-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory Title
==============
ARA-2018-002: Open redirect in prescreen.io web applications

Affected Product(s) and Environment(s)
=======================================
Product: jobbase.io and prescreenapp.io (Prescreen International GmbH)
Environments: All browsers and operating systems

Security Risk
=============
Severity: Medium
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)
CVSS v3: 5.4

## Impact
Confidentiality: Low
Integrity: Low
Availability: None

## Exploitability
Access Vector: Network
Access Complexity: Low
Privileges Required: None
User Interaction: Required

## Scope
Scope: Unchanged

Remediation Level
=================
Unavailable

Timeline
========
2018-11-02: Vendor Notification
2018-12-11: Vendor Fix (incomplete)
2018-12-13: Request for Completion of Fix
2018-12-14: Vendor Fix (complete)
2018-12-20: Public Disclosure

Description Summary
===================
The application management tools of the vendor prescreen.io allow open redirects to third-party websites.

Product Introduction
====================
"Prescreen is a cloud-based applicant tracking system that enables you to publish job vacancies online and offline and give candidates the opportunity to apply for jobs directly. Prescreen gathers all applications collectively, analyses the data and helps you with your evaluation. This makes time and labour-intensive processes more efficient."
[Prescreen website](https://prescreen.io/en/)

Technical Description
=====================
The prescreen web applications use a redirect parameter in a URL they send to users by e-mail. These URLs have the format

https://.jobbase.io/auth/?ref=https://.jobbase.io/apply?skip_intro=true&src=wl

for the candidate frontend jobbase.io and

https://.prescreenapp.io/user/auth/2q0f3ga4ngmc4kc8cggcs044kows4wc?ref=//.prescreenapp.io/recruiter/job/new

for the employer frontend prescreenapp.io. The value of 'ref' is the target the user is redirected to after authentication; a protocol-relative value ('//host/...') is accepted alongside an absolute 'https://' one.
Proof of Concept (PoC)
======================
A malicious user can abuse this redirect function as an open redirect to a website not controlled by prescreen. For example, they can set up a phishing page on the domain evilpage.de and use the open redirect to forward users to it. The URLs to use in this case would be:

https://test2.prescreenapp.io/user/auth/2q0f3ga4ngmc4kc8cggcs044kows4wc?ref=//evilpage.de

or

https://test2.jobbase.io/auth/byt5a65xp340k80kww44sogcw80scwc?ref=https://evilpage.de

Limiting the allowed values of the parameter 'ref' by whitelisting only 'jobbase.io' and 'prescreenapp.io' is not sufficient if the check only looks for those strings somewhere in the value: attackers could bypass such a measure by setting up phishing pages like jobbase.io.evilpage.de or prescreenapp.io.evilpage.de and use the open redirect, notwithstanding the whitelisting, to forward users to domains outside of prescreen's control. In this case, the URLs would look like this:

https://test2.prescreenapp.io/user/auth/2q0f3ga4ngmc4kc8cggcs044kows4wc?ref=//prescreenapp.io.evilpage.de

or

https://test2.jobbase.io/auth/byt5a65xp340k80kww44sogcw80scwc?ref=https://jobbase.io.evilpage.de

Since the redirect seems to require a valid token in the path, the attacker has to generate a valid token before sending out the e-mail with the redirect URL. Because the URL points at the genuine vendor host and the e-mail is the channel the vendor itself uses for these links, the redirect lends the phishing page the credibility of the legitimate domain.

Solution
========
The value of the parameter 'ref' should be validated before the redirect is executed. In general, redirects to websites outside the vendor's own control should be rejected. This should be implemented by strictly defining the regular expression allowed as the value of the parameter 'ref', making use of 'begins with' and 'ends with' anchors so that the allowed domain must be the complete host, not merely a substring of it.
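The following Python is an added example, not code from the advisory or from Prescreen. It contrasts the insufficient substring whitelist described in the PoC with a strict check that anchors the host comparison at both ends, as the Solution section recommends. It uses the standard library's URL parser rather than a regular expression (the anchoring idea is the same), and it assumes that the two vendor domains, including their customer subdomains, over https are the only legitimate redirect targets. The sample 'ref' values are constructed from the advisory's PoC URLs.

```python
from urllib.parse import urlsplit

# Assumption: the vendor's two application domains from the advisory are the
# only legitimate redirect targets (customer subdomains such as test2.jobbase.io
# are allowed as well).
ALLOWED_DOMAINS = ("jobbase.io", "prescreenapp.io")


def naive_ref_ok(ref: str) -> bool:
    """The insufficient whitelist the advisory warns about: accept any 'ref'
    that merely *contains* an allow-listed domain name somewhere."""
    return any(domain in ref for domain in ALLOWED_DOMAINS)


def strict_ref_ok(ref: str) -> bool:
    """Accept 'ref' only if it is an absolute https URL whose host is exactly
    an allow-listed domain or a subdomain of one.

    Equivalent to a regex anchored with 'begins with' and 'ends with':
    the whole host must match, so 'jobbase.io.evilpage.de' fails because
    it does not *end* with '.jobbase.io', and '//evilpage.de' fails because
    it does not *begin* with 'https://'.
    """
    # Some browsers treat '\' like '/' in URLs; normalise before parsing so a
    # value such as 'https:\\evilpage.de' is judged the way a browser sees it.
    parts = urlsplit(ref.replace("\\", "/"))
    if parts.scheme != "https":
        return False  # rejects protocol-relative '//host' and plain http
    host = parts.hostname  # lower-cased; userinfo ('user@') and port removed
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def safe_redirect_target(ref: str, fallback: str) -> str:
    """What the auth endpoint should redirect to: 'ref' if it passes the
    strict check, otherwise a fixed in-house landing page."""
    return ref if strict_ref_ok(ref) else fallback


# Constructed sample values, taken from the advisory's PoC plus two classic
# bypass shapes (credentials-in-URL and backslash) a validator must also stop.
SAMPLE_REFS = [
    "https://test2.jobbase.io/apply?skip_intro=true&src=wl",  # legitimate
    "//evilpage.de",                                          # PoC 1
    "https://evilpage.de",                                    # PoC 2
    "//prescreenapp.io.evilpage.de",                          # whitelist bypass
    "https://jobbase.io.evilpage.de",                         # whitelist bypass
    "https://jobbase.io@evilpage.de/",                        # userinfo trick
    "https:\\\\evilpage.de",                                  # backslash trick
]


def evaluate(refs=SAMPLE_REFS):
    """Return {ref: (naive_verdict, strict_verdict)} for each sample value."""
    return {ref: (naive_ref_ok(ref), strict_ref_ok(ref)) for ref in refs}


if __name__ == "__main__":
    for ref, (naive, strict) in evaluate().items():
        print(f"{ref:55} naive={naive!s:5} strict={strict!s:5}")
```

Only the first sample passes the strict check; the naive substring whitelist accepts both `jobbase.io.evilpage.de` and `prescreenapp.io.evilpage.de`, which is exactly the incomplete fix the advisory describes.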
References
==========
[aramido responsible disclosure policy](https://aramido.de/blog/Sicherheitshinweise)

Author
======
Armin Harbrecht, aramido GmbH
E-mail: armin.harbrecht@aramido.de
PGP-Key: https://aramido.de/armin.harbrecht.asc
PGP-Fingerprint: E644 A4BD 7723 8620 FDA5 88C5 C483 060D 2B5F 83A0

Disclaimer
==========
The information provided in this advisory is provided "as is" without any warranty. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the aramido web site. aramido GmbH disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. aramido GmbH or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if aramido GmbH or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Copyright
=========
CC-BY-4.0 http://creativecommons.org/licenses/by/4.0/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJcG8UKAAoJEM5Pl4/4kex/JSkP+wX+01g/ZzGh4VE9CZlCCjFb
LBGM7d/9OGoUng3ZjhaxkPmR8CcmH5yxPR6xXUaoiI70FoEAqQrxEY9osG5wW54Q
sc5CovyP1+BZjAenSllI51GJxvxGsXHUT4FzuKLYoMk3dK/MIHWcsgLMEQ5PL4PN
QSSwZ6c4AQ17xP6UE1knLe78WquoxjGTbWQ9MHX3nOdC4ToKCyZP4Uif2xIP4NQn
BPiG5TLpWpNkHNgiibkmsfeRxJaso95uymdo7yNRAsZfcYDPlNKvjVkVHQrOFEnP
ZceEIAxoju7pG05hO0DUcobzFGpN8dz7k186GQFPY3hC+YtT/eGffOiYOHjKH5dl
G5M5Dd4BGY6D1ZlwQpOMnxILF86AEkaS9Q2st405+Yv8xsDZzTpgxcYe+H7rJsQY
lPa/NKT//MtC1J3flIJxI6LsmsCfR5KOgnGTGJ29S/vWv4jwMgHvYbRZvwcG49Dn
caeKcmLkpcApxmam68iy2zH1mUUnALPGfG96zMJh00KZytKZlbiDSN0bfvxKdz0X
tj0VmCVq2uT+sLxkWDePaHvA8vt6Imq2kBB5dxpV5o9DDRX4pD7UeUT9OniBRk+Q
gRMYM6diRT4STSJTYBpJIYR880JwsJ1I9sCudaYVIKXUkwpSC1m6yr+lgHQzSgW8
9G7Otx/2PZg9muOSbOg0
=1UCe
-----END PGP SIGNATURE-----