Prevent redirection from URL injection in the Developer Portal

Hi Everyone,

We have a concern about a security vulnerability in our developer portal. It is related to URL injection that allows a user to be redirected to other sites.

Below is the example URL injection:

https:///files/..%5C..%5C..%5CPOC%20HTTP/1.1%0aHost%3A%20example.com%0A%0A

We tried to add the below in the Content Security Policy (CSP) ( Publish → Portals → Security → ); but it is not preventing the redirection. Could you please let us know what is missing? Is there any way to prevent such injection attacks?

  • default-src 'unsafe-eval' 'unsafe-inline' * data:
  • default-src 'self' 'unsafe-url' 'unsafe-eval' 'unsafe-inline' * data:
  • default-src 'self' 'unsafe-url' 'unsafe-eval' 'unsafe-inline' * data: referrer no-referrer

Regards,
Vernon
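A Content Security Policy restricts which resources the browser may load for a page; it does not stop the server from answering a request with a redirect, so a CSP directive cannot block the behaviour described above. The defence belongs on the server, where the redirect target is validated before the `Location` header is written. The following is an added example of such a check, not code from the portal product or from anyone in this thread. It assumes a hypothetical allow-list host `portal.example.com`; the first sample input is the URL quoted in the post (with its hostname absent, as it appears there), the others are constructed here.

```python
from urllib.parse import urlsplit, unquote

# Assumption: the portal's own hostname(s); anything else is refused.
ALLOWED_HOSTS = {"portal.example.com"}


def redirect_target_is_safe(raw: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> bool:
    """Return True only if `raw` is a redirect target the server should honour.

    Checks, in order:
    1. percent-decode repeatedly (catches double encoding such as %252e) and
       refuse any control character, since an embedded CR/LF is what lets a
       target smuggle extra headers like "Host:" into the response;
    2. refuse backslashes and dot-dot segments, which servers and browsers
       may normalise into path traversal;
    3. accept a same-site path that starts with a single "/", or an absolute
       https URL whose host is on the allow-list; a missing host
       ("https:///...") and a scheme-relative "//other-host" are refused.
    """
    decoded = raw
    for _ in range(3):                      # bounded loop: stop when stable
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return False                        # CR, LF, NUL, tab, ...
    if "\\" in decoded or ".." in decoded.split("/"):
        return False                        # traversal attempts

    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc:
        # relative target: exactly one leading slash keeps it on this site
        return decoded.startswith("/") and not decoded.startswith("//")
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return bool(host) and host in allowed_hosts


# Constructed sample inputs: the first is the one quoted in the post.
SAMPLES = [
    "https:///files/..%5C..%5C..%5CPOC%20HTTP/1.1%0aHost%3A%20example.com%0A%0A",
    "https://portal.example.com/docs",
    "/docs/getting-started",
    "//evil.example/landing",
    "https://portal.example.com/%252e%252e/admin",
    "http://portal.example.com/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{'allow' if redirect_target_is_safe(s) else 'refuse':6} {s}")
```

The decode-before-check order matters: checking the raw string for `\n` would miss `%0a`, and checking once would miss `%250a`. Anything the function refuses should fall back to a fixed safe page rather than being echoed into a `Location` header.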

Don’t have a solution but I am also interested to know if there is a known solution to prevent redirect via URL injection. I tested out the example provided by ‘vernon08’ in our own integrated developer portal and the redirect behaviour occurred just as was described.


vernon08, can you explain specifically where you’re providing that URL as input?

Here is my understanding of URL injection: a malicious person must provide input to the website, and in that specially-crafted input, there’s a URL that is camouflaged or obscured, and the website is induced to … de-reference that URL and retrieve something, which then… leads to a problem.

I am not understanding where the vulnerability is… In which data field, on which devportal page, would a malicious user provide that URL, to lead to the URL injection?


I’m understanding the vulnerability as that a malicious actor may construct a URL with a ‘trusted’ hostname (e.g. for a published portal) that is allowed to redirect the user to a different (malicious) URL with a different host.

Thank you for reporting - the issue has already been acknowledged and a fix is being released.


This issue was recently reported to us through another channel, and a fix is slated to be rolled out in approximately a week. We don’t have a public bug tracker but I will update this thread when the fix has been released.

Update 3/26/24 - the fix has rolled out to production.


The fix has rolled out to production.
