Details
- Type: Bug
- Status: Closed
- Priority: P2
- Resolution: Done
- Sprint: CP: sprint 88, CP: sprint 89, CP: R3 2022 roadmap
- 5
- Core: Platform
Description
Impact
An attacker can associate their own FOLIO account with a victim's session on the FOLIO application (a login CSRF). As a result, the victim may unknowingly use the attacker's FOLIO account while interacting with the application.
Description
The FOLIO application does not employ any mechanism to prevent CSRF attacks in the SSO flow. The first endpoint accepts the SAMLResponse parameter from the IdP, sets a session ID on the client and redirects the user to the second endpoint, which retrieves the JWT from the query parameters (ssoToken) and uses it to interact with the API endpoints. Neither request carries anything that ties it to the browser that started the login, so a request copied from the attacker's own login completes the flow in any browser that opens it.

A user of the FOLIO application can submit personal and potentially sensitive information about patrons, tenants and libraries to the application. If the victim does so while unknowingly logged in to the attacker's account, the attacker is able to observe all of that activity through their own FOLIO account. Note that both of the target endpoints can be used to perform a CSRF attack during the SSO flow.
Repro steps
Via the first endpoint (the one that accepts SAMLResponse):
1. Log in to the application using an attacker's account with SSO enabled. Intercept the request to the SSO endpoint on the application (the first endpoint in the Location section), copy the request URL and then drop the request.
2. Browse to the copied URL in a new browser instance with cleared cookies and observe that the login flow completes successfully, leaving that browser logged in as the attacker's account.
Via the second endpoint (sso-landing):
1. Obtain a valid token from an attacker account and open the following URL (with the value of ssoToken replaced by the obtained token) in a new browser session:
https://bugfest.folio.ebsco.com/sso-landing?ssoToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsInVzZXJfaWQiOiJhMDU4ZjI4Zi04MGFjLTQ5OTQtYWRkNi1lNGQwMmZjMjM4ZmUiLCJpYXQiOjE1ODIyMzE1MjMsInRlbmFudCI6ImZzMDAwMDEwMDAifQ.u4xRSZQnE1PjiYttQSNVd3JJ_Su44zOQRu2dprnQ67U&fwd=%2F
Recommendation
Ensure that a state parameter analogous to the OAuth 2.0 state parameter (in SAML, RelayState fills this role) is used to maintain state between the IdP and the application. Before redirecting the user to the IdP, the application should generate a unique, securely random string, bind it to the user's browser (for example in a cookie) and pass it as the value of the parameter, so that the callback endpoint can verify that the value returned with the SAMLResponse matches the one issued to that browser; a request without a matching value must be rejected, and each value should be accepted only once. Because both target endpoints can be abused, the landing endpoint that consumes ssoToken needs the same binding to the browser's session, not only the SAMLResponse endpoint. For more information, refer to RFC 6749 (section 10.12, Cross-Site Request Forgery).
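To make the missing check concrete, here is an added example in Python: a constructed in-memory model of the two endpoints described above. It is not mod-login-saml's code and not the fix the linked tickets delivered. The class, method and cookie names (SsoService, begin_login, sso_login, session), the "saml:<subject>" placeholder standing in for a SAMLResponse and the "jwt.<subject>.<nonce>" placeholder token are all assumptions for illustration. The same service runs once without and once with a browser-bound RelayState/state check, so both repro scenarios can be replayed against each variant.

```python
"""Constructed model of the two-step SSO flow the issue describes (not FOLIO code)."""
import hmac
import secrets


class Browser:
    """Stand-in for one browser profile: just a cookie jar."""

    def __init__(self):
        self.cookies = {}


class SsoService:
    def __init__(self, csrf_protected):
        self.csrf_protected = csrf_protected
        self.pending = {}   # login cookie -> state handed to the IdP as RelayState
        self.sessions = {}  # session cookie -> (state, token)

    def begin_login(self, browser):
        """Mint a random state and bind it to this browser before the IdP redirect.
        The return value travels to the IdP as RelayState. The vulnerable flow
        has no equivalent step, so the value is simply never checked there."""
        state = secrets.token_urlsafe(32)
        login_cookie = secrets.token_urlsafe(32)
        self.pending[login_cookie] = state
        browser.cookies["sso_login"] = login_cookie
        return state

    def saml_callback(self, saml_response, relay_state, browser):
        """First endpoint: receives SAMLResponse (and RelayState) from the IdP."""
        if self.csrf_protected:
            # Single use: consume the state issued to the browser presenting the cookie.
            expected = self.pending.pop(browser.cookies.get("sso_login"), None)
            if expected is None or not hmac.compare_digest(expected, relay_state):
                return {"status": 403, "reason": "RelayState not issued to this browser"}
        # Assertion signature checks are out of scope; "saml:<subject>" is a placeholder.
        subject = saml_response.split(":", 1)[1]
        token = f"jwt.{subject}.{secrets.token_hex(4)}"  # placeholder, not a real JWT
        session_cookie = secrets.token_urlsafe(32)
        self.sessions[session_cookie] = (relay_state, token)
        browser.cookies["session"] = session_cookie
        return {"status": 302,
                "location": f"/sso-landing?ssoToken={token}&state={relay_state}&fwd=%2F"}

    def sso_landing(self, sso_token, state, browser):
        """Second endpoint: the client picks the JWT out of the query string."""
        if self.csrf_protected:
            # Accept the token only from the browser whose session minted it.
            stored = self.sessions.get(browser.cookies.get("session"))
            if (stored is None
                    or not hmac.compare_digest(stored[0], state)
                    or not hmac.compare_digest(stored[1], sso_token)):
                return {"status": 403, "reason": "token not bound to this browser"}
        return {"status": 200, "logged_in_as": sso_token.split(".")[1]}


def _query(location):
    return dict(kv.split("=", 1) for kv in location.split("?", 1)[1].split("&"))


def callback_csrf_succeeds(csrf_protected):
    """Scenario via the first endpoint: the attacker copies the callback request
    and the victim opens it from a cookie-less browser. True if the victim
    ends up logged in as the attacker."""
    svc, attacker, victim = SsoService(csrf_protected), Browser(), Browser()
    relay = svc.begin_login(attacker)
    resp = svc.saml_callback("saml:attacker", relay, victim)  # replayed by the victim
    if resp["status"] != 302:
        return False
    q = _query(resp["location"])
    landing = svc.sso_landing(q["ssoToken"], q["state"], victim)
    return landing["status"] == 200 and landing["logged_in_as"] == "attacker"


def landing_csrf_succeeds(csrf_protected):
    """Scenario via the second endpoint: the attacker finishes their own login,
    then sends the victim only the sso-landing URL carrying the attacker's token."""
    svc, attacker, victim = SsoService(csrf_protected), Browser(), Browser()
    resp = svc.saml_callback("saml:attacker", svc.begin_login(attacker), attacker)
    q = _query(resp["location"])
    return svc.sso_landing(q["ssoToken"], q["state"], victim)["status"] == 200


def legitimate_login_works(csrf_protected):
    """Control: one browser carries the whole flow, which must keep working."""
    svc, user = SsoService(csrf_protected), Browser()
    resp = svc.saml_callback("saml:alice", svc.begin_login(user), user)
    q = _query(resp["location"])
    landing = svc.sso_landing(q["ssoToken"], q["state"], user)
    return landing["status"] == 200 and landing["logged_in_as"] == "alice"


if __name__ == "__main__":
    for protected in (False, True):
        print(f"csrf_protected={protected}: callback replay={callback_csrf_succeeds(protected)} "
              f"landing replay={landing_csrf_succeeds(protected)} "
              f"legitimate={legitimate_login_works(protected)}")
```

With csrf_protected=False both replays succeed, matching the two repro scenarios; with csrf_protected=True both are refused with 403 while the legitimate login still completes. The two things that close the hole are the cookie set before the IdP redirect (so the state can only be redeemed by the browser that started the login) and the landing endpoint refusing a token that was not issued to the presenting session.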
Issue Links
- blocks
  - MODLOGSAML-65 Create mod-login-saml security release (Closed)
- is blocked by
  - MODLOGSAML-63 Implement CSRF Prevention (Closed)
  - OKAPI-847 Conditionally defer CORS handling to module when invoked via passthrough API (Closed)
  - OKAPI-876 CORS delegation doesn't work with preflight/OPTIONS requests (Closed)
  - STCOR-544 Set credentials: include on fetch to /saml/login (Closed)
- relates to
  - FOLIO-2524 Security Audit raised issues (Open)
  - MODLOGSAML-58 Arbitrary URL Redirection in SAML Response (Closed)
  - STCOR-740 JWT Token should not be stored in localstorage (Closed)