
Not validating source of callback


There currently is an exploit that uses the fact that surprisingly many applications are not validating the source of the identity. It’s pretty easy to fake a request to the URL /auth/steam/return in the example you have provided. I’m not claiming this is an issue in passport.js or in the passport-steam package. It has, however, been a problem for multiple sites not implementing it properly, and I know bug bounties have been paid in the range of tens of thousands of dollars.

As a fix I would suggest you at least update the example to contain a way to verify the source of the provided identity. A better way might be preventing fetching the identity from servers other than Steam, since this passport.js strategy is specific to Steam.

I’m not currently using passport.js for anything and am not in any way an expert, so I can’t tell you how to do it. I tested one example I was provided and I was able to “fix” the exploit by checking that identifier in function(identifier, profile, done) { has http://steamcommunity.com or https://steamcommunity.com instead of something else. I don’t know if the identity can be faked or not, but it did at least block the malicious URL I was given as an example. However, as I said, I don’t really know the inner workings of passport.js or OpenID, so I can’t say if this is enough to detect a malicious user.

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 68 (8 by maintainers)

Top GitHub Comments

10 reactions
scholtzm commented, Jun 14, 2016

@mnzt Since the OpenID spec allows this (“supply any OpenID provider”), I don’t think this will be changed in packages such as node-openid.

However, I think the fix has already been suggested - just validate the request itself.

A quick fix for anyone running this package right now would be to set options.passReqToCallback and then just validate op_endpoint, e.g.:

// taken from the example (require lines and comments added so it runs as-is)
var passport = require('passport');
var SteamStrategy = require('passport-steam').Strategy;

passport.use(new SteamStrategy({
    returnURL: 'http://localhost:3000/auth/steam/return',
    realm: 'http://localhost:3000/',
    apiKey: 'key',
    passReqToCallback: true // makes req available in the verify callback below
  },
  function(req, identifier, profile, done) {
    // Reject assertions that were not issued by Steam's OpenID endpoint, and
    // identifiers that are not Steam-issued identity URLs.
    if(req.query['openid.op_endpoint'] !== 'https://steamcommunity.com/openid/login' ||
       !/^http:\/\/steamcommunity\.com\/openid\/id\/\d+$/.test(identifier)) {
      return done(null, false, { message: 'Claimed identity is invalid.' });
    }

    return done(null, profile);
  }
));

This can be done inside passport-steam as well.
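The validation from the comment above, written out as an added example that is not passport-steam code: a function that inspects the OpenID parameters returned to /auth/steam/return and lists why an assertion should be rejected. It generalises the snippet by also accepting https identifiers and by checking openid.mode, claimed_id, identity and return_to; the function and constant names and the sample inputs are assumptions.

```javascript
// Added example, not passport-steam code: defender-side checks of the OpenID
// parameters returned to /auth/steam/return, for the verify callback when
// passReqToCallback is set. Names are assumptions; see the lead-in.
const STEAM_OP_ENDPOINT = 'https://steamcommunity.com/openid/login';
const STEAM_IDENTIFIER = /^https?:\/\/steamcommunity\.com\/openid\/id\/\d+$/;

// Returns [] when the assertion passes every check, otherwise the reasons it
// was rejected (for server-side logging, not for the user-facing message).
function steamAssertionProblems(query, identifier, expectedReturnUrl) {
  const problems = [];
  if (query['openid.mode'] !== 'id_res') {
    problems.push('openid.mode is not id_res');
  }
  // The provider that signed the assertion must be Steam itself; the OpenID
  // spec otherwise lets the client name any provider it likes.
  if (query['openid.op_endpoint'] !== STEAM_OP_ENDPOINT) {
    problems.push('op_endpoint is not the Steam provider');
  }
  // The verified identifier must be a Steam-issued identity URL.
  if (!STEAM_IDENTIFIER.test(identifier)) {
    problems.push('identifier is not a steamcommunity.com identity URL');
  }
  // claimed_id and identity must be the very identifier that was verified.
  if (query['openid.claimed_id'] !== identifier ||
      query['openid.identity'] !== identifier) {
    problems.push('claimed_id/identity do not match the verified identifier');
  }
  // return_to (minus its query string) must be our own callback URL.
  const returnTo = String(query['openid.return_to'] || '').split('?')[0];
  if (returnTo !== expectedReturnUrl) {
    problems.push('return_to does not point at our callback URL');
  }
  return problems;
}

// Constructed sample inputs (not captured Steam traffic).
const RETURN_URL = 'http://localhost:3000/auth/steam/return';
const genuine = {
  'openid.mode': 'id_res',
  'openid.op_endpoint': STEAM_OP_ENDPOINT,
  'openid.claimed_id': 'https://steamcommunity.com/openid/id/12345678901234567',
  'openid.identity': 'https://steamcommunity.com/openid/id/12345678901234567',
  'openid.return_to': RETURN_URL + '?openid.mode=id_res',
};
// Same shape, but the identity was asserted by some other OpenID provider.
const fromOtherProvider = { ...genuine,
  'openid.op_endpoint': 'https://provider.example/openid/login',
  'openid.claimed_id': 'https://provider.example/id/12345678901234567',
  'openid.identity': 'https://provider.example/id/12345678901234567' };
```

Inside the verify callback, a non-empty result maps to done(null, false, ...) exactly as in the snippet above, while the reasons go to the server log.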

1 reaction
welps commented, Jun 25, 2016

Fixed in #41 by @scholtzm

Thanks everyone!

