The application does not provide the state parameter in the authentication flow. Attackers can exploit this behavior for Cross-Site Request Forgery (CSRF) attacks. A state parameter with high entropy is required.
For example: opening the URL https://my.server/my-app/servlet/callback?client_name=pac4j-generic&code=LMC22f[...]AAABn results in a session cookie being issued and thus in a successful login to the application, even though no state parameter value was provided. An attacker could exploit this behavior to perform a Cross-Site Request Forgery (CSRF) attack: if a user clicks such a link, the user's own session is replaced by the attacker's session. If the user does not notice the session switch, sensitive information could end up stored in the attacker's account.
Configuration
A CSRF token (the OIDC state value) is generated if this is enabled via the configuration:
<with-state>true</with-state>
In:
<config service-class="com.top_logic.security.auth.pac4j.config.Pac4jConfigFactory">
  <instance>
    <clients>
      <client name="...">
        <with-state>true</with-state>
      </client>
    </clients>
  </instance>
</config>
Improvement
The default value for "with-state" is set to true, so that in future it must be explicitly disabled if protection against CSRF is not wanted.
Test
- Login via OIDC
- Check that a token is generated in org.pac4j.core.util.generator.RandomValueGenerator.generateValue(CallContext)
- Check that in org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.extract(CallContext) the token is compared with the token stored in the session.
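The following is an added example, not TopLogic or pac4j code, that models the check the test steps above describe and the vulnerable behavior from the report: a high-entropy state value is generated when the login starts, bound to the server-side session, and compared (constant-time, one-time use) with the state returned on the callback. The session attribute name, the endpoint and client values, and the authorization code "LMC22f" are constructed assumptions; with_state=False reproduces the reported flaw where a callback carrying only a code is accepted.

```python
# Added example (not TopLogic or pac4j code): models the OIDC authorization-code
# flow's state check that the "with-state" setting enables. Assumptions: a
# dict-like server-side session and a callback whose query string carries
# "code" and optionally "state", as in the URL quoted in the report.
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SESSION_STATE_KEY = "oidc_state"  # assumed session attribute name


def begin_login(session: dict, authorize_endpoint: str, client_id: str,
                redirect_uri: str) -> str:
    """Build the authorization request and bind a fresh high-entropy state to the session."""
    state = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    session[SESSION_STATE_KEY] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{authorize_endpoint}?{query}"


def query_params(url: str) -> dict:
    """Return the single-valued query parameters of a URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_callback(session: dict, callback_url: str,
                    with_state: bool = True) -> Optional[str]:
    """Return the authorization code to exchange, or None if the callback is rejected.

    with_state=False reproduces the behaviour in the report: a code is accepted
    even though no state was ever issued for this session, so a victim can be
    logged into whatever session the code belongs to.
    """
    params = query_params(callback_url)
    code = params.get("code")
    if not code:
        return None
    if not with_state:
        return code  # vulnerable path: no binding to the initiating browser session
    # One-time use: the stored state is consumed on the first callback attempt,
    # whether or not that attempt succeeds, so it cannot be replayed.
    expected = session.pop(SESSION_STATE_KEY, None)
    received = params.get("state")
    if expected is None or received is None:
        return None  # callback without a login started in this session
    if not hmac.compare_digest(expected, received):
        return None  # state does not match the one issued to this session
    return code
```

With with_state=True, a callback URL that lacks a state, carries a state for a session that never started a login, or repeats an already-consumed state is rejected; only the browser whose session initiated the request can complete it.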