open redirect

An open redirect occurs when a web application or server takes a user-submitted link and redirects the user to that website or page. Letting the user decide which page they are sent to looks like a harmless action, but it is not.

How does the exploitation work?

When a user clicks a link on a legitimate website, they often won't be suspicious if a login prompt suddenly appears. To launch a successful phishing attack, the attacker sends the victim a link, for example via email, that exploits the open redirect on the vulnerable website.

Example:

https://abc.com/redirect.php?go=http://xyz.com/phish/

By exploiting the open redirect vulnerability on the legitimate website, the attacker redirects the victim to http://xyz.com/phish/, a phishing page that looks like the legitimate website. Once the visitor is on the attacker's malicious website, they enter their credentials into a login form that points to a script controlled by the attacker. The script is typically used to save the username and password on the attacker's side.

It is also possible to redirect an otherwise careful internet user to a site hosting attacker-controlled content, such as a browser exploit or a page executing a CSRF attack. An open redirect vulnerability in a web application can also be used to execute an XSS payload by redirecting to a javascript: URI, which runs JavaScript code directly in the context of the vulnerable website.

Example:

https://abc.com/index.php?go=javascript:alert(document.domain)

The above would show an alert window in the context of https://abc.com. However, in most modern browsers this only works when the redirect is performed by client-side JavaScript rather than by an HTTP Location header.

How does the prevention work?

The easiest and most effective way to prevent an open redirect is to not let the user control where your page redirects them to. If you have to redirect the user based on URLs, always use an ID that is internally resolved to the respective URL. If a full URL must be accepted, check that it begins with http:// or https:// and reject all other URLs, to prevent the use of malicious URIs such as javascript:.
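Both defences from the paragraph above, the ID lookup and the URL check, as an added Python example that is not part of the original post. The ID table, the allowed hosts and the fallback page are constructed for the example. The validator goes one step beyond the scheme check described above: after requiring http or https it also compares the parsed hostname against an allowlist, so that an absolute URL to a foreign host such as http://xyz.com/phish/ is refused as well, not only javascript: URIs.

```python
from urllib.parse import urlparse

# Constructed example values (assumptions, not from the original post):
# an internal ID-to-URL table, the hosts redirects may point to, and the
# page to fall back to when a target is rejected.
REDIRECT_TARGETS = {
    "docs": "https://abc.com/docs/",
    "partner": "https://partner.example/",
}
ALLOWED_HOSTS = {"abc.com", "partner.example"}
SAFE_FALLBACK = "https://abc.com/"


def resolve_redirect_id(redirect_id: str) -> str:
    """Preferred approach: the client sends an ID and the server maps it to a
    URL it owns. Unknown IDs land on the fallback page, never on user input."""
    return REDIRECT_TARGETS.get(redirect_id, SAFE_FALLBACK)


def is_safe_redirect_url(url: str) -> bool:
    """Validator for the case where a full URL has to be accepted.

    Rejects everything that is not an http(s) URL, which covers javascript:,
    data:, scheme-relative //host and bare relative paths, and additionally
    requires the hostname to be on the allowlist (the part that goes beyond
    the scheme check in the post).
    """
    try:
        parsed = urlparse(url)
    except ValueError:  # e.g. malformed IPv6 literal in the host
        return False
    # urlparse lower-cases the scheme, so "JavaScript:" is caught as well
    if parsed.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo and port, so "https://abc.com@xyz.com/"
    # yields "xyz.com"; exact set membership also rejects "abc.com.xyz.com"
    host = parsed.hostname
    if host is None:
        return False
    return host in ALLOWED_HOSTS


def choose_redirect(url: str) -> str:
    """Location to send the user to: the requested URL if safe, else fallback."""
    return url if is_safe_redirect_url(url) else SAFE_FALLBACK


if __name__ == "__main__":
    for candidate in (
        "https://abc.com/account",
        "http://xyz.com/phish/",
        "javascript:alert(document.domain)",
        "//xyz.com/phish/",
        "https://abc.com@xyz.com/",
    ):
        print(f"{candidate!r:45} -> {choose_redirect(candidate)}")
```

The exact-match on the parsed hostname is the important design choice: a prefix check such as `url.startswith("https://abc.com")` would let through `https://abc.com.xyz.com/` and `https://abc.com@xyz.com/`, while `urlparse` separates userinfo, host and port before the comparison.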
