Channel: Forcepoint Community
unsafe redirect in the authentication handler of the proxy appliance

The proxy uses an unsafe redirect. One could use a specially crafted URL, encoded in base64, which points to an internal host controlled by a hacker. The hacker could send the following link via email to another internal user.
http://Proxy:8080/auth/?du=[urlinbase64]
To a user reading the email with this link, the URL looks legitimate, with a reference to the proxy and an internal host (however, encoded in base64).
If the user clicks on this link, the browser automatically sends the user's credentials. If, as shown below, the hacker runs a program in order to sniff the NTLM hashes sent, the hacker is then able to impersonate a valid, trusted user.

V10K G2 appliance, running 7.7.3

Below is proof showing that this type of attack can be successful.
RFE: please do not make use of this kind of redirection on a URL parameter.
Internal reference: M06
< picture available >
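The check the RFE asks for, as an added example that is not part of the original post and not Forcepoint's own code: a decoder for the `du=` parameter, the unvalidated redirect behaviour the post describes beside a hardened variant that only honours allowlisted hosts or same-site paths, and a scanner that flags access-log lines carrying a `du=` value pointing elsewhere. The allowlist, the default landing page, the log-line format and all sample links are constructed assumptions; the real appliance's configuration is not known from the post.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs, quote

# Assumed allowlist of hosts a post-authentication redirect may target,
# and the fixed page to land on when du= is missing or rejected.
TRUSTED_HOSTS = {"proxy", "intranet.example.local"}
DEFAULT_LANDING = "http://intranet.example.local/"


def encode_du(target: str) -> str:
    """Build a du= value the way the link in the post carries it: base64 of the
    target URL, percent-encoded so '+', '/' and '=' survive the query string."""
    return quote(base64.b64encode(target.encode()).decode(), safe="")


def decode_du(value: str):
    """Decode du=, tolerating URL-safe alphabet and stripped padding.
    Returns None when the value is not base64 or not UTF-8."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def vulnerable_redirect_target(auth_url: str):
    """Behaviour the post describes: whatever du= decodes to becomes the redirect."""
    du = parse_qs(urlsplit(auth_url).query).get("du")
    return decode_du(du[0]) if du else None


def safe_redirect_target(auth_url: str, trusted=TRUSTED_HOSTS, default=DEFAULT_LANDING) -> str:
    """Hardened variant: honour only same-site paths or absolute http(s) URLs whose
    hostname is allowlisted; everything else falls back to the fixed landing page."""
    target = vulnerable_redirect_target(auth_url)
    if target is None:
        return default
    try:
        t = urlsplit(target)
        host = (t.hostname or "").lower()   # raises ValueError on malformed IPv6 literals
    except ValueError:
        return default
    if t.scheme == "" and t.netloc == "":
        # Same-site relative path. "//host" and "/\host" are scheme-relative in
        # browsers and would leave the site, so require exactly one leading slash.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return default
    # Absolute URL: urlsplit().hostname strips userinfo, so a decoy such as
    # "http://proxy@10.0.0.5/" is judged on 10.0.0.5, not on "proxy".
    if t.scheme in ("http", "https") and host in trusted:
        return target
    return default


def flag_suspicious_auth_requests(log_lines, trusted=TRUSTED_HOSTS):
    """Detection over constructed access-log lines of the form '<client> <method> <url>':
    report (client, decoded target) for every /auth/ request whose du= value the
    hardened check would have refused."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3 or "/auth/" not in fields[2]:
            continue
        url = fields[2]
        target = vulnerable_redirect_target(url)
        if target is not None and safe_redirect_target(url, trusted) != target:
            hits.append((fields[0], target))
    return hits


# Constructed sample links and log lines (hypothetical addresses).
ATTACKER_LINK = "http://Proxy:8080/auth/?du=" + encode_du("http://10.0.0.5/")
LEGIT_LINK = "http://Proxy:8080/auth/?du=" + encode_du("http://intranet.example.local/home")
SAMPLE_LOG = [
    "10.1.1.20 GET " + LEGIT_LINK,
    "10.1.1.21 GET " + ATTACKER_LINK,
    "10.1.1.22 GET http://Proxy:8080/auth/?du=" + encode_du("http://proxy@10.0.0.5/"),
    "10.1.1.23 GET http://Proxy:8080/status",
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_redirect_target(ATTACKER_LINK))
    print("hardened:  ", safe_redirect_target(ATTACKER_LINK))
    for client, target in flag_suspicious_auth_requests(SAMPLE_LOG):
        print("suspicious du= from", client, "->", target)
```

The hardened check matches on the parsed hostname rather than on a substring of the decoded URL, which is what defeats the `user@host` and scheme-relative decoys; the log scanner reuses the same decision so that detection and prevention cannot drift apart.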

