TARGET URL parameter associated with samlValidate can be misused to redirect to malicious sites (?)


Ganesh Prasad
Sep 27, 2018, 2:31:05 AM
to CAS Community
Hi,

We recently commissioned a third-party security audit of our application, and one of the findings was this:

Cross-Site Redirection (Medium Impact, Moderate Difficulty in exploiting)

If one pastes this string into the browser https://cas.mydomain.com/cas/login?TARGET=https://yahoo.com

then, after authentication, the browser is redirected without complaint to yahoo.com.

The report said in detail:

"The application was found to take a URL as a parameter to determine where to direct the user. <Consultant> found that this URL can be any value allowing an attacker to insert a malicious URL that can be used to redirect to an external site before or after authentication.

A link to the login page, containing this URL could therefore be created, which can then be sent to a victim (e.g. as an email phishing attack). When the victim accesses this link, they are initially sent to the valid site. After authentication they can be redirected to a third party site without their knowledge.

This second site could be under the control of an attacker, and perform such actions as re-requesting their authentication details and performing a man-in-the-middle attack between the victim and the client's site, ultimately giving the attacker authenticated access to the application."


My questions are:
1. Is this a security hole in CAS as suggested by the security auditor?
2. Is there a workaround that we can implement?

Regards,
Ganesh

Bergner, Arnold
Sep 27, 2018, 3:49:28 AM
to cas-...@apereo.org

Hi Ganesh,

when I submit “/login?TARGET=https://yahoo.com” to our CAS v5.2, I get an “application not authorized” error, so no redirection is happening.

Maybe it’s a hole resulting from your service definitions?

Regards,

Arnold


Andy Ng
Sep 27, 2018, 5:15:40 AM
to CAS Community, arnold....@hrz.tu-darmstadt.de
Hi Ganesh,

There is a default service definition that secretly enables all HTTPS-based services, called "HTTPSandIMAPS-10000001.json".

Refer to this on how to disable such a service:

See if this is your problem?

Cheers!
- Andy

David Curry
Sep 27, 2018, 8:55:18 AM
to cas-...@apereo.org, arnold....@hrz.tu-darmstadt.de
I think Andy's right here... when I try this on my CAS server, which does not have the wildcard service registry entry, I get (correctly) redirected to the "Application not authorized to use SSO" page.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School

Ganesh Prasad
Sep 28, 2018, 2:10:33 AM
to CAS Community, arnold....@hrz.tu-darmstadt.de
Hi Andy,

I think you're right. I can see the file WEB-INF/classes/services/HTTPSandIMAPS-10000001.json in my deployed directory.

I will follow the instructions you linked to, to disable this.

Thanks!

Ganesh 
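As an added illustration of the thread's diagnosis (this is example code, not code from the thread or from CAS itself), the following Python models how CAS's regex-based service registry decides whether the URL carried in `service`/`TARGET` is an authorized application. The first entry reproduces the shape of the default `HTTPSandIMAPS-10000001.json` that Andy and Ganesh name (its fields are taken from CAS's documentation, not from the thread, and are abridged); the second is a constructed, scoped replacement for `app.mydomain.com`, and the matching function is a simplified model of the registry's regex lookup, not CAS's own implementation.

```python
import re

# Shape of the default CAS service definition HTTPSandIMAPS-10000001.json.
# Fields reproduced from CAS's documented default (not from the thread);
# the serviceId regex is what authorizes any HTTPS URL as a service.
WILDCARD_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^(https|imaps)://.*",
    "name": "HTTPS and IMAPS",
    "id": 10000001,
    "evaluationOrder": 10000,
}

# Constructed replacement: only the application(s) you actually run.
# Anchored at both ends so look-alike hosts do not match.
SCOPED_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": r"^https://app\.mydomain\.com(/.*)?$",
    "name": "MyDomain application (constructed example)",
    "id": 10000002,
    "evaluationOrder": 100,
}


def find_matching_service(registry, target_url):
    """Return the first registered service whose serviceId regex matches
    target_url (lowest evaluationOrder first), or None.

    Simplified model: CAS applies the regex with a search (Java
    Matcher.find), which re.search reproduces here."""
    for svc in sorted(registry, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], target_url):
            return svc
    return None


def is_authorized_redirect(registry, target_url):
    """True when CAS would treat target_url as a registered service and
    redirect the browser there after login."""
    return find_matching_service(registry, target_url) is not None


if __name__ == "__main__":
    for registry, label in ((WILDCARD_SERVICE, "wildcard"), (SCOPED_SERVICE, "scoped")):
        for url in ("https://yahoo.com", "https://app.mydomain.com/login"):
            print(f"{label:8} {url:35} authorized={is_authorized_redirect([registry], url)}")
```

With the wildcard definition in place `https://yahoo.com` is an authorized service and the redirect happens; with only the scoped definition it is rejected, which is the "Application not authorized to use SSO" page Arnold and Dave describe.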