You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2015/11/16 18:26:04 UTC
cxf-fediz git commit: Adding malicious redirection test
Repository: cxf-fediz
Updated Branches:
refs/heads/master 562316478 -> a73b2654b
Adding malicious redirection test
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a73b2654
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a73b2654
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a73b2654
Branch: refs/heads/master
Commit: a73b2654b48bf5dd80eef9613dfa03893a087991
Parents: 5623164
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Nov 16 16:53:49 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Nov 16 17:26:01 2015 +0000
----------------------------------------------------------------------
.../fediz/integrationtests/AbstractTests.java | 83 ++++++++++++++++++++
1 file changed, 83 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a73b2654/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 6c56ea3..160ff07 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -25,14 +25,21 @@ import org.w3c.dom.Node;
import com.gargoylesoftware.htmlunit.CookieManager;
import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.HttpMethod;
import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.WebRequest;
import com.gargoylesoftware.htmlunit.html.DomElement;
import com.gargoylesoftware.htmlunit.html.DomNodeList;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+import com.gargoylesoftware.htmlunit.util.NameValuePair;
import com.gargoylesoftware.htmlunit.xml.XmlPage;
+import java.net.URL;
+import java.net.URLEncoder;
+import java.util.ArrayList;
+
import org.apache.cxf.fediz.core.ClaimTypes;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.util.DOMUtils;
@@ -635,4 +642,80 @@ public abstract class AbstractTests {
Assert.assertTrue("Unexpected content of RP page", bodyTextContent2.contains("Secure Test"));
}
+
+ @org.junit.Test
+ public void testMaliciousRedirect() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ CookieManager cookieManager = new CookieManager();
+
+ // 1. Login
+ HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+
+ // 2. Now we should have a cookie from the RP and IdP and should be able to do
+ // subsequent requests without authenticate again. Lets test this first.
+ WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ HtmlPage rpPage = webClient.getPage(url);
+ Assert.assertTrue("WS Federation Systests Examples".equals(rpPage.getTitleText())
+ || "WS Federation Systests Spring Examples".equals(rpPage.getTitleText()));
+
+ // 3. Now a malicious user sends the client a URL with a bad "wreply" address to the IdP
+ String maliciousURL = "https://www.apache.org/attack";
+ String idpUrl
+ = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation";
+ idpUrl += "?wa=wsignin1.0&wreply=" + URLEncoder.encode(maliciousURL, "UTF-8");
+ idpUrl += "&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld";
+ idpUrl += "&whr=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Aidp%3Arealm-A";
+
+ final WebClient webClient2 = new WebClient();
+ webClient2.setCookieManager(cookieManager);
+ webClient2.getOptions().setUseInsecureSSL(true);
+ webClient2.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient2.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient2.getPage(idpUrl);
+ webClient2.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Check that the form is to be posted to the malicious URL
+ DomNodeList<DomElement> formResults = idpPage.getElementsByTagName("form");
+ Assert.assertTrue(formResults.size() == 1);
+ Assert.assertEquals(formResults.get(0).getAttributeNS(null, "action"), maliciousURL);
+
+ // Parse the form to get the token (wresult)
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ String wresult = null;
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ wresult = result.getAttributeNS(null, "value");
+ }
+ }
+ Assert.assertNotNull(wresult);
+
+ // 4. Now the malicious user has the token. Try to invoke on the endpoint
+ final WebClient webClient3 = new WebClient();
+ webClient3.getOptions().setUseInsecureSSL(true);
+
+ WebRequest requestSettings = new WebRequest(new URL(url), HttpMethod.POST);
+
+ requestSettings.setRequestParameters(new ArrayList<NameValuePair>());
+ requestSettings.getRequestParameters().add(new NameValuePair("wa", "wsignin1.0"));
+ requestSettings.getRequestParameters().add(new NameValuePair("wresult", wresult));
+ requestSettings.getRequestParameters().add(new NameValuePair("wtrealm",
+ "urn:org:apache:cxf:fediz:fedizhelloworld"));
+
+ try {
+ rpPage = webClient3.getPage(url);
+ Assert.fail("Exception expected");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 401);
+ }
+ }
}