Monday, August 25, 2014

OpenAM - Issue with Unvalidated Redirects defined in OWASP A10

We received a ticket from one of our customers reporting what they believed was a vulnerability in OpenAM.


I found one vulnerability in SSO. It is about Unvalidated Redirects, which are defined in OWASP A10.
For example, when I tried to input the URL in IE, I could successfully be redirected to my project URL. https://am.abc.sg/sso/UI/Login?goto=https://192.168.1.2:430/abc/Index

It should validate the returned url and reject my request.



My reply below:

The observation is a valid one. It is the default product behavior.  
You can, however, enhance security by setting allowed Goto URL domains by going to:
/ (Top Level Realm) -> Authentication -> All Core Settings ... -> Security -> Valid goto URL domains 
 
By default OpenAM will redirect the user to the URL specified in the goto parameter supplied to the authentication interface. To enhance security a list of valid DNS domains can be specified. OpenAM will only redirect a user if the domain of the goto URL is present in this list.

At least there is a way to tighten security if the customer chooses to.
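To make the difference between the default behaviour and the "Valid goto URL domains" setting concrete, here is an added example in Python. It is not OpenAM's own code and is not part of the original ticket or reply; it models the check the setting describes (the host of the goto URL must belong to a listed domain) so that the customer's URL and the usual open-redirect bypasses can be run through it. The allow-list contents, the suffix-matching rule, the fallback path and the use of `None` to stand for "no list configured" are all assumptions of this example, not documented OpenAM semantics.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allow-list standing in for the "Valid goto URL domains" setting.
VALID_GOTO_DOMAINS = {"abc.sg", "intranet.abc.sg"}

# Hypothetical same-site landing page used when a goto is rejected.
DEFAULT_GOTO = "/sso/console"


def goto_host(goto: str) -> Optional[str]:
    """Return the host the browser would really be sent to, or None if unsafe/undeterminable."""
    parsed = urlsplit(goto)
    # Only absolute http(s) URLs are considered; javascript:, data:, etc. are rejected.
    if parsed.scheme.lower() not in ("http", "https"):
        return None
    # .hostname drops userinfo and the port, so https://am.abc.sg@evil.com/ yields evil.com,
    # and https://192.168.1.2:430/abc/Index yields 192.168.1.2.
    host = parsed.hostname
    return host.lower() if host else None


def is_allowed_goto(goto: str, allowed_domains: Optional[Iterable[str]] = VALID_GOTO_DOMAINS) -> bool:
    """Accept a same-site relative path, or an absolute URL whose host is in or under an allowed domain.

    allowed_domains=None models the default described above: no list configured, any goto accepted.
    """
    if allowed_domains is None:
        return True
    goto = goto.strip()
    if not goto:
        return False
    # Backslashes are interpreted differently by URL parsers and browsers (e.g. "https://evil.com\\@abc.sg"),
    # so reject them outright rather than guess which side wins.
    if "\\" in goto:
        return False
    # A single leading "/" stays on the SSO host; "//" is scheme-relative and leaves it.
    if goto.startswith("/"):
        return not goto.startswith("//")
    host = goto_host(goto)
    if host is None:
        return False
    # Suffix match on a dot boundary: "am.abc.sg" matches "abc.sg", "am.abc.sg.evil.com" does not.
    for domain in allowed_domains:
        d = domain.lower().lstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def resolve_goto(goto: str, allowed_domains: Optional[Iterable[str]] = VALID_GOTO_DOMAINS,
                 default: str = DEFAULT_GOTO) -> str:
    """Where the login page should send the user after authentication."""
    return goto if is_allowed_goto(goto, allowed_domains) else default


if __name__ == "__main__":
    # Constructed inputs: the customer's URL plus common bypass attempts.
    samples = [
        "https://192.168.1.2:430/abc/Index",   # the customer's report
        "https://am.abc.sg/portal/",            # legitimate application
        "/sso/console",                         # relative, stays on the SSO host
        "//evil.com/",                          # scheme-relative
        "https://am.abc.sg.evil.com/",          # allowed domain as a prefix of a foreign host
        "https://am.abc.sg@evil.com/",          # allowed domain in the userinfo
        "https://evil.com/?next=am.abc.sg",     # allowed domain in the query string
        "javascript:alert(1)",                  # non-http scheme
    ]
    for s in samples:
        print(f"default: {resolve_goto(s, None)!s:40}  with allow-list: {resolve_goto(s)}")
```

Note that the allow-list only restrains where the `goto` parameter can send an already authenticated user; it does nothing for the login page itself, so the fallback destination should be a fixed same-site path rather than anything derived from the request.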

