Add test for example wildcard redirect domain from IETF doc and others
Description
From https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/21/:

Assume the redirect URL pattern https://*.somesite.example/* is registered for the client with the client ID s6BhdRkqt3. The intention is to allow any subdomain of somesite.example to be a valid redirect URI for the client, for example https://app1.somesite.example/redirect. A naive implementation on the authorization server, however, might interpret the wildcard * as "any character" and not "any character valid for a domain name". The authorization server, therefore, might permit https://attacker.example/.somesite.example as a redirect URI, although attacker.example is a different domain potentially controlled by a malicious party.
Since we are now allowing wildcard redirects, we should write a test that https://attacker.example/.somesite.example is always invalid.
This PDF has some other examples of redirect URLs to test (starting around page 15): https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Wang-Make-Redirection-Evil-Again.pdf
Manual testing indicates that FusionAuth currently rejects https://attacker.example/.somesite.example, but it'd be good to have an automated test to prevent regressions.
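As an added illustration of the regression test this issue asks for (not FusionAuth's own code), the block below puts a constructed naive matcher, which reads "*" as "any character", beside a component-wise matcher that only lets the wildcard stand for DNS labels. The pattern and the two URIs from the IETF text are used as-is; the userinfo and suffix variants are constructed extra cases.

```python
import re
from urllib.parse import urlsplit

# Pattern and first two URIs come from the IETF text; the other cases are constructed.
PATTERN = "https://*.somesite.example/*"

def naive_matches(pattern: str, uri: str) -> bool:
    """Constructed flawed matcher: '*' means 'any character' over the whole
    string, and a trailing '/*' means 'any path, possibly none'."""
    core, tail = (pattern[:-2], r"(?:/.*)?") if pattern.endswith("/*") else (pattern, "")
    regex = ".*".join(re.escape(part) for part in core.split("*")) + tail
    return re.fullmatch(regex, uri) is not None

# One DNS label: letters, digits and inner hyphens only (never '/', '@', '?' or '.').
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"

def _host_regex(host_pattern: str) -> str:
    """'*' is allowed only as the whole leading label and stands for one or
    more labels; the rest of the host is matched literally."""
    if host_pattern.startswith("*."):
        return rf"(?:{_LABEL}\.)+" + re.escape(host_pattern[2:])
    if "*" in host_pattern:
        raise ValueError("wildcard is only allowed as the leading host label")
    return re.escape(host_pattern)

def strict_matches(pattern: str, uri: str) -> bool:
    """Compare scheme, userinfo, host, port and path as separate components."""
    p, u = urlsplit(pattern), urlsplit(uri)
    if u.scheme != "https" or p.scheme != u.scheme:
        return False
    if u.username is not None or u.password is not None or u.hostname is None:
        return False          # e.g. https://app1.somesite.example@attacker.example
    if p.port != u.port:
        return False
    if not re.fullmatch(_host_regex(p.hostname), u.hostname, re.IGNORECASE):
        return False
    if u.fragment:            # RFC 6749 forbids fragments in redirect URIs
        return False
    path_regex = ".*".join(re.escape(seg) for seg in p.path.split("*"))
    return re.fullmatch(path_regex, u.path) is not None

if __name__ == "__main__":
    for uri in ("https://app1.somesite.example/redirect",
                "https://attacker.example/.somesite.example",
                "https://app1.somesite.example@attacker.example/redirect",
                "https://app1.somesite.example.attacker.example/redirect"):
        print(f"{uri:58} naive={naive_matches(PATTERN, uri)} strict={strict_matches(PATTERN, uri)}")
```

The naive matcher accepts https://attacker.example/.somesite.example because "*" swallows "attacker.example/"; the strict one rejects it because the host component is compared on its own.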