Open redirect: Shibboleth SSO Logout Return Parameter

calendar Jan 12, 2026  ·
Share on: linkedin copy

Detects links that contain a Shibboleth SSO logout endpoint with a return parameter, which could be used for open redirect attacks. The rule checks for both direct path inclusion and URL-encoded versions in query parameters. Only triggers on senders with non-common prevalence.

Sublime rule (View on GitHub)

 1name: "Open redirect: Shibboleth SSO Logout Return Parameter"
 2description: "Detects links that contain a Shibboleth SSO logout endpoint with a return parameter, which could be used for open redirect attacks. The rule checks for both direct path inclusion and URL-encoded versions in query parameters. Only triggers on senders with non-common prevalence."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          // uses shibboleth.sso directly within the path
 9          (
10            strings.icontains(.href_url.path, '/Shibboleth.sso/Logout')
11            and strings.icontains(.href_url.path, 'return=')
12          )
13          // or url encoded within the query_params
14          or (
15            strings.icontains(.href_url.query_params, 'Shibboleth.sso%2fLogout')
16            and strings.icontains(.href_url.query_params, "return%3d")
17          )
18  )
19  and profile.by_sender_email().prevalence != "common"  
20attack_types:
21  - "Credential Phishing"
22tactics_and_techniques:
23  - "Open redirect"
24  - "Evasion"
25detection_methods:
26  - "HTML analysis"
27  - "URL analysis"
28  - "Sender analysis"
29id: "374b7517-bb48-5fed-885c-16d27f561e55"
to-top