What is Unvalidated Redirects vulnerability and how to secure the Liferay Portal to prevent it?

Let’s start with a quick definition of  Unvalidated Redirects vulnerability.

Unvalidated Redirect, also known as Open Redirect, is a security flaw in web applications (or web pages) that occurs when an attacker can redirect users to an untrusted site while they are clicking a link on a trusted website. To better understand this attack, take a look at the sample below:

An HTTP GET request has been sent to a locally installed Liferay Portal version 7 using the Insomnia application. The only change in this request is the Host header, which has been set to attacker.com.



When you look at the source code in the response body, you will see that the hostname in many anchor, link and script tags has been changed to attacker.com. Consequently, if a user clicks on any of these links, they will be redirected to the attacker's website, which they did not expect.



Therefore, to protect the Liferay Portal from this type of vulnerability, you need to configure portal-ext.properties, which is located at the path below:

/tomcat-[VERSION]/webapps/ROOT/WEB-INF/classes/portal-ext.properties

And the configuration is:

# Input a list of comma-delimited valid domains and IPs that the portal is
# allowed to use.
#
virtual.hosts.valid.hosts=localhost,127.0.0.1,mysite.com
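To confirm that the setting actually took effect, it helps to automate the check described above: request a page with an unexpected Host header and flag any absolute URL in the response whose hostname is the one you injected. The script below is an example added to this article, not Liferay's own code; the portal URL, the host name attacker.invalid and the sample response body are all constructed for illustration.

```python
"""Detect an untrusted Host header reflected into absolute URLs of a
Liferay response (the open-redirect symptom described in the article).
Example code added to the article; not part of Liferay."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import urllib.request


class _UrlCollector(HTMLParser):
    """Collect href/src/action values from tags that can send the browser elsewhere."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link", "script", "form", "img", "iframe"):
            for name, value in attrs:
                if name in ("href", "src", "action") and value:
                    self.urls.append(value)


def reflected_urls(html, untrusted_host):
    """Return every URL in html whose hostname equals untrusted_host.
    Relative URLs and URLs on other hosts are ignored."""
    parser = _UrlCollector()
    parser.feed(html)
    hits = []
    for url in parser.urls:
        host = urlsplit(url).hostname  # None for relative URLs
        if host and host == untrusted_host.lower():
            hits.append(url)
    return hits


def check_portal(url, untrusted_host="attacker.invalid", timeout=10):
    """Fetch url with a spoofed Host header (hypothetical host) and report reflections.
    With virtual.hosts.valid.hosts configured correctly this should return []."""
    req = urllib.request.Request(url, headers={"Host": untrusted_host})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return reflected_urls(body, untrusted_host)


# Constructed sample of a response body as an unprotected portal would emit it.
SAMPLE_VULNERABLE = """<html><head>
<link rel="stylesheet" href="http://attacker.invalid/o/frontend-theme/css/main.css">
<script src="http://attacker.invalid/o/frontend-js-web/aui/aui.js"></script>
</head><body>
<a href="http://attacker.invalid/web/guest/home">Home</a>
<a href="/web/guest/about">About</a>
<a href="http://mysite.com/web/guest/contact">Contact</a>
</body></html>"""

if __name__ == "__main__":
    for hit in reflected_urls(SAMPLE_VULNERABLE, "attacker.invalid"):
        print("reflected:", hit)
```

Run check_portal("http://localhost:8080/", "attacker.invalid") against your own test instance before and after adding the property; an empty list afterwards means the portal no longer builds its links from the request's Host header.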