Open Redirect Vulnerabilities

The magic of the web is that we can interact not with just one application, but with many applications that share data among themselves. For example, you can fill in a form, which is shared with other applications, to create a ticket, and all future forms will be filled in automatically using the information that you entered before.

To do that, applications commonly use redirection. There are different types of redirects, but the most common are the following:

  • HTTP 300: Multiple choices
  • HTTP 301: Moved permanently
  • HTTP 302: Found
  • HTTP 303: See other
  • HTTP 307: Temporary redirect

A redirection can be triggered with a GET request that moves the user from one site to another, which means using the URL and passing the destination as a parameter. Alternatively, it can be defined using the headers in the website or through JavaScript code.

If we use a parameter to send the user to another application, on the same or a different domain, it will look like this:

www.testsite.com/process.php?r=admin 

And after that, all the data sent by the user will be sent to the new application. If this is not clear, take a look at the following example.

In the preceding example, the application is using the r parameter to store a string to control the redirection. This redirection could have different results, depending on the business logic implemented in the application:

www.testsite.com/admin 
www.admin.com 
admin.testsite.com 

As you can see, there is no single rule about how the redirection works, because the r parameter is a variable in this case. So, what happens if this parameter does not have any input validation? Consider the following URL:

www.testsite.com/process.php?r=malicious.com 

The user is redirected to www.malicious.com.
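One way to add the missing input validation for the r parameter, shown as an added example that is not code from the original text. The base URL, the allowlisted hosts, the fallback page and the function names are assumptions built on the page's www.testsite.com example, and the sample values are constructed.

```javascript
// Added example: allowlist validation for the r redirect parameter.
// BASE, ALLOWED_HOSTS and FALLBACK are assumptions built on the page's
// www.testsite.com example; they are not taken from a real application.
const BASE = 'https://www.testsite.com/process.php';
const ALLOWED_HOSTS = new Set(['www.testsite.com', 'admin.testsite.com']);
const FALLBACK = 'https://www.testsite.com/';

function resolveRedirect(r) {
  if (typeof r !== 'string' || r.length === 0) return FALLBACK;
  // Reject control characters (CR, LF, tab, NUL, ...) outright.
  if (/[\u0000-\u001f\u007f]/.test(r)) return FALLBACK;
  let target;
  try {
    // Resolve the value the way a browser would, relative to the current page.
    target = new URL(r, BASE);
  } catch {
    return FALLBACK;
  }
  // Only https, no embedded credentials, and an exact host match.
  // URL.host keeps a non-default port, so host:8080 does not match.
  if (target.protocol !== 'https:') return FALLBACK;
  if (target.username !== '' || target.password !== '') return FALLBACK;
  if (!ALLOWED_HOSTS.has(target.host)) return FALLBACK;
  return target.href;
}

// Constructed sample values for r.
const SAMPLES = [
  'admin',
  'https://admin.testsite.com/users',
  '//malicious.com',
  'https://malicious.com/',
  'https://www.testsite.com@malicious.com/',
  'https://www.testsite.com.malicious.com/',
  'https://www.testsite.com:8080/',
  'javascript:alert(1)',
];

function checkSamples() {
  return SAMPLES.map((r) => ({ r, redirectTo: resolveRedirect(r) }));
}

console.table(checkSamples());
```

Because the value is resolved against the current page before the host is compared, a bare malicious.com is treated as an on-site path rather than as another domain.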

As you can see, these basics are needed to understand the redirection logic in order to detect and exploit it correctly. We will see some common examples of how they affect an application's security.

It is also possible to use meta tags to redirect the users to another site:

<meta http-equiv="Refresh" content="0; url=http://www.newsite.com/" >

Finally, redirections can also be performed with JavaScript; these are the main functions and properties used to do so:

  • window.open('http://www.testsite.com')
  • location.replace('http://www.testsite.com')
  • location.assign('http://www.testsite.com')
  • location.href='http://www.testsite.com'
  • location='http://www.testsite.com'
  • location.port='8080'
  • document.URL()
  • URL
