Wildcard for HOST element in RequestMap

Wildcard for HOST element in RequestMap

athukral

Hi,

For native SPs, application configuration is picked up from the RequestMapper element in shibboleth2.xml. The sub-element tag HOST of a RequestMap defines application-specific configuration for authentication, authorization and application protection. The HOST element here CANNOT be a wildcard character, as per the shibboleth2.xml configuration help, etc.

This creates a possible attack vector where a nefarious user can update their local system's hosts file to use a custom domain OR simply navigate to the IP address, https://<host-ip-address>/<url>. Either of these options will allow for the application match NOT to be met in shibboleth2.xml and thus, the SAML authentication requirement would be skipped entirely.

Had the RequestMap element supported a wildcard in the Host match, versus the requirement that we have to specify a unique name, the above vulnerability would not have existed. This creates the vulnerability that ONLY requests to that specific URL are protected.


Regards,

Amit Thukral


--
To unsubscribe from this list send an email to [hidden email]
Re: Wildcard for HOST element in RequestMap

Cantor, Scott E.
On 8/14/19, 8:00 AM, "dev on behalf of Amit Thukral" <[hidden email] on behalf of [hidden email]> wrote:

> For native SPs, application configuration is picked up from the RequestMapper element in shibboleth2.xml

Not on Apache unless you ignore all of the documentation and warnings about it.

> This creates a possible attack vector where a nefarious user can update their local system's hosts file to
> use a custom domain OR simply navigate to the IP address, https://<host-ip-address>/<url>. Either of these
> options will allow for the application match NOT to be met in shibboleth2.xml and thus, the SAML authentication
> requirement would be skipped entirely.

No, it doesn't. On Apache you set UseCanonicalName, and on IIS the name is explicitly set in the configuration.

> Had the RequestMap element supported a wildcard in the Host match

It does, HostRegex.

-- Scott
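
An added example, not part of the thread and not Shibboleth code: a log audit that lists requests to a protected path whose Host header is covered by neither an exact host name nor a host pattern, which is the situation the thread discusses. The log format, host names, addresses and function names are constructed assumptions, and the matching is a simplified model on the bare host name, not the SP's own matching logic.

```python
import re

# Constructed sample in an assumed log format:
#   client "Host header" "request line" status
SAMPLE_LOG = '''\
203.0.113.7 "sp.example.org" "GET /secure/ HTTP/1.1" 302
203.0.113.9 "192.0.2.10" "GET /secure/ HTTP/1.1" 200
203.0.113.9 "evil.test" "GET /secure/report HTTP/1.1" 200
198.51.100.4 "app2.example.org:443" "GET /secure/ HTTP/1.1" 302
198.51.100.4 "-" "GET /secure/ HTTP/1.0" 400
'''

LINE_RE = re.compile(r'^(\S+) "([^"]*)" "(\S+) (\S+) [^"]*" (\d{3})$')

def normalize_host(raw):
    """Lower-case, drop port and trailing dot; None if no Host was sent."""
    host = raw.strip().lower()
    if host in ("", "-"):
        return None
    if host.startswith("["):                 # bracketed IPv6 literal
        end = host.find("]")
        host = host[1:end] if end != -1 else host
    elif host.count(":") == 1:               # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def unmapped_requests(log_text, exact_hosts, host_patterns, protected_prefix="/"):
    """Return (client, host, path, status) for protected-path requests
    whose Host header matches no exact name and no pattern."""
    exact = {h.lower() for h in exact_hosts}
    patterns = [re.compile(p, re.IGNORECASE) for p in host_patterns]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                         # skip lines in another format
        client, raw_host, _method, path, status = m.groups()
        if not path.startswith(protected_prefix):
            continue
        host = normalize_host(raw_host)
        covered = host is not None and (
            host in exact or any(p.fullmatch(host) for p in patterns))
        if not covered:
            findings.append((client, host, path, int(status)))
    return findings

if __name__ == "__main__":
    for row in unmapped_requests(SAMPLE_LOG, ["sp.example.org"],
                                 [r".+\.example\.org"], "/secure/"):
        print(row)
```

Findings with a 200 status on a protected path are the ones to check against the web server's canonical-name settings first.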

