Monday, August 25, 2014

OpenAM - Issue with Unvalidated Redirects defined in OWASP A10

We received a ticket from one of our customers reporting an issue. They thought they found a vulnerability with OpenAM.

I found one vulnerability of SSO. It is about Unvalidated Redirects which is defined in OWASP A10. 
For example, when I tried to input the url in IE, I could successfully be redirected to my project URL.

It should validate the returned url and reject my request.

My reply below:

The observation is a valid one. It is the default product behavior.  
You can, however, enhance security by setting allowed Goto URL domains by going to:
/ (Top Level Realm) -> Authentication -> All Core Settings ... -> Security -> Valid goto URL domains 
By default OpenAM will redirect the user to the URL specified in the goto parameter supplied to the authentication interface. To enhance security a list of valid DNS domains can be specified. OpenAM will only redirect a user if the domain of the goto URL is present in this list.

At least there is a way to tighten security if customer chooses to.


No comments:

Post a Comment