I have a Liferay Community Edition, version 7.4.3.25-ga25, and I'm trying to analyze its security using the OWASP ZAP tool. I receive, among other things, a high-level alert on external redirect which I do not understand. Here are the details:
- URL: https://my.liferay.it/c/portal/login?p_l_id=20184&windowState=8378327876640720401.owasp.org
- method: GET
- attack: 8378327876640720401.owasp.org
- evidence: 8378327876640720401.owasp.org
- Reference http://projects.webappsec.org/URL-Redirector-Abuse and http://cwe.mitre.org/data/definitions/601.html
- CWE Id 601
- WASC Id 38
- Plugin Id 20019
I can't understand what type of attack this is. The page effectively does a redirect, but it remains on the same domain and login page; I only have more parameters in the URL bar.
I've searched the web but did not find any useful information. By the way, I do not control this Liferay behaviour; I've not made any customization to the framework that alters the login page behaviour.
Can someone help me figure out the problem? Thanks
CodePudding user response:
I'm guessing that your response contains location: https://my.liferay.it/c/portal/login?p_l_id=20184&windowState=8378327876640720401.owasp.org; since that contains the injected destination, it's counting it as a vuln.
I've submitted a fix to address this False Positive condition so that the checking is more restrictive.
After https://github.com/zaproxy/zap-extensions/pull/4116 is merged and the add-on re-released, your example redirect https://my.liferay.it/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=0&p_p_state=8378327876640720401.owasp.org&p_p_mode=view&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=/login/login&saveLastPath=false
should no longer trigger an alert.
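To make the false-positive mechanism in the answer above concrete, here is an added example (not ZAP's scan rule and not the code in the linked pull request) that contrasts a broad "canary appears anywhere in the Location value" check with a restrictive "the redirect target host is the canary host" check. The portal host, the canary host and the two raw HTTP responses are constructed from the values in the question; the function names are this example's own.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed values taken from the question: the portal's own host and the
# canary host a scanner injects so it can recognise it in a redirect target.
ORIGIN_HOST = "my.liferay.it"
CANARY_HOST = "8378327876640720401.owasp.org"

# Constructed responses. The first mirrors the question: the canary is only
# echoed back inside a query parameter of a same-host URL. The second is a
# genuine external redirect to the canary host.
FALSE_POSITIVE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://my.liferay.it/c/portal/login?p_l_id=20184"
    "&windowState=8378327876640720401.owasp.org\r\n"
    "Content-Length: 0\r\n\r\n"
)
TRUE_POSITIVE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://8378327876640720401.owasp.org/\r\n\r\n"
)


def location_header(raw_response: str) -> Optional[str]:
    """Return the Location header value of a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def naive_is_open_redirect(location: str, canary: str) -> bool:
    """Broad check: any occurrence of the canary in the Location value is a
    hit. This flags the question's same-host redirect, because the canary
    survives in a query parameter even though the browser never leaves
    the portal's host."""
    return canary.lower() in location.lower()


def strict_is_open_redirect(location: str, origin_host: str, canary: str) -> bool:
    """Restrictive check: report a hit only if the host the browser would
    actually be sent to is the canary host or a subdomain of it. A relative
    Location (no authority component) resolves against origin_host, so it
    can never count as external."""
    parts = urlsplit(location)
    host = (parts.hostname or origin_host).lower()
    canary = canary.lower()
    return host == canary or host.endswith("." + canary)


def scan(raw_response: str, origin_host: str, canary: str) -> str:
    """Classify one response the way a scanner would after the fix."""
    location = location_header(raw_response)
    if location is None:
        return "no-redirect"
    if strict_is_open_redirect(location, origin_host, canary):
        return "external-redirect"
    if naive_is_open_redirect(location, canary):
        return "canary-reflected-same-host"   # the question's case: not a vuln
    return "same-host"


if __name__ == "__main__":
    for label, resp in (("question", FALSE_POSITIVE_RESPONSE),
                        ("genuine", TRUE_POSITIVE_RESPONSE)):
        print(label, scan(resp, ORIGIN_HOST, CANARY_HOST))
```

The strict check deliberately uses the parsed hostname rather than a substring match, so a scheme-relative redirect such as //8378327876640720401.owasp.org/x still counts as external, while a same-host URL that merely echoes the canary in a parameter does not.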
CodePudding user response:
Are you using the ZAP Desktop? If so then have a look to see if any requests are made to the owasp.org domain.