On RegisterService line 137, assuming AutoLogin = true…

```csharp
Continue = request.Continue ?? base.Request.GetQueryStringOrForm(Keywords.ReturnUrl)
```
And AuthenticateService lines 220 - 225:

```csharp
var referrerUrl = request.Continue ?? session.ReferrerUrl ?? request.Continue ?? base.Request.GetQueryStringOrForm(Keywords.ReturnUrl) ?? this.Request.GetHeader(HttpHeaders.Referer) ?? authProvider.CallbackUrl;
```
IMO it probably isn't OK (security issue) to redirect on a QueryString value (and probably HttpHeaders.Referer; I'm not sure about CallbackUrl, I didn't follow the code through the auth providers) without checking whether it's a site/safe URL. Bad actors could send them to register on the site and then redirect them elsewhere to a malicious site that looks like the victim site.
For example, the ReturnUrl could redirect them to a page on a malicious site that indicates their login is incorrect (when it was correct on the victim site) and have them sign in again, thereby collecting their information.
Example using SimpleAuth.Mvc:
This will sign you in and then redirect you to DuckDuckGo.com
Granted, the attack vector on RegisterService would only work if request.Continue wasn't filled.
- a Continue validator (maybe default to same domain as request)
- a switch (true/false) to turn off querystring or Continue functionality
- whatever the genius called mythz comes up with
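One way to implement the "Continue validator" suggested above, as an added example that is not ServiceStack's own code: it only lets a ReturnUrl/Continue value through when it is a plain relative path or an absolute http(s) URL on the request's own host. The class and method names are mine, and the host is assumed to come from something like `new Uri(Request.AbsoluteUri).Host` in the service.

```csharp
using System;

// Added example (not ServiceStack code): allow-list check for a redirect target
// before it is handed to a 302. Anything that fails falls back to a fixed local path.
public static class RedirectValidator
{
    public static bool IsSafeRedirectUrl(string url, string requestHost)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;

        // Browsers treat "//host", "/\host" and "\host" as absolute, so a
        // "starts with /" check alone is not enough; reject these outright.
        if (url.StartsWith("//") || url.StartsWith("/\\") || url.StartsWith("\\"))
            return false;

        // A plain relative path like "/account?x=1" is same-site by construction.
        if (url.StartsWith("/"))
            return Uri.TryCreate(url, UriKind.Relative, out _);

        // Otherwise it must parse as an absolute http(s) URL whose host is ours.
        if (!Uri.TryCreate(url, UriKind.Absolute, out var abs)) return false;
        if (abs.Scheme != Uri.UriSchemeHttp && abs.Scheme != Uri.UriSchemeHttps) return false;
        return string.Equals(abs.Host, requestHost, StringComparison.OrdinalIgnoreCase);
    }

    // Returns the candidate if safe, otherwise the supplied fallback (default "/").
    public static string ResolveRedirect(string candidate, string requestHost, string fallback = "/")
        => IsSafeRedirectUrl(candidate, requestHost) ? candidate : fallback;
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs; "victim.example" stands in for the real site host.
        const string host = "victim.example";
        string[] candidates =
        {
            "/dashboard",                          // safe: relative path
            "https://victim.example/account",      // safe: same host
            "https://duckduckgo.com/",             // rejected: foreign host
            "//duckduckgo.com/",                   // rejected: protocol-relative
            "javascript:alert(1)",                 // rejected: non-http scheme
        };
        foreach (var c in candidates)
            Console.WriteLine($"{c,-40} -> {RedirectValidator.ResolveRedirect(c, host)}");
    }
}
```

Plugging `ResolveRedirect` into the `??` chain in AuthenticateService (wrapping the final value) would keep existing behaviour for local URLs while neutralising off-site ones.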