cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [1/6] cxf-fediz git commit: Adding malicious redirection test
Date Mon, 18 Jan 2016 14:18:13 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/1.2.x-fixes 46b05ed9a -> 85258b076


Adding malicious redirection test


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/8c99b2f6
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/8c99b2f6
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/8c99b2f6

Branch: refs/heads/1.2.x-fixes
Commit: 8c99b2f672c6525fccde600f8cd502956194b7d1
Parents: 46b05ed
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Nov 16 16:53:49 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jan 18 13:42:05 2016 +0000

----------------------------------------------------------------------
 .../fediz/integrationtests/AbstractTests.java   | 82 ++++++++++++++++++++
 1 file changed, 82 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8c99b2f6/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index c636aeb..88ab429 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -25,14 +25,21 @@ import org.w3c.dom.Node;
 
 import com.gargoylesoftware.htmlunit.CookieManager;
 import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.HttpMethod;
 import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.WebRequest;
 import com.gargoylesoftware.htmlunit.html.DomElement;
 import com.gargoylesoftware.htmlunit.html.DomNodeList;
 import com.gargoylesoftware.htmlunit.html.HtmlForm;
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+import com.gargoylesoftware.htmlunit.util.NameValuePair;
 import com.gargoylesoftware.htmlunit.xml.XmlPage;
 
+import java.net.URL;
+import java.net.URLEncoder;
+import java.util.ArrayList;
+
 import org.apache.cxf.fediz.core.ClaimTypes;
 import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.core.util.DOMUtils;
@@ -577,4 +584,79 @@ public abstract class AbstractTests {
         Assert.assertTrue("Unexpected content of RP page", bodyTextContent2.contains("Secure
Test"));
     }
     
+    @org.junit.Test
+    public void testMaliciousRedirect() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+        String user = "alice";
+        String password = "ecila";
+        
+        CookieManager cookieManager = new CookieManager();
+        
+        // 1. Login
+        HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+        
+        // 2. Now we should have a cookie from the RP and IdP and should be able to do
+        // subsequent requests without authenticate again. Lets test this first.
+        WebClient webClient = new WebClient();
+        webClient.setCookieManager(cookieManager);
+        webClient.getOptions().setUseInsecureSSL(true);
+        HtmlPage rpPage = webClient.getPage(url);
+        Assert.assertTrue("WS Federation Systests Examples".equals(rpPage.getTitleText())
+                          || "WS Federation Systests Spring Examples".equals(rpPage.getTitleText()));
+        
+        // 3. Now a malicious user sends the client a URL with a bad "wreply" address to
the IdP
+        String maliciousURL = "https://www.apache.org/attack";
+        String idpUrl
+         = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation";
+        idpUrl += "?wa=wsignin1.0&wreply=" + URLEncoder.encode(maliciousURL, "UTF-8");
+        idpUrl += "&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld";
+        idpUrl += "&whr=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Aidp%3Arealm-A";
+        
+        final WebClient webClient2 = new WebClient();
+        webClient2.setCookieManager(cookieManager);
+        webClient2.getOptions().setUseInsecureSSL(true);
+        webClient2.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient2.getOptions().setJavaScriptEnabled(false);
+        final HtmlPage idpPage = webClient2.getPage(idpUrl);
+        webClient2.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Check that the form is to be posted to the malicious URL
+        DomNodeList<DomElement> formResults = idpPage.getElementsByTagName("form");
+        Assert.assertTrue(formResults.size() == 1);
+        Assert.assertEquals(formResults.get(0).getAttributeNS(null, "action"), maliciousURL);
+        
+        // Parse the form to get the token (wresult)
+        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+        
+        String wresult = null;
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+                wresult = result.getAttributeNS(null, "value");
+            }
+        }
+        Assert.assertNotNull(wresult);
+
+        // 4. Now the malicious user has the token. Try to invoke on the endpoint
+        final WebClient webClient3 = new WebClient();
+        webClient3.getOptions().setUseInsecureSSL(true);
+        
+        WebRequest requestSettings = new WebRequest(new URL(url), HttpMethod.POST);
+
+        requestSettings.setRequestParameters(new ArrayList<NameValuePair>());
+        requestSettings.getRequestParameters().add(new NameValuePair("wa", "wsignin1.0"));
+        requestSettings.getRequestParameters().add(new NameValuePair("wresult", wresult));
+        requestSettings.getRequestParameters().add(new NameValuePair("wtrealm", 
+                                                                     "urn:org:apache:cxf:fediz:fedizhelloworld"));
+
+        try {
+            rpPage = webClient3.getPage(url);
+            Assert.fail("Exception expected");
+        } catch (FailingHttpStatusCodeException ex) {
+            Assert.assertEquals(ex.getStatusCode(), 401);
+        }
+    }
 }


Mime
View raw message