[Progress News] [Progress OpenEdge ABL] Sitefinity CMS 11.1 Now Includes OpenRedirect Protection

Boyan Barnev
The built-in redirect validation mechanism introduced in Sitefinity CMS 11.1 now protects your website against Open Redirect vulnerabilities, eliminating one more way for malicious actors to attack your users.

One of the basic web security habits says check your hyperlinks before you click them. But how does this apply to the real-life example of a busy professional, rushing through the day, clicking through potentially thousands of links? Truth is, time is never enough to inspect every single link, and attackers are getting so crafty that even careful inspection might sometimes mislead you.

Sitefinity CMS takes some of that burden off your plate. Version 11.1 introduces an out-of-the-box redirect validation mechanism as part of the Web Security Module. Before we proceed with a walk-through of the new feature, let’s take a moment to summarize the problem it solves.

The OpenRedirect Vulnerability Described in 4 Steps

Let’s say, for example, that you own a popular eCommerce website. Your website, http://examplewebsite.com, has some logic that parses URL query strings and redirects users to the desired payment provider, based on the query string value. An attacker exploits this vulnerability by creating a website with a look and feel similar to one of the payment providers you use. Because your website is popular, it is easy for the attacker to send a blast of fraudulent emails to users, for example with a “Confirm your payment details” subject line. The emails contain a hyperlink leading to your site, but in the query string they pass the URL of the malicious site. For example: http://examplewebsite.com/paymentdetails?url=http://malicious.examplewebsite.com.

Here’s how it goes for the unsuspecting user:

  1. User receives the link in an email and clicks on it
  2. A browser is opened to serve the link, and sends a request to the server
  3. The server processes the query string and sends a response to the browser, instructing it to take the user to another location—the malicious site
  4. The unsuspecting user notices nothing, as the malicious site is carefully masked to look just like the real payment provider’s site, and proceeds to enter their payment details.

As the saying goes, a picture is worth a thousand words:


This scenario describes an Unvalidated Redirects and Forwards vulnerability, also known as Open Redirect.

How Sitefinity CMS Can Help

The built-in redirect validation mechanism introduced in Sitefinity CMS 11.1 protects your website (both frontend and backend) against Open Redirect vulnerabilities. The web security module prevents any malicious attempts to redirect users to an external location. This mechanism works by checking a detected redirect attempt against a configurable whitelist of trusted domains. If the web security module detects redirection to a domain that’s not configured as trusted, it intercepts this attempt and displays a warning message to the user instead of doing the redirect.
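The mechanism just described (an allowlist check on the redirect target, with a warning page served instead of the redirect when the target is not trusted), shown next to the vulnerable handler from the four-step scenario above, as an added example in Python. This is not Sitefinity’s own code and says nothing about how the Web Security Module is actually implemented; the host names, the `classify_redirect` and `decide_response` functions and the response dictionaries are all constructed for illustration. It goes a little beyond the page by normalising the URL the way browsers do, so that scheme-relative, backslash and userinfo variants are judged on the host the browser would really contact.

```python
"""Allowlist-based redirect validation (added example, not Sitefinity code).

A vulnerable handler that trusts the ?url= parameter is shown next to a
hardened one that classifies the target before deciding what to send.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed allowlist: the site itself and the payment providers it uses.
# Matching is exact on purpose: trusting "*.examplewebsite.com" would also
# trust malicious.examplewebsite.com if an attacker ever controlled it.
TRUSTED_HOSTS = {"examplewebsite.com", "pay.example-provider.test"}


def vulnerable_redirect(url_param: str) -> dict:
    """The 'before' case: whatever is in ?url= becomes the Location header."""
    return {"status": 302, "warning": False, "target": url_param}


def classify_redirect(target: str, trusted: set[str] = TRUSTED_HOSTS) -> str:
    """Return 'local', 'trusted' or 'external' for a redirect target.

    Normalisation mirrors what browsers do before resolving a URL, so the
    decision is made on the same host the browser would actually contact.
    """
    # Browsers strip leading/trailing whitespace and embedded tab/newline.
    cleaned = "".join(ch for ch in target.strip() if ch not in "\t\r\n")
    if not cleaned:
        return "local"  # empty ?url= falls back to the current page
    # Backslashes are treated as slashes in http(s) URLs, so '/\evil' is '//evil'.
    cleaned = cleaned.replace("\\", "/")
    # Any number of leading slashes (e.g. '///evil') is an authority, not a path.
    if cleaned.startswith("//"):
        cleaned = "//" + cleaned.lstrip("/")
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "external"  # javascript:, data:, mailto: are never followed
    if parts.netloc:
        # hostname drops userinfo ('trusted@evil') and the port before comparing.
        host = (parts.hostname or "").lower().rstrip(".")
        return "trusted" if host in trusted else "external"
    # No authority: accept only root-relative paths. 'http:evil.test' has a
    # scheme but no '//', yet browsers still resolve it to host evil.test.
    if parts.scheme or not cleaned.startswith("/"):
        return "external"
    return "local"


def decide_response(url_param: str) -> dict:
    """The hardened handler: redirect if local/trusted, otherwise interstitial.

    Mirrors the behaviour described above: the redirect is intercepted and the
    user is shown where the link would have taken them, with a choice to
    proceed or return to the home page.
    """
    verdict = classify_redirect(url_param)
    if verdict == "external":
        return {"status": 200, "warning": True, "target": url_param}
    return {"status": 302, "warning": False, "target": url_param}


if __name__ == "__main__":
    # The phishing link from the scenario above, with the ?url= value extracted.
    phish = "http://examplewebsite.com/paymentdetails?url=http://malicious.examplewebsite.com"
    url_param = phish.split("url=", 1)[1]
    print("vulnerable:", vulnerable_redirect(url_param))
    print("hardened:  ", decide_response(url_param))
```

Two design choices are worth noting. Only root-relative paths count as local; anything else without a recognised trusted host is treated as external, so a miss in the normalisation fails towards the warning page rather than towards a silent redirect. And the allowlist is matched exactly rather than by suffix, which is why the page’s own example host, malicious.examplewebsite.com, is classified as external even though it shares a parent domain with the site.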

[Image: openredirectwarningscreen.png, the redirect validation warning screen]

The warning screen informs users about the detected redirect attempt and provides further information about the redirect URL parameters. Users can decide whether to proceed to the redirect target or return to your Sitefinity CMS website home page. A well-thought-out detail is that the redirect validation warning page is fully customizable, so site owners can keep the security functionality while matching their existing website look and feel.

The redirect validation feature reliably detects attempts to redirect to external domains, but its job ends at detecting the redirect and displaying a warning. The decision whether to proceed with the link or return to the home page is left to the site visitor. Additionally, redirect validation provides no protection against a click on a link that points directly to an external domain. The Sitefinity CMS web security module cannot intervene in such cases, because the request never reaches your web server; the browser sends it straight to the external site.

Redirect validation is enabled by default for all new projects created with Sitefinity CMS 11.1, so you get this protection right away. For those of you planning to upgrade existing projects to 11.1, redirect validation is one more good reason to do so. Be aware that the feature is not enabled by default for upgraded projects. Make sure to add enabling it to your upgrade to-do checklist, unless you have a good reason not to benefit from this new addition to the Sitefinity CMS web security module.
