You are here
Authentication services providing open redirect services
Last update on 9. January 2014 - 14:38.
Many authentication services like the one provided by Airlock redirect the client after successful authentication to the page the user initially requested. To do this Airlock stores the initially requested URI in an URL parameter with the name Location. To prevent phishing attacks, this parameter should be validated by the WAF or authentication service before it is used to create an HTTP redirect for the client.
Compass Security AG published a security advisory about this kind of vulnerability in authentication services [1]. The advisory further points out that it is not enough to check whether the parameter value starts with a slash to guarantee that the redirect does not point to a resource on a foreign domain. The reason for this is because according RFC 1808 (section 2.4.3) absolute URLs can be defined in the format //<domain>/path which is therefore similar to the URL http(s)://<domain>/path.
Any URL parameter based redirect service provided by a back-end can be restricted with Airlock by defining an allow rule for the affected parameter. By using the Airlock Authentication Service the Location parameter can further be restricted with the following global configuration setting (see section 4 Configuration in the Authentication Service manual [2]). The pattern example can be used to restrict the domain names the authentication service is allowed to generate redirects for.
#===============================
# redirect url pattern
#-------------------------------
global.allowedRedirectURLPattern=^https\:\/\/(.+\.)<your domain>($|\/.*)