Open Redirection - TairinySimeonato/WebAuditing GitHub Wiki
What is it?
Open Redirection happens when a trusted page carries a link whose destination is taken from user-controllable input, so that visiting the link on the trusted site sends the user to an untrusted site chosen by an attacker.
The attack
An attacker can change the unvalidated URL input to point at an attacker-controlled website; the attacker can then phish users to that webpage and steal user credentials, for example.
Since the URL looks legitimate (it starts with the trusted website's address), it is easier to phish users because of its trustworthy appearance. Unvalidated redirects can also let an attacker craft a URL that passes the trusted site's access control check and then forwards the attacker to privileged functions that they would otherwise not have access to.
Example
- www.ebay.com accepts the attacker-supplied malicious URL www.fakeebay.com and redirects the user to www.fakeebay.com.
- When the user sees the link, it looks like www.ebay.com/redirect=www.fakeebay.com.
- The user thinks the eBay page is being accessed, since the fakeebay website looks identical to ebay.com, when in fact the user is performing actions on the attacker's website www.fakeebay.com.
How does a website redirect a user?
- Location header
- JavaScript code
Prevention
- Avoid the use of redirects and forwards.
- Do not allow a URL as user input for the destination, or have a method to validate the URL.
- Make sure that the user-supplied input is valid, appropriate for the application, and authorized for the user.
- Have any destination input be mapped to a value rather than inserted in the URL, and have server-side code translate this value to the target URL.
- Sanitize input by creating a list of trusted URLs (whitelist).
- Force all redirects to first go through a page telling users that they are being redirected to another page, and make them click a link to confirm the action.
- Ensure that the URL is being explicitly declared in the code and cannot be modified by an attacker.
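The following is an added example (not code from the wiki) showing two of the prevention items above in working code: a destination mapped from a short key, and a user-supplied URL validated against a whitelist of hosts. It assumes the hypothetical hosts www.mysite.com and accounts.mysite.com, and falls back to a fixed default instead of following anything it cannot prove safe.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed whitelist: the only hosts a redirect is allowed to target.
ALLOWED_HOSTS = {"www.mysite.com", "accounts.mysite.com"}
DEFAULT_TARGET = "https://www.mysite.com/"

# Mapping approach: the client sends a short key, never a URL.
REDIRECT_MAP = {
    "home": "https://www.mysite.com/",
    "login": "https://accounts.mysite.com/login",
}


def redirect_by_key(key):
    """Return the mapped destination for key, or the default for unknown keys."""
    return REDIRECT_MAP.get(key, DEFAULT_TARGET)


def safe_redirect_target(user_url):
    """Validate a user-supplied URL; return an absolute URL on a whitelisted host.

    Backslashes are turned into slashes first because browsers treat them as
    slashes, so "/\\evil.com" would otherwise look like a harmless local path.
    """
    if not isinstance(user_url, str) or not user_url.strip():
        return DEFAULT_TARGET
    candidate = user_url.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading slash ("//host" and "///host"
        # are scheme-relative in browsers and must be rejected).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("https", "www.mysite.com", parts.path, parts.query, ""))
        return DEFAULT_TARGET
    try:
        host, port = parts.hostname, parts.port  # hostname is lower-cased
    except ValueError:  # malformed port
        return DEFAULT_TARGET
    if parts.scheme != "https" or host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    if parts.username is not None or port not in (None, 443):
        return DEFAULT_TARGET  # "https://good@evil" tricks and odd ports
    # Rebuild from the validated pieces; the fragment is dropped.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
```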
Safe Redirects
Java
response.sendRedirect("http://www.mysite.com");
PHP
<?php
/* Redirect browser */
header("Location: http://www.mysite.com");
?>
ASP.NET
Response.Redirect("~/folder/Login.aspx")
Sources
- https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
- https://portswigger.net/kb/issues/00500100_open-redirection-reflected
- https://www.youtube.com/watch?v=-nOih7rolX8
- https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md
- https://dzone.com/articles/what-is-an-open-redirection-vulnerability-and-how