OWASP Top 10 web app vuln # 10


Eric Enns
Aug 25, 2011, 11:59:52 AM
to web...@googlegroups.com

Hey,

I know this has been discussed before, but this issue is now in the OWASP top ten web application vulnerabilities: https://www.owasp.org/index.php/Top_10_2010-A10 . The vulnerability is the ?_next=<SITE> feature. One way this could be exploited, according to the OWASP entry, is that an attacker gives out a link to the login page of your site; an uninformed user attempts to log in and, on success, gets redirected to the phishing site. On that site the attacker makes it look the same and shows the form error "invalid credentials"; the user attempts to log in again and gets redirected to the valid site. Now the attacker has the user's credentials and a way into the site. A suggested solution is, by default, to only allow _next to redirect to a site within the application, and to have a config file or variable which contains a whitelist of sites that are allowed to be redirected to.

-Eric


This communication, including any attachments, does not necessarily represent official policy of Seccuris Inc.
Please see http://www.seccuris.com/Contact-PrivacyPolicy.htm for further details about Seccuris Inc.'s Privacy Policy.
If you have received this communication in error, please notify Seccuris Inc. at in...@seccuris.com or at 1-866-644-8442.


Massimo Di Pierro
Aug 25, 2011, 2:12:37 PM
to web2py-users
We do not allow redirection outside the app, unless there is a bug.
Did you check this?

On Aug 25, 10:59 am, Eric Enns <ee...@seccuris.com> wrote:
> Hey,
>
> I know this has been discussed before, but this issue is now in the OWASP top ten web application vulnerabilities: https://www.owasp.org/index.php/Top_10_2010-A10 . The vulnerability is the ?_next=<SITE> feature. One way this could be exploited, according to the OWASP entry, is that an attacker gives out a link to the login page of your site; an uninformed user attempts to log in and, on success, gets redirected to the phishing site. On that site the attacker makes it look the same and shows the form error "invalid credentials"; the user attempts to log in again and gets redirected to the valid site. Now the attacker has the user's credentials and a way into the site. A suggested solution is, by default, to only allow _next to redirect to a site within the application, and to have a config file or variable which contains a whitelist of sites that are allowed to be redirected to.
>
> -Eric

Anthony
Aug 25, 2011, 2:35:44 PM
to web...@googlegroups.com
On Thursday, August 25, 2011 2:12:37 PM UTC-4, Massimo Di Pierro wrote:
> We do not allow redirection outside the app, unless there is a bug.

Yes, looks like we do. In Auth.login():

        if next == DEFAULT:
            next = request.get_vars._next \
                or request.post_vars._next \
                or self.settings.login_next
        [snip]
        redirect(next)  # the _next value taken from the request is passed through unvalidated

So, the login action will redirect to whatever URL is in the _next variable of the query string. Just tried it and was able to redirect to an external URL.

Anthony

Massimo Di Pierro
Aug 25, 2011, 2:52:27 PM
to web2py-users
OK. I need to check when and why this got broken. This will be fixed
by the next stable version. Please open a ticket so it is tracked.

ee...@seccuris.com
Aug 25, 2011, 3:04:44 PM
to web...@googlegroups.com

Massimo Di Pierro
Aug 25, 2011, 6:57:22 PM
to web2py-users
Please check trunk.

Anthony
Aug 25, 2011, 7:29:23 PM
to web...@googlegroups.com
Syntax error:

    or request.post_vars._next:

Drop the colon at the end of that line. Actually, it's now short enough to get it all on one line:

    next = request.get_vars._next or request.post_vars._next

Also, why isn't it just:

    next = request.vars._next

Anthony

On Thursday, August 25, 2011 6:57:22 PM UTC-4, Massimo Di Pierro wrote:
> Please check trunk.

Massimo Di Pierro
Aug 25, 2011, 11:45:59 PM
to web2py-users
Because there have been situations when there was a _next both in post
and get, thus creating a list.

On Aug 25, 6:29 pm, Anthony <abasta...@gmail.com> wrote:
> Syntax error:
>
>     or request.post_vars._next:

Anthony
Aug 26, 2011, 12:49:53 AM
to web...@googlegroups.com
Got it.

On Thursday, August 25, 2011 11:45:59 PM UTC-4, Massimo Di Pierro wrote:
> Because there have been situations when there was a _next both in post
> and get, thus creating a list.

ee...@seccuris.com
Aug 26, 2011, 9:50:57 AM
to web...@googlegroups.com
Looked in trunk and the issue has been resolved. Thanks.

-Eric

Mandar Vaze
Oct 13, 2014, 11:53:23 AM
to web...@googlegroups.com
This seems to be fixed ONLY for login,
but the issue exists for all other redirections.
(I am using 2.9.5-stable+timestamp.2014.03.16.02.35.39)

e.g. 127.0.0.1:8000/user/profile?_next=http://www.google.com
Or
http://127.0.0.1:8000/user/logout?_next=http://www.google.com

Is there some setting/code that we need to include in "our" application code?

-Mandar

Mandar Vaze
Oct 13, 2014, 1:21:52 PM
to web...@googlegroups.com
I verified the code in gluon/tools.py - the "issue" exists for most of the methods in Auth() which take "next" as one of the parameters (change_password, retrieve_password, reset_password, register, .... probably a few more).
The "special" check applied in login() is not present in the rest of these methods.

-Mandar
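Added example (not part of the thread and not web2py's own code): the check Eric proposes at the top of the thread, written as a stand-alone Python validator, plus the point Mandar raises at the end, that the same check has to sit in front of every redirect that honours _next, not just login. The function and variable names (is_safe_next, choose_next, find_external_redirect_attempts, request_host) are hypothetical, the caller is assumed to know the hostname the application is served on, and the access-log lines and hostnames such as evil.example are constructed sample data, not captured traffic. Relative targets must start with a single "/", so "//host/..." is treated as the scheme-relative absolute URL it is; absolute targets are accepted only for http(s) and only when the hostname is our own or on the allow-list; backslashes, control characters (raw or percent-encoded) and list-valued parameters are refused. The last function runs the same validator over log lines to flag _next values the application would have refused, which is a cheap way to see whether anyone is probing the parameter.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical names: these functions are an illustration, not web2py's Auth API.


def is_safe_next(value, request_host, allowed_hosts=()):
    """Return True only if `value` is a redirect target the application may follow.

    request_host  - hostname this application is served on (assumed known to the caller)
    allowed_hosts - optional allow-list of external hostnames (the "whitelist" from the thread)
    """
    # Only a single, trimmed string is acceptable. When _next arrives in both the query
    # string and the POST body, merged request variables can come back as a list; refuse it.
    if not isinstance(value, str) or not value or value != value.strip():
        return False
    # Check the raw value and one round of percent-decoding: control characters can
    # split a Location header, and browsers treat "\" as "/", so "/\host" becomes "//host".
    for candidate in (value, unquote(value)):
        if '\\' in candidate or any(ord(c) < 0x20 or ord(c) == 0x7f for c in candidate):
            return False
    try:
        parts = urlsplit(value)
    except ValueError:  # malformed input such as an unbalanced IPv6 bracket
        return False
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host/...") target: only http(s), and the host
        # must be our own or explicitly allow-listed. .hostname already drops any
        # userinfo, so "http://ourhost@other.host/" is judged by "other.host".
        if parts.scheme not in ('http', 'https') or parts.hostname is None:
            return False
        allowed = {h.lower() for h in allowed_hosts} | {request_host.lower()}
        return parts.hostname.lower() in allowed
    # Relative target: require exactly one leading "/" so it stays on this host.
    return value.startswith('/') and not value.startswith('//')


def choose_next(value, request_host, fallback, allowed_hosts=()):
    """Use `value` when it passes the check, otherwise the application's default page.

    Calling this one function at every redirect point (login, logout, profile,
    register, change_password, ...) is what closes the gap described in the thread.
    """
    return value if is_safe_next(value, request_host, allowed_hosts) else fallback


# Detection side: constructed access-log lines (not real traffic) in common log format.
SAMPLE_LOG = [
    '127.0.0.1 - - [13/Oct/2014:11:53:23 +0000] "GET /user/profile?_next=http://www.google.com HTTP/1.1" 303 0',
    '127.0.0.1 - - [13/Oct/2014:11:53:40 +0000] "GET /user/login?_next=/user/profile HTTP/1.1" 200 1234',
    '127.0.0.1 - - [13/Oct/2014:11:54:02 +0000] "GET /user/logout?_next=//evil.example/ HTTP/1.1" 303 0',
]
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_external_redirect_attempts(lines, request_host, allowed_hosts=()):
    """Return (path, _next) pairs whose _next value the validator would refuse."""
    flagged = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        for candidate in parse_qs(target.query).get('_next', []):
            if not is_safe_next(candidate, request_host, allowed_hosts):
                flagged.append((target.path, candidate))
    return flagged


if __name__ == '__main__':
    for path, nxt in find_external_redirect_attempts(SAMPLE_LOG, '127.0.0.1'):
        print(f'external _next on {path}: {nxt}')
```

The validator compares hostnames only, so a different port on the same host is accepted; tighten to a netloc comparison if the application must never leave its own port. Sub-domains of an allow-listed host are not accepted unless listed explicitly.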