Submission #833962: GitHub hsweb-framework 5.0.0 Open Redirect

Information

Title: GitHub hsweb-framework 5.0.0 Open Redirect

Description:

### Overview

The OAuth2 authorization endpoint validates redirect_uri using a string prefix check: redirectUri.startsWith(this.redirectUrl)

```java
String redirectUri = param.getOrDefault("redirect_uri", client.getRedirectUrl());
client.validateRedirectUri(redirectUri);

public void validateRedirectUri(String redirectUri) {
    if (ObjectUtils.isEmpty(redirectUri) || (!redirectUri.startsWith(this.redirectUrl))) {
        throw new OAuth2Exception(ErrorType.ILLEGAL_REDIRECT_URI);
    }
}
```

### Impact

Assume an OAuth2 client has registered the following callback URL:

https://trusted.example.com

An attacker can submit the following redirect_uri:

https://trusted.example.com:password@evil.com

This value passes the startsWith("https://trusted.example.com") validation. However, according to URL parsing semantics, the actual destination host is evil.com, while trusted.example.com:password is treated as the URL userinfo component. An attacker could exploit this behavior to redirect the authorization code to evil.com, creating an authorization code leakage risk.

### Simple Verification

GET /oauth2/authorize?response_type=code&client_id=<clientId>&redirect_uri=https://trusted.example.com:password@evil.com/callback&state=audit

The validation passes and returns a URL similar to:

https://trusted.example.com:password@evil.com/callback?code=<authorization_code>&state=audit

If the caller proceeds to redirect to this URL, the authorization code will be sent to the attacker-controlled domain evil.com.
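The two checks side by side, as an added example that is not hsweb-framework code: the prefix check quoted in the report, and a hypothetical replacement that parses the candidate with java.net.URI, rejects any value carrying userinfo or a fragment, and then requires an exact string match against the registered callback list (the comparison RFC 6749 section 3.1.2.3 calls for). The class and method names, and the sample registered and crafted values, are constructed for this example; evil.com is the report's placeholder host.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Added example, not hsweb-framework code: why a prefix check on the raw
// redirect_uri string is insufficient, and what an exact-match check looks like.
public class RedirectUriValidation {

    // Constructed sample values taken from the report's scenario.
    static final String REGISTERED = "https://trusted.example.com";
    static final String CRAFTED = "https://trusted.example.com:password@evil.com/callback";

    // Vulnerable: the prefix check from the report. Anything that merely starts
    // with the registered URL passes, regardless of where it actually points.
    static boolean prefixCheck(String registered, String candidate) {
        return candidate != null && candidate.startsWith(registered);
    }

    // Hardened (hypothetical replacement): parse the candidate, refuse URIs that
    // carry userinfo or a fragment, and require an exact match against the list
    // of registered redirect URIs rather than a prefix match.
    static boolean exactMatchCheck(List<String> registered, String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return false;
        }
        // "user:pass@" in front of the real host is exactly the trick the report describes.
        if (uri.getUserInfo() != null || uri.getFragment() != null || uri.getHost() == null) {
            return false;
        }
        // Simple string comparison against what the client registered.
        return registered.contains(candidate);
    }

    // What a URL parser actually treats as the destination host of a candidate.
    static String effectiveHost(String candidate) {
        try {
            return new URI(candidate).getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        List<String> allowed = List.of(REGISTERED + "/callback");
        System.out.println("prefixCheck accepts crafted value:  " + prefixCheck(REGISTERED, CRAFTED));
        System.out.println("effective host of crafted value:    " + effectiveHost(CRAFTED));
        System.out.println("exactMatchCheck accepts crafted:    " + exactMatchCheck(allowed, CRAFTED));
        System.out.println("exactMatchCheck accepts registered: "
                + exactMatchCheck(allowed, REGISTERED + "/callback"));
    }
}
```

Running the class shows the prefix check accepting the crafted value while java.net.URI reports evil.com as its host; the exact-match check rejects it (both because of the userinfo component and because the string is not in the registered list) and accepts only the registered callback itself. Rejecting userinfo outright is defence in depth: a legitimate OAuth2 redirect URI has no reason to embed credentials.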
Source: https://github.com/hs-web/hsweb-framework/issues/354
User: 0Xrry (UID 86188)
Submitted: 20/05/2026 09:37 AM (22 days ago)
Moderation: 07/06/2026 11:40 AM (18 days later)
Status: Approved
VulDB entry: 369097 [hs-web hsweb-framework up to 5.0.1 OAuth2 Client OAuth2Client.java OAuth2Client Redirect]
Points: 20
