Is it possible to disable the task.RedirectURL feature in IDM?


Article ID: 226020


Updated On:

Products

CA Identity Suite

Issue/Introduction

Recent penetration testing discovered a potential vulnerability in the IDM "task.RedirectURL" function. The task.RedirectURL function allows an attacker to redirect a user after a task has been completed on the application. An attacker may redirect a user to a malicious website hosting malware or other exploits.

Is it possible to disable this redirect?

Environment

Release : 14.3, 14.4

Component : Identity Manager

Resolution

It is not possible to disable the redirect within IDM; it is a purposeful feature that allows better integration with an overall corporate website. You can, however, restrict the redirect URL to specific domains to prevent this kind of exploit.

Please see: URLRedirectDomains

To allow access to a public self-service task from a corporate website, you can add a link to any web page. When a user clicks the link, a task screen opens. When the user completes the task, they are redirected to the User Console by default. To change the page to which users are redirected, you can append the task.RedirectURL tag to the URL associated with the link. This action can result in a security breach, however, if a malicious user redirects the task to a URL of their choosing.
To avoid this issue, specify in this user-defined property the list of domains to which users may be redirected. Specify the domains as comma-separated values.
Values: <domain1>, <domain2>, <domain3>
Examples: forwardinc.com, hedmoral.com, jedmere.com

This property can be added under Environment > {IME} > Advanced Settings > Miscellaneous:

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=D5Srnr9ZgvrF2R15tCMBqQ==
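The following is an added example, not CA Identity Suite code: it models the check that a URLRedirectDomains-style allowlist has to perform on a task.RedirectURL value before the redirect is honoured, including the cases that a naive string comparison gets wrong (subdomains, look-alike hosts, userinfo in the URL, scheme-relative paths). The default User Console path, the subdomain rule and the acceptance of same-site relative paths are assumptions, not documented IDM behaviour.

```python
"""Allowlist check modelled on the URLRedirectDomains property.

Added example, not CA Identity Suite code. The default target, the
subdomain rule and the same-site relative-path rule are assumptions.
"""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholder for the default post-task destination (User Console).
DEFAULT_TARGET = "/user-console"
# A same-site path must start with exactly one '/', so '//host' and '/\host'
# (which browsers treat as scheme-relative URLs) are not accepted as local.
_SAFE_LOCAL_PATH = re.compile(r"^/[^/\\]")


def parse_allowlist(value: str) -> frozenset[str]:
    """Turn 'forwardinc.com, hedmoral.com' into a set of normalised hostnames."""
    return frozenset(
        d.strip().lower().rstrip(".") for d in value.split(",") if d.strip()
    )


def host_allowed(host: str, allowed: frozenset[str]) -> bool:
    """Exact match or a subdomain of an allowed domain.

    'forwardinc.com.other.example' and 'evilforwardinc.com' both fail because
    the suffix test requires the '.' separator before the allowed domain.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def safe_redirect(redirect_url: Optional[str], allowed: frozenset[str],
                  default: str = DEFAULT_TARGET) -> str:
    """Return redirect_url if its target is permitted, otherwise the default."""
    if not redirect_url:
        return default
    url = redirect_url.strip()
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return url if _SAFE_LOCAL_PATH.match(url) else default
    # Absolute URL: require http(s) and an allowlisted hostname. parts.hostname
    # excludes any userinfo, so 'https://forwardinc.com@other.example/' is
    # judged on 'other.example', not on the text in front of the '@'.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return default
    return url if host_allowed(parts.hostname, allowed) else default
```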


Additional Information

If you are integrated with SiteMinder SSO, you can also Define Valid Target Domains in the SiteMinder configuration.