Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

External redirects allowed

See original GitHub issue

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

Stratos should validate redirects passed as query parameters on login

Actual behaviour

Stratos redirects to any url upon login

Steps to reproduce the behavior

  1. log in to stratos
  2. go to https://`your stratos url/pp/v1/auth/sso_login?state=some url that is not stratos`


This is a security vulnerability. An attacker could use a specially-crafted url that looks trusted to a user. When the user clicks on the url, they could be taken to a nefarious site. This can also make phishing attempts more convincing by using trusted urls. More details on why this is bad available from OWASP

Possible Implementation

I think this is happening here:

I think the best implementation here is to have a whitelist of safe redirect hosts, or to not follow redirects from the url at all.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:5 (2 by maintainers)

github_iconTop GitHub Comments

richard-coxcommented, Jul 18, 2019

Hi @bengerman13 , thanks for raising this issue. This looks like something we should fix and will have a look in our next sprint (due to start next week).

mxplusbcommented, Aug 28, 2019

Works for me! Thanks.

Read more comments on GitHub >

github_iconTop Results From Across the Web

External redirected URLs - Sitebulb
External redirected URLs. This means that the URL in question is an external URL that redirects to another external URL.
Read more >
Reason: CORS request external redirect not allowed - HTTP
The CORS request was responded to by the server with an HTTP redirect to a URL on a different origin than the original...
Read more >
Manage Redirects to External URLs - Salesforce Help
Under External Redirections, in the Allow redirections to untrusted external URLs field, specify the desired behavior when a user clicks an untrusted external ......
Read more >
Internal vs External URL redirection - CodeGuage
In external redirection the browser and user all know that one URL was redirected to another. In technical terms, unlike internal redirection, ...
Read more >
External Redirect - OWASP ZAP
' Use an allow list of approved URLs or domains to be used for redirection. Use an intermediate disclaimer page that provides the...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found