Open Redirect (OR) - Ravi-Upadhyay/cyber-security-playground GitHub Wiki

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way.


Explanation

Classification of Redirections

  • HTTP response status codes
    • 300 Multiple Choices
    • 301 Moved Permanently
    • 302 Found
    • 303 See Other
    • 307 Temporary Redirect
  • HTTP Location header (Location: http://example.org)
  • Refresh header
  • Meta redirects (HTML meta refresh tag)
  • JavaScript Redirects
    • window.open('http://0x.lv')
    • location.replace('http://0x.lv')
    • location.assign('http://0x.lv')
    • location.href='http://0x.lv/'
    • location='http://0x.lv/'
    • location.port='8080' // only changes the port, so a partial redirect
    • document.URL() // IE only
  • Other methods
    • Flash
    • PDFs
    • Java
    • Special URI handlers

Redirections in HTTP

In HTTP, redirection is triggered by the server answering a request with a special redirect response. Redirect responses carry a 3xx status code and a Location header holding the URL to redirect to; the browser then issues a new request to that URL.


Risk Matrix


Exploitations

  • An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.
  • This behavior can be leveraged to facilitate phishing attacks against users of the application.
  • The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
  • Open Redirect to XSS: https://www.originalwebsite.com/login?redirect=javascript:alert(document.cookie)

Fixes

  • If possible, applications should avoid incorporating user-controllable data into redirection targets.
  • Do not try to write your own URL parser to decide whether each URL is "proper":
    • It is not feasible to blacklist every possible URL.
    • There are many ways of writing the same URL, and URL shortener services add yet another layer of indirection.
  • Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.

Rule of thumb: URLs are evil. URL = Unfortunate Redirect Launcher.

Code Snippets

// Experiment: will prefixing the site's own origin make the redirect safe? (No.)
String newPath = request.getParameter("redirect");
response.setStatus(302);
response.setHeader("Location", "https://originalwebsite.com" + newPath);

// Runtime, with user input ".attacker.com":
//   https://originalwebsite.com/login?redirect=.attacker.com
// The concatenation produces
//   Location: https://originalwebsite.com.attacker.com
// so the 302 sends the browser to a host under attacker.com: the parameter is
// appended to the hostname, not to a path under originalwebsite.com.
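The concatenation above next to the "index into a server-side list" fix from the Fixes section, as an added example that is not part of the wiki page. The allowlist entries, the class name and the plain static methods (no servlet API) are assumptions made so the example runs stand-alone.

```java
import java.net.URI;
import java.util.List;

public class RedirectDemo {
    static final String BASE = "https://originalwebsite.com";

    // Server-side list of permitted redirect targets (assumed for this example).
    // The client never sends a URL, only a position in this list.
    static final List<String> ALLOWED = List.of(
        BASE + "/dashboard",
        BASE + "/account",
        BASE + "/logout");

    // Vulnerable: builds the Location value exactly as the snippet above does.
    static String vulnerableTarget(String redirectParam) {
        return BASE + redirectParam;
    }

    // Hardened: parse the parameter as an index; anything that is not a valid
    // index falls back to a fixed default, so the caller controls neither host
    // nor scheme (a "javascript:" value is simply not a number).
    static String safeTarget(String indexParam) {
        try {
            int i = Integer.parseInt(indexParam.trim());
            if (i >= 0 && i < ALLOWED.size()) {
                return ALLOWED.get(i);
            }
        } catch (NumberFormatException ignored) {
            // non-numeric input: fall through to the default entry
        }
        return ALLOWED.get(0);
    }

    // Host the browser will actually connect to after following the Location header.
    static String hostOf(String location) {
        return URI.create(location).getHost();
    }

    public static void main(String[] args) {
        String evil = vulnerableTarget(".attacker.com");
        System.out.println(evil + " -> host " + hostOf(evil));
        String ok = safeTarget("1");
        System.out.println(ok + " -> host " + hostOf(ok));
        System.out.println(safeTarget("https://attacker.com") + " (URL input ignored)");
        System.out.println(safeTarget("javascript:alert(1)") + " (javascript: input ignored)");
    }
}
```

Running main shows the vulnerable variant resolving to the host originalwebsite.com.attacker.com, while every safeTarget result stays on originalwebsite.com regardless of the input.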

Resources Over Web


To do list

[ ] Explore the variations of Open Redirect.