components
- Other (please specify below)
Expected behaviour
Stratos should validate redirects passed as query parameters on login
Actual behaviour
Stratos redirects to any url upon login
Steps to reproduce the behavior
- log in to stratos
- go to https://`your stratos url`/pp/v1/auth/sso_login?state=`some url that is not stratos`
Context
This is a security vulnerability. An attacker could use a specially-crafted URL that looks trusted to a user. When the user clicks on the URL, they could be taken to a nefarious site. This can also make phishing attempts more convincing by using trusted URLs. More details on why this is bad are available from OWASP.
Possible Implementation
I think this is happening here: https://github.com/cloudfoundry-incubator/stratos/blob/v2-master/src/jetstream/auth.go#L196
I think the best implementation here is to have a whitelist of safe redirect hosts, or to not follow redirects from the url at all.
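As an added example (not Stratos's own code), one shape the allow-list check proposed above could take in Go, the language of Jet Stream. The allowed host list and the fallback landing path are constructed placeholders; the point is that the `state` value is validated before it is ever used as a redirect target.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedRedirectHosts is a constructed allow list standing in for the
// "safe redirect hosts" the issue proposes; a real deployment would load it
// from configuration rather than hard-code it.
var allowedRedirectHosts = map[string]bool{
	"stratos.example.com": true,
}

// safeRedirect decides where the login flow may send the browser after SSO.
// Same-origin relative paths are accepted; absolute URLs are accepted only
// over https and only for hosts on the allow list. Anything else returns
// fallback instead of following the caller-controlled value.
func safeRedirect(state, fallback string) string {
	if state == "" {
		return fallback
	}
	u, err := url.Parse(state)
	if err != nil {
		return fallback // control characters and other unparsable input
	}
	// Browsers treat "/\evil.example" like "//evil.example", so reject
	// backslashes anywhere in the path outright.
	if strings.Contains(u.Path, `\`) {
		return fallback
	}
	// No scheme and no host: a local path. It must start with exactly one
	// "/" so that a protocol-relative "//other.host" is not treated as local
	// (url.Parse puts that case into u.Host, which fails this branch anyway).
	if u.Scheme == "" && u.Host == "" {
		if strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//") {
			return u.String()
		}
		return fallback
	}
	// Absolute URL: Hostname() strips userinfo and port, so
	// "https://trusted@evil.example/" is judged by "evil.example".
	if u.Scheme != "https" || !allowedRedirectHosts[strings.ToLower(u.Hostname())] {
		return fallback
	}
	return u.String()
}

func main() {
	for _, s := range []string{"/applications", "//evil.example/", "https://stratos.example.com/apps"} {
		fmt.Printf("%-40q -> %s\n", s, safeRedirect(s, "/"))
	}
}
```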
Issue Analytics
- Created 4 years ago
- Comments: 5 (2 by maintainers)
Hi @bengerman13, thanks for raising this issue. This looks like something we should fix and will have a look in our next sprint (due to start next week).
Works for me! Thanks.