Warn about Open Redirect and Reply attacks

pitbulk · pitbulk · commit 4c4d54005b8d · 2021-10-18T21:21:11.000+02:00
diff --git a/README.md b/README.md
@@ -125,6 +125,36 @@ your environment is not secure and will be exposed to attacks.
 
 In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
 
+
+### Avoiding Open Redirect attacks ###
+
+Some implementations uses the RelayState parameter as a way to control the flow when SSO and SLO succeeded. So basically the
+user is redirected to the value of the RelayState.
+
+If you are using Signature Validation on the HTTP-Redirect binding, you will have the RelayState value integrity covered, otherwise, and
+on HTTP-POST binding, you can't trust the RelayState so before
+executing the validation, you need to verify that its value belong
+a trusted and expected URL.
+
+Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html).
+
+### Avoiding Reply attacks ###
+
+A reply attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).
+
+SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that
+make harder this kind of attacks, but they are still possible.
+
+In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy valdidated and processed. Those values only need
+to be stored the amount of time of the SAML Message life time, so 
+we don't need to store all processed message/assertion Ids, but the most recent ones.
+
+The OneLogin_Saml2_Auth class contains the [get_last_request_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L357), [get_last_message_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L364) and [get_last_assertion_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L371) methods to retrieve the IDs 
+
+Checking that the ID of the current Message/Assertion does not exists in the lis of the ones already processed will prevent reply
+attacks.
+
+
 Getting Started
 ---------------
 
diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
@@ -84,6 +84,8 @@ def index(request):
             request.session['samlNameIdSPNameQualifier'] = auth.get_nameid_spnq()
             request.session['samlSessionIndex'] = auth.get_session_index()
             if 'RelayState' in req['post_data'] and OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the req['post_data']['RelayState'] is a trusted URL.
                 return HttpResponseRedirect(auth.redirect_to(req['post_data']['RelayState']))
         elif auth.get_settings().is_debug_active():
             error_reason = auth.get_last_error_reason()
@@ -96,6 +98,8 @@ def index(request):
         errors = auth.get_errors()
         if len(errors) == 0:
             if url is not None:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the url is a trusted URL
                 return HttpResponseRedirect(url)
             else:
                 success_slo = True
diff --git a/demo-flask/index.py b/demo-flask/index.py
@@ -83,6 +83,8 @@ def index():
             session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in request.form and self_url != request.form['RelayState']:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the request.form['RelayState'] is a trusted URL.
                 return redirect(auth.redirect_to(request.form['RelayState']))
         elif auth.get_settings().is_debug_active():
             error_reason = auth.get_last_error_reason()
@@ -95,6 +97,8 @@ def index():
         errors = auth.get_errors()
         if len(errors) == 0:
             if url is not None:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the url is a trusted URL.
                 return redirect(url)
             else:
                 success_slo = True
diff --git a/demo-tornado/views.py b/demo-tornado/views.py
@@ -46,6 +46,8 @@ def post(self):
             session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in self.request.arguments and self_url != self.request.arguments['RelayState'][0].decode('utf-8'):
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the self.request.arguments['RelayState'][0] is a trusted URL.
                 return self.redirect(self.request.arguments['RelayState'][0].decode('utf-8'))
         elif auth.get_settings().is_debug_active():
             error_reason = auth.get_last_error_reason()
@@ -104,6 +106,8 @@ def get(self):
             errors = auth.get_errors()
             if len(errors) == 0:
                 if url is not None:
+                    # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                    # the value of the url is a trusted URL.
                     return self.redirect(url)
                 else:
                     success_slo = True
diff --git a/demo_pyramid/demo_pyramid/views.py b/demo_pyramid/demo_pyramid/views.py
@@ -70,6 +70,8 @@ def index(request):
             session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in request.POST and self_url != request.POST['RelayState']:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the request.POST['RelayState'] is a trusted URL.
                 return HTTPFound(auth.redirect_to(request.POST['RelayState']))
         else:
             error_reason = auth.get_last_error_reason()
@@ -79,6 +81,8 @@ def index(request):
         errors = auth.get_errors()
         if len(errors) == 0:
             if url is not None:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the url is a trusted URL.
                 return HTTPFound(url)
             else:
                 success_slo = True
