Prevent redirection from URL injection in the Developer Portal

Hi Everyone,

We have a concern about a security vulnerability on our developer portal. It is related to URL injection that allows users to be redirected to other sites.

Below is the example URL injection:

https://<hostname>/files/..%5C..%5C..%5CPOC%20HTTP/1.1%0aHost%3A%20example.com%0A%0A

We tried to add the below in the Content Security Policy (CSP) (Publish -> Portals -> Security ->); but it is not preventing the redirection. Could you please let us know what is missing? Is there any way to prevent such injection attacks?

- default-src 'unsafe-eval' 'unsafe-inline' * data:
- default-src 'self' 'unsafe-url' 'unsafe-eval' 'unsafe-inline' * data:
- default-src 'self' 'unsafe-url' 'unsafe-eval' 'unsafe-inline' * data: referrer no-referrer

Regards,
Vernon


Don't have a solution but I am also interested to know if there is a known solution to prevent redirect via URL injection. I tested out the example provided by 'vernon08' in our own integrated developer portal and the redirect behaviour occurred just as was described.

vernon08, can you explain specifically where you're providing that URL as input? 

Here is my understanding of URL injection: a malicious person must provide input to the website, and in that specially-crafted input, there's a URL that is camouflaged or obscured, and the website is induced to ... de-reference that URL and retrieve something, which then.... leads to a problem.   

I am not understanding where the vulnerability is...  In which data field, on which devportal page, would a malicious user provide that URL, to lead to the URL injection?

I'm understanding the vulnerability as that a malicious actor may construct a URL with a 'trusted' hostname (e.g. for a published portal) that is allowed to redirect the user to a different (malicious) URL with a different host. 
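A CSP only restricts what a page may load, not where a server-side redirect sends the browser, so the redirect target itself has to be validated on the server. The following is an added example of such a check (not the portal's own code); the allowed host `portal.example.test` and the sample inputs are constructed for illustration.

```python
"""Server-side redirect-target validation (added example, not the portal's code)."""
from urllib.parse import unquote, urlsplit

# Hosts the portal is allowed to send users to; constructed for this example.
ALLOWED_HOSTS = {"portal.example.test"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allowed host and carries no
    control characters, backslashes or traversal segments after decoding."""
    decoded = target
    # Decode repeatedly so doubly-encoded sequences (e.g. %255C) cannot slip past.
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # CR/LF (%0A, %0D) would let the value inject response headers such as
    # "Host:"; browsers treat '\' as '/', so "..%5C" behaves like "../".
    if any(c == "\\" or ord(c) < 0x20 for c in decoded):
        return False
    try:
        parts = urlsplit(decoded)
    except ValueError:  # e.g. malformed IPv6 bracket host
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    host = parts.hostname  # None for a path-only target; already lower-cased
    if host is None:
        # Relative target: must be an absolute path on this site.
        if not decoded.startswith("/"):
            return False
    elif host not in allowed_hosts:
        return False  # covers "//evil" and "https://trusted@evil/" forms
    # Reject traversal segments regardless of host.
    if ".." in parts.path.split("/"):
        return False
    return True


if __name__ == "__main__":
    # The shape of URL reported above, with a constructed host.
    poc = "/files/..%5C..%5C..%5CPOC%20HTTP/1.1%0aHost%3A%20example.com%0A%0A"
    print(is_safe_redirect(poc))                        # False
    print(is_safe_redirect("/docs/getting-started"))    # True
```

Apply the check to any parameter or path the portal turns into a `Location` header, and fall back to a fixed landing page when it returns False.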

Thank you for reporting - the issue has already been acknowledged and a fix is being released.

This issue was recently reported to us through another channel, and a fix is slated to be rolled out in approximately a week. We don't have a public bug tracker but I will update this thread when the fix has been released.


Update 3/26/24 - the fix has rolled out to production.

The fix has rolled out to production.