
Open Redirect Vulnerability

Open NinjaGPT opened this issue 5 months ago • 0 comments

Summary

In the latest version 6.0.0, the OAuth logout functionality performs a URL redirect when clearing tokens. However, the redirect target parameter is user-controllable and lacks security validation, allowing attackers to exploit this vulnerability to launch phishing and other attacks against users.

Details

  • src/main/java/com/central/oauth/handler/OauthLogoutSuccessHandler.java
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
    if (securityProperties.getAuth().getUnifiedLogout()) {
       unifiedLogoutService.allLogout();
    }

    // redirect_url is taken straight from the request with no validation of its host or scheme
    String redirectUri = request.getParameter(REDIRECT_URL);
    if (StrUtil.isNotEmpty(redirectUri)) {
       // redirect to the specified address
       redirectStrategy.sendRedirect(request, response, redirectUri);
    } else {
       // "登出成功" = "logout succeeded"
       ResponseUtil.responseWriter(objectMapper, response, "登出成功", 0);
    }
}

POC

http://localhost:9900/api-uaa/oauth/remove/token?redirect_url=http://google.com/

NinjaGPT, Jul 26 '25 01:07
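The fix a practitioner would want for the handler above is to validate the redirect target before calling sendRedirect, failing closed on anything that is not a local path or an allow-listed host. The following is an added example written for this issue, not code from the microservices-platform project: a standalone validator plus a helper that returns a safe fallback. The allow-listed hosts (localhost, app.example.com) and the fallback path /login are placeholder assumptions; a real deployment would load them from configuration. The sample inputs in main are constructed and include the PoC URL from this report together with the usual bypass shapes (protocol-relative //host, userinfo tricks, backslashes, non-http schemes).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example: validator for an externally supplied post-logout redirect target.
// Not part of the microservices-platform code base.
public final class RedirectUrlValidator {

    // Assumption: hosts that are allowed as absolute redirect targets (placeholders).
    private static final Set<String> ALLOWED_HOSTS = Set.of("localhost", "app.example.com");

    // Assumption: where to send the user when the requested target is rejected.
    private static final String FALLBACK_PATH = "/login";

    private RedirectUrlValidator() {}

    /** Returns true only if the candidate is a local path or points at an allow-listed host. */
    public static boolean isSafeRedirect(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return false;
        }
        String s = candidate.trim();

        // Control characters and backslashes are rejected outright: several browsers
        // normalise "\" to "/", so "/\evil.example" would become "//evil.example".
        for (char c : s.toCharArray()) {
            if (c <= 0x20 || c == 0x7f || c == '\\') {
                return false;
            }
        }

        // A protocol-relative reference ("//evil.example/") is absolute to the browser.
        if (s.startsWith("//")) {
            return false;
        }

        URI uri;
        try {
            uri = new URI(s);
        } catch (URISyntaxException e) {
            return false; // unparsable input is treated as unsafe
        }

        if (uri.getScheme() == null) {
            // Relative reference: must be a single-slash absolute path with no authority part.
            return s.startsWith("/") && uri.getRawAuthority() == null;
        }

        // Absolute URL: only http(s), no userinfo ("http://localhost@evil.example/"),
        // and the parsed host must be on the allow-list (exact match, not suffix match,
        // so "localhost.evil.example" is rejected).
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        if (uri.getRawUserInfo() != null || uri.getHost() == null) {
            return false;
        }
        return ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }

    /** What a hardened onLogoutSuccess would hand to redirectStrategy.sendRedirect. */
    public static String safeRedirectOrFallback(String candidate) {
        return isSafeRedirect(candidate) ? candidate.trim() : FALLBACK_PATH;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the PoC URL from this report.
        String[] samples = {
            "/dashboard",
            "http://localhost:9900/api-uaa/",
            "http://google.com/",
            "//google.com/",
            "http://localhost@google.com/",
            "/\\google.com",
            "javascript:alert(1)",
            "http://localhost.google.com/",
        };
        for (String s : samples) {
            System.out.printf("%-5s %-35s -> %s%n", isSafeRedirect(s), s, safeRedirectOrFallback(s));
        }
    }
}
```

In the handler this replaces the raw parameter with safeRedirectOrFallback(request.getParameter(REDIRECT_URL)) before sendRedirect is called. The allow-list check is deliberately an exact host match rather than startsWith or endsWith, because prefix and suffix checks are exactly the kind of validation that attacker-registered domains such as localhost.attacker.example defeat.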