Added: ability to match hostname to block open redirect vulns.

Author: dave83649

src/Extensions/ExtensionInterface.php

@@ -51,6 +51,14 @@ public function forceExit($ruleId);
      */
     public function getIpAddress();
 
+    /**
+     * Get the hostname of the environment.
+     * This is only used for open redirect vulnerabilities.
+     * 
+     * @return string
+     */
+    public function getHostName();
+
     /**
      * Determine if the request should be passed without going through the firewall.
      *

src/Extensions/Test/Extension.php

@@ -74,6 +74,17 @@ public function isWhitelisted($whitelistRules, $request)
         return false;
     }
 
+    /**
+     * Get the hostname of the environment.
+     * This is only used for open redirect vulnerabilities.
+     * 
+     * @return string
+     */
+    public function getHostName()
+    {
+        return 'wordpress.test';
+    }
+
     /**
      * Determine if the current request is a file upload request.
      *

src/Extensions/WordPress/Extension.php

@@ -195,6 +195,17 @@ public function getIpAddress()
         return $this->core->get_ip();
     }
 
+    /**
+     * Get the hostname of the environment.
+     * This is only used for open redirect vulnerabilities.
+     * 
+     * @return string
+     */
+    public function getHostName()
+    {
+        return parse_url(home_url(), PHP_URL_HOST);
+    }
+
     /**
      * Check the custom whitelist rules defined in the backend of WordPress
      * and attempt to match it with the request.

src/Processor.php

@@ -374,6 +374,21 @@ public function matchParameterValue($match, $value)
             return $this->matchParameterValue($match['match'], $value);
         }
 
+        // If the user provided value does not match the current hostname.
+        if ($matchType == 'hostname' && is_string($value)) {
+            if (empty($value)) {
+                return false;
+            }
+
+            // We only care about the hostname.
+            $host = parse_url($value, PHP_URL_HOST);
+            if (!$host) {
+                return true;
+            }
+
+            return $host !== $this->extension->getHostName();
+        }
+
         // If any of the uploaded files in the parameter matches a sub-match condition.
         if ($matchType == 'file_contains' && isset($match['match'])) {
             // Extract all tmp_names.

tests/FirewallTest.php

@@ -226,5 +226,24 @@ public function testRules()
         );
         $this->assertFalse($this->processor->launch(false));
         $this->alterPayload();
+
+        // Detect an open redirect vulnerability
+        $this->setUpFirewallProcessor([$this->rules[15]]);
+        $this->alterPayload(
+            ['GET' => [
+            'tourl' => 'https://wordpress.test/my-location/'
+            ]]
+        );
+        $this->assertTrue($this->processor->launch(false));
+        $this->alterPayload();
+
+        $this->setUpFirewallProcessor([$this->rules[15]]);
+        $this->alterPayload(
+            ['GET' => [
+            'tourl' => 'https://badsite.com'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
     }
 }

tests/data/Rules.json

@@ -118,5 +118,13 @@
         "cat":"TEST",
         "type":"BLOCK",
         "type_params":null
+    },
+    {
+        "id":16,
+        "title":"Determine if a URL parameter contains an open redirect vulnerability.",
+        "rules":[{"parameter":"get.tourl","match":{"type":"hostname"}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
     }
 ]