Open Redirect: Shibboleth SSO Logout Return Parameter
Detects links that contain a Shibboleth SSO logout endpoint with a return parameter, which could be used for open redirect attacks. The rule checks for both direct path inclusion and URL-encoded versions in query parameters. Only triggers on senders with non-common prevalence.
Sublime rule
name: "Open Redirect: Shibboleth SSO Logout Return Parameter"
description: "Detects links that contain a Shibboleth SSO logout endpoint with a return parameter, which could be used for open redirect attacks. The rule checks for both direct path inclusion and URL-encoded versions in query parameters. Only triggers on senders with non-common prevalence."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // uses shibboleth.sso directly within the path
          (
            strings.icontains(.href_url.path, '/Shibboleth.sso/Logout')
            and strings.icontains(.href_url.path, 'return=')
          )
          // or url encoded within the query_params
          or (
            strings.icontains(.href_url.query_params, 'Shibboleth.sso%2fLogout')
            and strings.icontains(.href_url.query_params, "return%3d")
          )
  )

  and profile.by_sender_email().prevalence != "common"

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Open redirect"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "URL analysis"
  - "Sender analysis"
id: "374b7517-bb48-5fed-885c-16d27f561e55"
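As an added example (not part of the Sublime rule or its repository), the Python below applies the same two-part logic offline to a set of constructed sample links: a Shibboleth logout endpoint with a return parameter, either in the link itself or percent-encoded inside another link's query parameters, gated on sender prevalence. It generalizes the rule's second branch by fully decoding each query value, so double-encoded variants are caught as well; the hostnames are placeholders.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

LOGOUT = "/shibboleth.sso/logout"  # compared case-insensitively, like strings.icontains


def _fully_decode(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; bounded so hostile input cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def shibboleth_logout_redirect(url: str) -> bool:
    """True when the link, or any URL nested in its query string, points at a
    Shibboleth logout endpoint that carries a return= parameter."""
    parts = urlsplit(url)
    # Branch 1: the logout endpoint is the link's own path and return= is in its query
    if LOGOUT in parts.path.lower() and "return=" in parts.query.lower():
        return True
    # Branch 2: the logout URL is encoded inside another link's query parameters
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = _fully_decode(value).lower()
        if LOGOUT in decoded and "return=" in decoded:
            return True
    return False


def flag_links(links, sender_prevalence: str) -> list:
    """Mirror the rule's sender gate: links from 'common' senders are never flagged."""
    if sender_prevalence == "common":
        return []
    return [u for u in links if shibboleth_logout_redirect(u)]


# Constructed sample links; idp.example.edu, tracker.example and phish.example are placeholders.
SAMPLE_LINKS = [
    "https://idp.example.edu/Shibboleth.sso/Logout?return=https://phish.example/login",
    "https://tracker.example/click?u=https%3A%2F%2Fidp.example.edu%2FShibboleth.sso%2FLogout%3Freturn%3Dhttps%3A%2F%2Fphish.example",
    "https://tracker.example/click?u=https%253A%252F%252Fidp.example.edu%252FShibboleth.sso%252FLogout%253Freturn%253Dhttps%253A%252F%252Fphish.example",
    "https://idp.example.edu/Shibboleth.sso/Logout",          # logout without return=: benign
    "https://www.example.edu/about/return=policy",            # return= without the endpoint: benign
]

if __name__ == "__main__":
    for link in flag_links(SAMPLE_LINKS, sender_prevalence="new"):
        print("FLAGGED:", link)
```

The first three sample links are flagged for a non-common sender; the last two, and every link from a "common" sender, are not.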