[security] Phishing issues with return_to url and realm
Dick Hardt
dick at sxip.com
Fri Feb 9 01:21:14 UTC 2007
On 8-Feb-07, at 5:03 PM, Allen Tom wrote:
> Hi Johnny,
>
> If the OP verifies the return_to by following all redirects until
> reaching the destination, then an evil RP could craft an Auth
> Request with the following parameters:
>
> realm=*.goodsite.com
> return_to=man.in.middle.redirect.com/legit_return_to.goodsite.com
In this example, if the realm is not contained in the domain of the
return_to, the OP would report an error to the user.
I agree with your original proposal about the OP verifying there are
no redirects by the return_to URL that do not contain the realm.
Per my other message, a POST is not redirectable (new word? :-) unless
the redirect service is employing a JavaScript "hack".
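As an added illustration of the check discussed in this thread (example code, not anything from the OpenID specification or any OP implementation): an OP-side routine that first tests whether the return_to URL lies within the realm, and then follows the return_to's redirect chain with GET, requiring every hop to stay inside the realm. Assumptions: the realm is written as a URL (`http://*.goodsite.com/`, since OpenID 2.0 realms carry a scheme), wildcard matching is done on domain-label boundaries so that `evilgoodsite.com` does not match `*.goodsite.com` (a hardening choice made here, not something the thread states), and the HTTP responses come from a constructed in-memory table rather than the network.

```python
from urllib.parse import urlsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # assumption: refuse return_to chains longer than this


def url_matches_realm(url: str, realm: str) -> bool:
    """True if `url` falls inside `realm`: same scheme and port, path at or
    below the realm path, and host equal to the realm host or (for a
    '*.' realm) the realm suffix or a label-boundary subdomain of it."""
    u, r = urlsplit(url), urlsplit(realm)
    if u.scheme != r.scheme:
        return False
    if (u.port or DEFAULT_PORTS.get(u.scheme)) != (r.port or DEFAULT_PORTS.get(r.scheme)):
        return False
    upath, rpath = u.path or "/", r.path or "/"
    if not (upath == rpath or upath.startswith(rpath if rpath.endswith("/") else rpath + "/")):
        return False
    uhost, rhost = (u.hostname or "").lower(), (r.hostname or "").lower()
    if rhost.startswith("*."):
        suffix = rhost[2:]
        # Label-boundary check (assumption): only the naked domain or a real subdomain.
        return uhost == suffix or uhost.endswith("." + suffix)
    return uhost == rhost


def verify_return_to(return_to: str, realm: str, fetch, max_hops: int = MAX_HOPS):
    """Follow return_to's redirects via GET, refusing if any hop leaves the realm.

    `fetch(url)` returns (status, location_header_or_None).
    Returns (ok, chain) where chain lists every URL visited."""
    url, chain = return_to, [return_to]
    for _ in range(max_hops + 1):
        if not url_matches_realm(url, realm):
            return False, chain          # this hop is outside the realm
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return True, chain           # final destination reached, all hops in realm
        url = urljoin(url, location)     # resolve relative Location headers
        chain.append(url)
    return False, chain                  # too many hops: treat as suspicious


# Constructed responses standing in for real HTTP fetches (not real hosts).
FAKE_RESPONSES = {
    "http://www.goodsite.com/login": (302, "/openid/return"),
    "http://www.goodsite.com/openid/return": (200, None),
    "http://man.in.middle.redirect.com/legit_return_to.goodsite.com":
        (302, "http://www.goodsite.com/openid/return"),
    "http://www.goodsite.com/out": (302, "http://evil.example/steal"),
    "http://evil.example/steal": (200, None),
}


def fake_fetch(url: str):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    realm = "http://*.goodsite.com/"
    # Allen's attack: realm string appears only in the path, host is the attacker's.
    print(url_matches_realm(
        "http://man.in.middle.redirect.com/legit_return_to.goodsite.com", realm))
    print(verify_return_to("http://www.goodsite.com/login", realm, fake_fetch))
    # Open redirector on the good site hopping off-realm is also refused.
    print(verify_return_to("http://www.goodsite.com/out", realm, fake_fetch))
```

The first check alone already defeats the crafted return_to in Allen's example, because the realm is compared against the host, not searched for as a substring anywhere in the URL; the redirect walk additionally catches an open redirector hosted under the realm that forwards off-site.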