ministryofjustice / find-moj-data

Find MOJ data service • This repository is defined and managed in Terraform
MIT License

Appsec action 6.1: open redirect (medium) #742

Open jemnery opened 2 weeks ago

jemnery commented 2 weeks ago

The application is vulnerable to an open redirect via the login form i.e. when the azure auth call is made. Open redirect vulnerabilities can be exploited to lure or force the target user away from the legitimate application domain to a domain under the attackers' control.

Like phishing attacks, once redirected to a malicious domain (which may or may not be masquerading as the legitimate domain), various attacks such as credential harvesting or malware exploits may be attempted on the unsuspecting user. By redirecting a user from the legitimate application, they may be more vulnerable to manipulation.

For this attack to succeed, the target user would need to follow a malicious link and then log in to the Data Catalogue application. Since there is an element of social engineering required, the issue is rated as a medium risk. In the below example:

The 'next' parameter was found to be vulnerable to URL redirection on the login page of the target application. If a user follows a malicious link such as the one shown below, and then authenticates with valid credentials, they will be redirected to a separate domain without their knowledge, which could allow for phishing attacks on their credentials.

https://dev.find-moj-data.service.justice.gov.uk/azure_auth/login?next=https://www.exploit-db.com

The response below shows an HTTP 302 redirect with the redirect domain embedded in the Location header, within the 'state' parameter of the SAML request.

HTTP/1.1 302 Found
Date: Mon, 02 Sep 2024 13:41:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Location: https://login.microsoftonline.com/c6874728-71e6-41fe-a9e1-2e8c36776ad8/oauth2/v2.0/authorize?client_id=2807d01c-cadd-4eb2-983d-f787842f16de&response_type=code&redirect_uri=https://dev.find-moj-data.service.justice.gov.uk/azure_auth/callback&scope=User.Read offline_access openid profile&state={"next": "https://www.exploit-db.com"}&code_challenge=xksHXF1ndLNfCvTBxPwjRgjTfUPCj4Nl5p_j9yuf4qg&code_challenge_method=S256&nonce=0315b95b2c83827726b8bdfd25b649116a8c6adbfb6402cca57118c7b8b5f6df&client_info=1
X-Frame-Options: DENY
Vary: Cookie
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Set-Cookie: sessionid=2kc9v2vvn4cvd4nw2srefpyfbp9qlp25; expires=Mon, 16 Sep 2024 13:41:00 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
Strict-Transport-Security: max-age=15724800; includeSubDomains

Once the user authenticates to Microsoft Entra ID, they are redirected to the website (https://www.exploit-db.com).


Remediation

Do not allow the application to redirect to external untrusted hosts. Only redirect to domains that are validated against a whitelist of allowed domains.

OWASP: Unvalidated Redirects and Forwards
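As an added illustration of the remediation above (this is example code written for this page, not the project's own fix), the block below validates a `next` value against an allowlist of hosts before it is used either for the redirect or for the `state` value that round-trips through the identity provider. The allowlisted hostname is taken from the URL in the issue and is an assumption, as are all function names; for a Django application, `django.utils.http.url_has_allowed_host_and_scheme` performs an equivalent check. It also covers the bypass shapes a validator is expected to handle (protocol-relative `//host`, backslash variants, `user@host` authority tricks, non-HTTP schemes and CR/LF in the value), which go beyond the single case shown in the issue.

```python
import json
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts a post-login redirect may point at.
# Constructed for this example from the hostname in the issue; not the project's setting.
ALLOWED_REDIRECT_HOSTS = frozenset({"dev.find-moj-data.service.justice.gov.uk"})

SAFE_SCHEMES = ("http", "https")


def is_safe_redirect(url, allowed_hosts=ALLOWED_REDIRECT_HOSTS, require_https=True):
    """Return True only if `url` is a site-relative path or targets an allowlisted host."""
    if not isinstance(url, str) or not url:
        return False
    # The value ends up in a Location header, so CR/LF is rejected outright.
    if "\r" in url or "\n" in url:
        return False
    url = url.strip()
    if not url:
        return False
    # Browsers treat backslashes like forward slashes ("/\evil" == "//evil"),
    # so normalise before parsing rather than after.
    url = url.replace("\\", "/")
    parsed = urlparse(url)

    scheme = parsed.scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return False  # javascript:, data:, etc.
    if require_https and scheme == "http":
        return False

    if not parsed.netloc:
        # No authority component: accept only a plain site-relative path.
        # "//host/..." is protocol-relative and would leave the site, so reject it.
        return url.startswith("/") and not url.startswith("//")

    # Compare the parsed hostname, not the raw netloc: netloc may carry "user@"
    # or ":port", and "allowed.host@evil.example" would otherwise look allowlisted.
    host = (parsed.hostname or "").lower()
    return host in allowed_hosts


def resolve_post_login_redirect(next_value, default="/", **kwargs):
    """Choose where to send the user after login: `next` if safe, else `default`."""
    return next_value if is_safe_redirect(next_value, **kwargs) else default


def build_oauth_state(next_value, **kwargs):
    """Build the JSON `state` value sent to the identity provider.

    `next` is validated before it leaves the application, but the callback must
    validate it again (see parse_oauth_state) because `state` comes back via the
    user's browser and cannot be trusted on return.
    """
    return json.dumps({"next": resolve_post_login_redirect(next_value, **kwargs)})


def parse_oauth_state(state, **kwargs):
    """Read `state` back at the callback and return a validated redirect target."""
    try:
        data = json.loads(state)
    except (TypeError, ValueError):
        return "/"
    if not isinstance(data, dict):
        return "/"
    return resolve_post_login_redirect(data.get("next"), **kwargs)


if __name__ == "__main__":
    # The `next` value from the issue, plus constructed variants a validator must catch.
    samples = [
        "https://www.exploit-db.com",
        "//www.exploit-db.com",
        "/\\www.exploit-db.com",
        "https://dev.find-moj-data.service.justice.gov.uk@www.exploit-db.com/",
        "javascript:alert(1)",
        "/datasets/123",
        "https://dev.find-moj-data.service.justice.gov.uk/search?q=x",
    ]
    for sample in samples:
        print(f"{sample!r:75} -> {resolve_post_login_redirect(sample)!r}")
    # Constructed state value in the same shape as the Location header in the issue.
    print(parse_oauth_state('{"next": "https://www.exploit-db.com"}'))
```

The callback-side check matters as much as the login-side one: the `state` value in the issue's Location header is attacker-influenced input when it arrives back at `/azure_auth/callback`, so validating only when the login link is first built would leave a tampered `state` unchecked.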

mitchdawson1982 commented 1 week ago

Updated library version has been deployed.