Federation SMPORTALURL can be manipulated and poses an open redirect vulnerability.
How can the Federation SMPORTALURL be secured against this open redirect vulnerability? Today the parameter can be manipulated so that the user is redirected to a malicious target.
How can the value of SMPORTALURL be validated before the browser is redirected to it, so that the request cannot be directed to an undesired site?
The SMPORTALURL vulnerability was addressed in the 12.52 SP1 release, which introduced a "Use Secure URL" check box that encrypts only the SMPORTALURL query parameter (1)(2).
The encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website.
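The two defenses the answer relies on, shown as an added illustration written for this article (not SiteMinder code): an allow-list check on the return target, and an integrity tag over the parameter so that a modified value is rejected before the redirect. The HMAC tag is an assumption standing in for the product's encryption of the parameter; the host names and key are constructed test values.

```python
"""Validating an SMPORTALURL-style return target before redirecting.

Illustrative code for this article, not the product's implementation.
  1. is_safe_portal_url: allow-list the host the user will be sent to.
  2. sign/verify_portal_url: keyed MAC over the parameter (assumption:
     a stand-in for the "Use Secure URL" encryption) so a tampered
     value never reaches the redirect.
"""
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of hosts the user may be returned to.
ALLOWED_HOSTS = {"portal.example.com", "apps.example.com"}


def is_safe_portal_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for an absolute https URL whose host is on the allow-list."""
    # Backslashes and CR/LF are never legitimate here; some browsers treat
    # "\" as "/", and CR/LF would allow header splitting in the Location header.
    if not url or any(c in url for c in "\\\r\n\t"):
        return False
    parts = urlsplit(url)
    if parts.scheme != "https":          # rejects http:, other schemes and "//host"
        return False
    if parts.username or parts.password:  # rejects "https://allowed@other"
        return False
    host = (parts.hostname or "").lower()  # empty for "https:host" (no netloc)
    return host in allowed_hosts


def sign_portal_url(url: str, key: bytes) -> str:
    """Attach a keyed MAC so the receiving side can detect modification."""
    tag = hmac.new(key, url.encode(), hashlib.sha256).hexdigest()
    return f"{url}|{tag}"


def verify_portal_url(token: str, key: bytes) -> Optional[str]:
    """Return the URL only if the tag and the allow-list both check out."""
    url, sep, tag = token.rpartition("|")  # hex tag never contains "|"
    if not sep:
        return None
    expected = hmac.new(key, url.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return url if is_safe_portal_url(url) else None
```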
(1)
This setting instructs the single sign-on service to encrypt only the SMPORTALURL query parameter. An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.
If you select the Use Secure URL check box, complete the following steps:
1. Set the Authentication URL field to the following URL:
http(s)://idp_server:port/affwebservices/secure/secureredirect
(2)
Defects Fixed in 12.52 SP1 CR06
| Salesforce Case Number | Internal Defect ID | Issue Description |
|------------------------+--------------------+-------------------------------------------------------------------------------------------------------|
| 00355124 | DE159107 | SMPORTALURL query value can be manipulated as it does not get encrypted while redirecting to redirect.jsp |
| 00454067 | DE198549 | SMPORTALURL query value can be manipulated as it does not get encrypted while redirecting to redirect.jsp |