I've a Liferay community edition version 7.4.3.25-ga25 and I'm trying to analyze its security using OWASP ZAP tool. I receive, among other things, an high level alert on external redirect which I do not understand. Here are the details:
I can't understand what type of attack it is this, the page does effectively a redirect but it remains on the same domain and login page, I've only more parameters on the URL bar.
I've searched the web but did non find any useful information. By the way, I do not control such Liferay behaviour, I've not made any customization to the framework which alters the login page behaviour.
Can someone help me to figure it out the problem? Thanks
I'm guessing that your response contains location: https://my.liferay.it/c/portal/login?p_l_id=20184&windowState=8378327876640720401.owasp.org since that contains the injected destination it's counting it as vuln.
I've submitted a fix to address this False Positive condition so that the checking is more restrictive.
After https://github.com/zaproxy/zap-extensions/pull/4116 is merged and the add-on re-released then you're example redirect https://my.liferay.it/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=0&p_p_state=8378327876640720401.owasp.org&p_p_mode=view&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin&saveLastPath=false should no longer trigger an alert.