The application is vulnerable to an open redirect via the login form, i.e. in the request that initiates the Azure authentication flow. Open redirect vulnerabilities can be exploited to lure or force the target user away from the legitimate application domain to a domain under the attacker's control.
As with phishing attacks, once redirected to a malicious domain (which may or may not masquerade as the legitimate one), the unsuspecting user may be subjected to credential harvesting, malware delivery or similar attacks. Because the user started on the legitimate application and has just authenticated, they are more likely to trust the destination and more open to manipulation.
For this attack to succeed, the target user would need to follow a malicious link and then log in to the Data Catalogue application. Since an element of social engineering is required, the issue is rated as medium risk.
In the example below, the 'next' parameter of the login page was found to be vulnerable to URL redirection. If a user follows a malicious link such as the one shown, and then authenticates with valid credentials, they are redirected to a separate domain without their knowledge, which could allow their credentials to be phished.
https://dev.find-moj-data.service.justice.gov.uk/azure_auth/login?next=https://www.exploit-db.com
The captured response (below) is an HTTP 302 redirect; the attacker-supplied destination is carried in the Location header, inside the 'state' parameter of the authentication request sent to Microsoft Entra ID, so it survives the round trip to the identity provider.
Once the user authenticates to Microsoft Entra ID, they are redirected to the attacker-chosen site (https://www.exploit-db.com in this example).
Remediation
Do not allow the application to redirect to external, untrusted hosts. Treat the 'next' value as a path relative to the application (rejecting absolute URLs, scheme-relative values such as //host, and backslash variants such as /\host, which browsers treat as an authority), or validate its host against an allowlist of permitted domains. Apply the same validation when the value is read back out of the 'state' parameter after authentication, since that is the point at which the redirect is actually issued, and fall back to a fixed landing page whenever validation fails.
OWASP: Unvalidated Redirects and Forwards
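The following is an added example of such a check, written here in Python; it is not code from the report or from the Data Catalogue application, and the function names, the fallback path and the allowlisted host are illustrative assumptions. It places the pattern that produces the finding (unsafe_next, which trusts the parameter verbatim) beside a hardened safe_next that accepts only application-relative paths or absolute http(s) URLs whose host is on an allowlist, and rejects the scheme-relative, backslash and scheme-without-authority variants that a browser would resolve to a foreign host.

```python
from urllib.parse import urlsplit

DEFAULT_LANDING = "/"  # assumed fixed fallback when the requested target is rejected


def unsafe_next(value, default=DEFAULT_LANDING):
    """The vulnerable pattern: whatever arrived in ?next= is used as the redirect target."""
    return value or default


def safe_next(value, allowed_hosts=frozenset(), default=DEFAULT_LANDING):
    """Return a redirect target that stays on this application or on an allowed host.

    Accepts:
      - an application-relative path such as "/dashboard?tab=1"
      - an absolute http(s) URL whose hostname is in allowed_hosts (lower-case)
    Everything else (foreign hosts, "//host", "/\\host", "https:host",
    non-http schemes, control characters, unparsable input) falls back to default.
    """
    if not value:
        return default
    # Browsers strip ASCII control characters before parsing; reject outright
    # rather than guess how a client would interpret them.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default
    value = value.strip()
    # In the authority position browsers treat "\" like "/", so "/\evil.com"
    # is really "//evil.com". Normalise before parsing.
    normalised = value.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal
        return default

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default  # javascript:, data:, etc.

    if parts.netloc:
        # Absolute or scheme-relative URL: only explicitly allowed hosts.
        # .hostname drops userinfo and port (and lower-cases), so
        # "https://allowed@evil.com" is judged on "evil.com".
        host = parts.hostname or ""
        if host not in allowed_hosts:
            return default
        return normalised

    # No authority: must be a plain path. A scheme with no authority
    # ("https:evil.com") or a path beginning "//" ("///evil.com") would still
    # be resolved by a browser as a host, so reject both.
    if parts.scheme or not normalised.startswith("/") or normalised.startswith("//"):
        return default
    return normalised


if __name__ == "__main__":
    # Illustrative allowlist; constructed inputs modelled on the finding's example URL.
    allowed = frozenset({"dev.find-moj-data.service.justice.gov.uk"})
    for candidate in [
        "https://www.exploit-db.com",
        "//www.exploit-db.com",
        "/\\www.exploit-db.com",
        "https:www.exploit-db.com",
        "/dashboard?tab=1",
    ]:
        print(f"{candidate!r:30} unsafe={unsafe_next(candidate)!r:30} "
              f"safe={safe_next(candidate, allowed)!r}")
```

The same function should be applied both when the login request is built and when the value is recovered from 'state' after Entra ID returns, since an attacker can craft the callback as easily as the initial link. If the application is built on Django (the report does not say), django.utils.http.url_has_allowed_host_and_scheme performs an equivalent check and should be preferred over a hand-rolled one.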