Recently I found a problem with an authentication library. The hyperlink the user clicks to access private content looks something like this:
https://www.authenticateme.com/auth.asp?url=http://www.privatecontent.com/1337
Normally the user enters their credentials on the auth.asp page and is then redirected to privatecontent.com/1337. But nothing stops a user from going to privatecontent.com/1337 directly and skipping the authentication step entirely: the content server relies on visitors having come through auth.asp instead of checking for a valid session itself. Because the content URLs follow a predictable formula, that user can also enumerate and access other content simply by changing the path.
This also qualifies as an open redirect. auth.asp redirects to whatever value is in "url=" after login, so an attacker can put their own server's address there, send the resulting link to a victim, and have the victim log in on the genuine authentication page. The victim is then redirected to the attacker's server, and whatever the authentication page passes along on that redirect (in this case, the credentials themselves) ends up in the attacker's logs.
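Added example (not code from the post or from the library it describes): the two checks that were missing, a redirect-target validator for the "url=" parameter and an authorization check on the content server itself. The hostnames come from the post; the function names, the allowlist, the session handling and the content/owner table are assumptions made for illustration.

```python
"""Redirect-target validation and content-side authorization.

Added example, not the library from the post. Hostnames follow the post;
everything else (names, allowlist, sample data) is assumed for illustration.
"""
from urllib.parse import urlsplit

# Assumed allowlist: the only host auth.asp should ever redirect to.
ALLOWED_REDIRECT_HOSTS = {"www.privatecontent.com"}
ALLOWED_SCHEMES = {"https"}          # https only; no javascript:, data:, or http downgrade
FALLBACK = "https://www.privatecontent.com/"  # assumed safe landing page


def vulnerable_redirect_target(url_param: str) -> str:
    """The behaviour the post describes: whatever is in url= is used verbatim."""
    return url_param


def safe_redirect_target(url_param: str,
                         allowed_hosts=ALLOWED_REDIRECT_HOSTS,
                         allowed_schemes=ALLOWED_SCHEMES,
                         fallback=FALLBACK) -> str:
    """Return url_param only if it is an absolute URL on an allowed host.

    Anything else (other hosts, scheme-relative //host, userinfo tricks such as
    https://www.privatecontent.com@attacker.example, bare javascript:/data:
    URLs, or an unparsable value) falls back to a fixed safe page.
    """
    try:
        parts = urlsplit(url_param)
    except ValueError:                      # e.g. malformed IPv6 literal
        return fallback
    if parts.scheme.lower() not in allowed_schemes:
        return fallback                     # rejects "//attacker.example" and "javascript:..."
    host = (parts.hostname or "").lower()   # hostname strips userinfo and port
    if host not in allowed_hosts:
        return fallback                     # rejects look-alike and userinfo-prefixed hosts
    if parts.username is not None or parts.password is not None:
        return fallback                     # userinfo in a redirect target is never legitimate
    return url_param


# Constructed sample data: which authenticated user owns which content id.
CONTENT_OWNER = {"1337": "alice", "1338": "bob"}


def serve_content_gate_only(content_id: str, session_user):
    """Vulnerable: trusts that the visitor arrived via auth.asp and never checks."""
    return ("200", f"private content {content_id}")


def serve_content_checked(content_id: str, session_user):
    """Hardened: the content server validates the session and ownership itself.

    Missing and not-owned ids get the same 404 so the URL formula cannot be
    used to enumerate which ids exist.
    """
    if session_user is None:
        return ("401", None)
    owner = CONTENT_OWNER.get(content_id)
    if owner is None or owner != session_user:
        return ("404", None)
    return ("200", f"private content {content_id}")


if __name__ == "__main__":
    for candidate in ("https://www.privatecontent.com/1337",
                      "http://attacker.example/",
                      "//attacker.example/",
                      "https://www.privatecontent.com@attacker.example/",
                      "javascript:alert(1)"):
        print(f"{candidate!r:55} -> {safe_redirect_target(candidate)}")
    print(serve_content_gate_only("1337", None))   # served with no session at all
    print(serve_content_checked("1337", None))     # 401
    print(serve_content_checked("1337", "bob"))    # 404, not bob's content
    print(serve_content_checked("1337", "alice"))  # 200
```

Two design points worth noting. The validator parses the value and compares the hostname against an allowlist rather than matching a string prefix, because prefix checks are exactly what `https://www.privatecontent.com.attacker.example/` and `https://www.privatecontent.com@attacker.example/` are built to defeat; with `https` as the only allowed scheme, the `http://` link from the post's own example would be sent to the fallback page as well, so the allowlist needs to reflect what the content site actually serves. The redirect fix alone does not close the post's first problem: only a session and ownership check performed by the content server stops direct access and enumeration.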