We do not allow redirection outside the app, unless there is a bug. Did you check this?
On Aug 25, 10:59 am, Eric Enns <ee...@seccuris.com> wrote:
> Hey,
>
> I know this has been discussed before, but this issue is now in the OWASP
> top ten web application vulnerabilities:
> https://www.owasp.org/index.php/Top_10_2010-A10. The
> vulnerability is the feature ?_next=<SITE>. One way this could be exploited,
> according to the vulnerability description, is that an attacker gives out a link to the login
> page of your site. An uninformed user attempts to log in and on success gets
> redirected to the phishing site. On said site the attacker makes it look the
> same and shows the form error "invalid credentials"; the user attempts to log in
> again and gets redirected to the valid site. Now the attacker has the user's
> credentials and a way into the site. A suggested solution is by default to
> only allow _next to redirect to a site within the application and have a
> config file or variable which contains a whitelist of sites that are allowed
> to be redirected to.
>
> -Eric
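The fix Eric proposes (in-app targets by default, plus a configured whitelist of hosts) as an added Python example; this is not the application's own code, and `is_safe_redirect`, `resolve_next` and the `ALLOWED_HOSTS` sample are assumed names. It also covers the encodings that commonly slip past a naive "starts with /" check.

```python
from urllib.parse import urlsplit

# Constructed sample of the whitelist the thread suggests keeping in config:
# the application's own host plus any external sites explicitly allowed.
ALLOWED_HOSTS = {"app.example", "partner.example"}


def is_safe_redirect(target, allowed_hosts):
    """Return True only if `target` is an in-app path or an absolute
    http(s) URL whose host is in the configured whitelist."""
    if not target:
        return False
    # Control characters break URL parsing in surprising ways, and browsers
    # treat '\' as '/', so '/\evil.example' is really '//evil.example'.
    if any(ord(c) < 0x20 for c in target) or "\\" in target:
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative URL: accept only an absolute path inside the app.
        # Check the raw string so '//host' and '///host' (which urlsplit
        # parses as an empty netloc) are both refused.
        return target.startswith("/") and not target.startswith("//")
    # Protocol-relative URLs arrive here with an empty scheme and are refused
    # together with javascript:, data: and any other non-web scheme.
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo and port, so 'https://app.example@evil.example'
    # is judged by its real host, evil.example.
    host = (parts.hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


def resolve_next(target, allowed_hosts, default="/"):
    """Pick the post-login destination: the requested _next when it is safe,
    otherwise a fixed in-app default (never the attacker-supplied value)."""
    return target if is_safe_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    for candidate in ["/dashboard", "//evil.example/phish",
                      "https://app.example/account", "https://evil.example/"]:
        print(f"{candidate!r:40} -> {resolve_next(candidate, ALLOWED_HOSTS)}")
```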