Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Page_uri => Vulnerability to open redirect attacks #619

Closed
philippfo9 opened this issue Jan 15, 2020 · 11 comments · Fixed by #651
Closed

Page_uri => Vulnerability to open redirect attacks #619

philippfo9 opened this issue Jan 15, 2020 · 11 comments · Fixed by #651
Labels

Comments

@philippfo9
Copy link

The attacker can provide a user with a link, which points to the trusted website. If the user opens the link, he will be immediately redirected to a website, which is controlled by the attacker.

This is due to the page_uri parameter that you can provide as state={"page_uri": "..."}
e.g.
http://localhost:3001/login/redirect#state={%22page_uri%22:%22https://www.google.com%22}

image

It would be good to restrict this parameter to only be able to point to approved domains. This could be achieved by a combination of whitelist filters as well as regular expressions.
It's not enough to simply check if it includes the domain e.g. https://www.example.com, because this can be circumvented by passing 'https://[email protected]/'

@MrSwitch
Copy link
Owner

Yes, that's correct it functions this way so in theory one could have authentication and navigation terminating on another domain. Not sure how useful that is but hey ho.

An attacker wont get anything from redirecting the user. Unless i'm missing something here.

@philippfo9
Copy link
Author

philippfo9 commented Jan 16, 2020

He could get the authority of the domain and make the user believe, he is on the right site. If the user does believe that, the user could possibly enter sensible data there.

Is it possible to contribute to it and add some config in order to be able to specify some host, that you validate against in this case or in which ways is this page_uri used?

@MrSwitch
Copy link
Owner

He could get the authority of the domain and make the user believe, he is on the right site. If the user does believe that, the user could possibly enter sensible data there.

If you have the ability to push links to users then this problem exists... that's pretty much any social site. I dont believe this should be solved here. HelloJS is acting as a redirect for malformed links but isn't exposing anything which could be abused.

@mithodin
Copy link

I'd like to comment that this is very much an issue, if an attacker is able to craft links that use my domain, so that it looks legit even to someone checking the link. We are not going to be able to use hello.js any longer if this is not going to be fixed.

@MrSwitch
Copy link
Owner

MrSwitch commented Sep 16, 2021

@mithodin if you dont mind putting a constant on your redirect.html page, before including hello.js

Something like ...

// Scope any redirect URL's to the current domain... this would prevent `page_uri` being used to redirect to another domain
var HELLOJS_REDIRECT_URL = window.location.origin;

// Disable any redirect
var HELLOJS_REDIRECT_URL = false;

Hellojs could then simply check !Object.prototype.hasOwnProperty.call(window, 'HELLOJS_REDIRECT_URL') || page_uri.match(window.HELLOJS_REDIRECT_URL), before allowing any redirect to occur.

Thoughts?

@mithodin
Copy link

@MrSwitch could the same be achieved by passing an option to hello.init()? That would somehow make more sense to me than using a global variable. Otherwise, yes I think that would be an acceptable option.

@MrSwitch
Copy link
Owner

@mithodin well if you look at the default implementation of the redirect.html page view-source:https://adodson.com/hello.js/redirect.html it never actually calls hello.init(). In hindsight it's a bad design, perhaps in a future version this will be addressed.

@mithodin
Copy link

I see. Well, if this is the only way to get the info in there, yes. Makes sense to do it this way. But I also agree that the design maybe isn't the best.

@MrSwitch
Copy link
Owner

Please approve the PR #651 if it addresses your immediate security concerns.

@mithodin
Copy link

Are you sure I can do that? I don't see the option of leaving a review on the PR

MrSwitch added a commit that referenced this issue Sep 19, 2021
fix(redirects): lock down redirect attempts, fixes #619
github-actions bot pushed a commit that referenced this issue Sep 19, 2021
## [1.19.5](v1.19.4...v1.19.5) (2021-09-19)

### Bug Fixes

* **redirects:** lock down redirect attempts, fixes [#619](#619) ([544e5ea](544e5ea))
@github-actions
Copy link

🎉 This issue has been resolved in version 1.19.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

Thom1996 pushed a commit to Thom1996/hello.js that referenced this issue Apr 28, 2022
## [1.19.5](MrSwitch/hello.js@v1.19.4...v1.19.5) (2021-09-19)

### Bug Fixes

* **redirects:** lock down redirect attempts, fixes [MrSwitch#619](MrSwitch#619) ([544e5ea](MrSwitch@544e5ea))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants