
Service providers that run the Shibboleth SP software and were originally installed with a version earlier than 3.1.0 may be vulnerable to abuse as an open redirector, even if the Shibboleth software has since been upgraded.

Installations from v3.1.0 onward should be protected by the new redirectLimit="exact" setting in the <Sessions> element of your shibboleth2.xml configuration file. Verify this to be certain!


Background

URL redirectors represent common functionality employed by web sites to forward an incoming request to an alternate resource. This can be done for a variety of reasons. The Shibboleth SP uses URL redirectors as part of the login and logout flows, generally as outgoing links directing the user's browser to a meaningful end. It is this last URL which is often used in phishing attacks, as described in the example below. URL redirectors do not necessarily represent a direct security vulnerability, but they can be abused by attackers trying to social engineer victims into believing that they are navigating to a site other than the true destination.


Phishing Example

In the example below, assume that service.aaf.example.edu.au wants visitors to land on its home page after logging out. The Shibboleth SP software provides the return parameter to redirect the user to a specified site. Here the SP redirects the user to the service's home page on completion of logout. The return parameter takes the URL that will be the ultimate destination.


 http://service.aaf.example.edu.au/Shibboleth.sso/Logout?return=http://service.aaf.example.edu.au

 

When such functionality is identified on popular websites and services, phishers may take advantage of it to fool unsuspecting users into believing that they are navigating to the well-known site as opposed to the attacker-controlled site. For example, an attacker could leverage the previous redirect to trick a user into surfing to the attacker-controlled evil.com website by embedding the following URL in an HTML email message or on a web site.


http://service.aaf.example.edu.au/Shibboleth.sso/Logout?return=http://evil.com/evil_page.html

 

When the victim checks the destination URL, perhaps by hovering over the link and noting the address in the status bar, they may mistakenly believe that they are navigating to the trusted service.aaf.example.edu.au, not the evil.com site. This may succeed because users are accustomed to recognizing only the initial domain name, or because lengthy URLs may be truncated in the display. Attackers can also enhance such a social engineering attack by further obfuscating the redirected URL. For example, the URL below contains the same redirect target, but the 'evil.com' domain has been converted to its percent-encoded hexadecimal equivalent.


 http://service.aaf.example.edu.au/Shibboleth.sso/Logout?return=http://%65%76%69%6c%2e%63%6f%6d/evil_page.html
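
The following added example (not part of the original advisory) shows how a mail filter or proxy-log check could flag the links above: it extracts the return parameter from a Shibboleth handler URL, lets the standard library percent-decode it, and compares its scheme, host and port with those of the SP. The function names and the same-origin comparison are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(parts, fallback_scheme=""):
    """(scheme, host, port) of a parsed URL; the port defaults by scheme."""
    scheme = (parts.scheme or fallback_scheme).lower()
    try:
        port = parts.port
    except ValueError:          # malformed port: never equal to a real origin
        port = -1
    return scheme, (parts.hostname or "").lower(), port or DEFAULT_PORTS.get(scheme)

def offsite_return(url):
    """Return the decoded off-site `return` target of a Shibboleth handler
    URL, or None when every target stays on the requesting origin."""
    req = urlsplit(url)
    if "/Shibboleth.sso/" not in req.path:
        return None
    # parse_qs percent-decodes the value, so %65%76%69%6c... becomes "evil..."
    for target in parse_qs(req.query).get("return", []):
        dest = urlsplit(target)
        if dest.hostname is None:
            continue            # relative path: stays on the SP
        if _origin(dest, req.scheme) != _origin(req):
            return target
    return None

# The three URLs from the example above.
SAMPLES = [
    "http://service.aaf.example.edu.au/Shibboleth.sso/Logout?return=http://service.aaf.example.edu.au",
    "http://service.aaf.example.edu.au/Shibboleth.sso/Logout?return=http://evil.com/evil_page.html",
    "http://service.aaf.example.edu.au/Shibboleth.sso/Logout?return=http://%65%76%69%6c%2e%63%6f%6d/evil_page.html",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(offsite_return(sample) or "on-site", "<-", sample)
```

The plain and the hex-encoded link both resolve to the same off-site target, so the encoding does not hide the destination from a check that decodes before comparing.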


Is your SP vulnerable?


If you are running a version of the Shibboleth SP software that is earlier than version 3.1.0 then your SP is vulnerable!


If your Shibboleth SP redirects you to the Google home page and does not respond with the error message "Blocked unacceptable redirect location." when you craft a URL similar to the following, your SP is vulnerable!


https://validator.test.aaf.edu.au/Shibboleth.sso/Logout?return=https://www.google.com


 [Note: Replace validator.test.aaf.edu.au with your own service domain to test]


If your Shibboleth configuration file /etc/shibboleth/shibboleth2.xml does not contain redirectLimit="exact" or similar in the <Sessions> element, then your SP is vulnerable!


Ensuring your SP is not vulnerable

To ensure your Shibboleth SP is not vulnerable to this type of attack and the possible reputational damage, follow these simple steps:


  1. Upgrade your Shibboleth SP software to the latest version
    • If you are still running version 2 visit Upgrading From V2 on the Shibboleth wiki for details
    • For Shibboleth V3 visit the Installation page and select your operating system for specifics on upgrading
  2. Edit your Shibboleth configuration file /opt/shibboleth/shibboleth2.xml and add the attribute redirectLimit="exact" to the <Sessions> element.


<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="http"
                  redirectLimit="exact">

Visit the Shibboleth V3 Sessions documentation for more advanced options for limiting redirect URLs.


  3. Restart your Shibboleth SP. Check the log files to ensure the SP restarted correctly.
    • Check /var/log/shibboleth/shibd_warn.log for errors.
  4. Test your site to ensure redirection to unwanted sites is no longer possible.
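
One way to check the configuration described in step 2 and under "Is your SP vulnerable?" (an added example, not Shibboleth project code): it lists every <Sessions> element, including those inside <ApplicationOverride>, and reports whether redirectLimit is set. The sample configuration, its entityID and the "admin" override are constructed; treating an empty value or "none" like a missing attribute is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment: the default application lacks
# redirectLimit (as in a config carried over from before v3.1.0), while a
# hypothetical "admin" override sets it.
SAMPLE_CONFIG = """\
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="http"/>
    <ApplicationOverride id="admin">
      <Sessions lifetime="28800" timeout="3600" redirectLimit="exact"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>
"""

def local(tag):
    """Strip the XML namespace so V2 and V3 config namespaces both match."""
    return tag.rsplit("}", 1)[-1]

def audit_redirect_limit(xml_text):
    """Return (application, redirectLimit, protected) for each <Sessions>."""
    findings = []

    def walk(elem, app):
        for child in elem:
            name = local(child.tag)
            if name == "Sessions":
                value = child.get("redirectLimit")
                # Missing counts as vulnerable per the text above; empty and
                # "none" are treated the same way (assumption of this example).
                findings.append((app, value, value not in (None, "", "none")))
            elif name == "ApplicationOverride":
                walk(child, child.get("id", "?"))
            else:
                walk(child, app)

    walk(ET.fromstring(xml_text), "default")
    return findings

if __name__ == "__main__":
    for app, value, ok in audit_redirect_limit(SAMPLE_CONFIG):
        print(f"{app}: redirectLimit={value!r} -> {'ok' if ok else 'UNPROTECTED'}")
```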


Your SP is no longer vulnerable.



References

[1] URL Redirector Abuse. http://projects.webappsec.org/w/page/13246981/URL%20Redirector%20Abuse

[2] Shibboleth Wiki - Service Provider 3. https://shibboleth.atlassian.net/wiki/spaces/SP3/overview?homepageId=2058387896