© Sanjib Sinha 2019
S. SinhaBug Bounty Hunting for Web Securityhttps://doi.org/10.1007/978-1-4842-5391-5_5

5. Header Injection and URL Redirection

Sanjib Sinha1 
(1)
Howrah, West Bengal, India
 

Header injection and URL redirection are possible when a web application accepts unvalidated user inputs. This untrusted data may redirect the page to a malicious web site.

Introducing Header Injection and URL Redirection

Consider some simple PHP code:

//code 5.1
<?php
/* Redirecting browser */
header("Location: https://www.sanjib.site");
?>

The preceding PHP file, once clicked, takes us to the https://sanjib.site.

Now, consider a case when a developer writes the same code this way:

//code 5.2
<?php
/* Taking untrusted input from a form and Redirecting browser */
$RedirectingURL = $_GET['url'];
header("Location: " . $RedirectingURL);
?>

In the preceding code, the user input is displayed on the header. One can easily manipulate this query string and redirect the location to some malicious sites, which an attacker can control.

Modifying the untrusted URL input to a malicious site, an attacker may successfully launch an attack stealing user credentials. Therefore, as a penetration tester, you need to test whether your client’s application has URL redirection vulnerabilities or not: whether that application leads user input into the target of a redirection in an unsafe way or not.

If the application has such vulnerabilities, the attacker can construct a URL within the application that causes a redirection to a malicious site and users, even if verified, cannot notice the subsequent redirection to another site.

We can try to understand the whole situation better by using a diagram (Figure 5-1).
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig1_HTML.jpg
Figure 5-1

How a user is redirected to a malicious site

When the URL is being explicitly declared in the code, it is safe (code 5.1). We can also consider Java code written in a safe way:

//code 5.3
response.sendRedirect("https://www.sanjib.site");

If you change this code to this way, it becomes vulnerable, because it receives the URL from the parameter named url (GET or POST) and redirects to that URL:

//code 5.4
/* here string url accepts user input */
response.sendRedirect(request.getParameter("url"));

This vulnerability could be turned into a phishing attack by redirecting users to a malicious site by injecting the header. How it can be done we will see in the next section. At this point we should also remember the importance of OAth 2.0 access token leak. Why is it important? First, web applications usually want to use the service of another application; instead of using your password, they should use a protocol called OAuth. However, you should be careful about how another application stores or uses your data. Suppose for logging into another application you use your Facebook credentials. Open access authorization sometimes invites danger when token injection takes place.

Cross-Site Scripting Through Header Injection

So far we have learned that open redirections or URL redirections are potential vulnerabilities for any web application. Under the influence of untrusted user input data, any web application may fall into this phishing trap. In such cases, a redirection is performed to a location specified in user-supplied data.

We will demonstrate how we can use Burp Suite’s Proxy, Spider, and Repeater tools to check for open redirections in a moment. We are going to test an intentionally vulnerable web application ZAP-WAVE; it is designed for evaluating security tools.

This application is available in the OWASP broken web application project. We have already installed it in our virtual lab. First, run the "owaspbwa" application. In that application, you will get a link to ZAP-WAVE. Click and open it (Figure 5-2).
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig2_HTML.jpg
Figure 5-2

ZAP-WAVE application in the OWASP broken web application project

We have already configured our Burp Suite. Let us ensure that the Burp Proxy intercept is on. Now we visit the ZAP-WAVE page and the traffic is reflected on our Burp Proxy (Figure 5-3).
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig3_HTML.jpg
Figure 5-3

We have intercepted the ZAP-WAVE traffic on the Burp Suite.

We get this output on our Burp screen:

//code 5.5
GET /zapwave/ HTTP/1.1
Host: 192.168.2.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.3/
Cookie: JSESSIONID=908984390DB986CA443B6D455864E077; PHPSESSID=6iccf8niu6j4a5sq27c9k5a4a2; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

Let me clarify how the request header is working here. On the top, there is HOST. Here, it is 192.168.2.3. It is the desired host that handles the request. Next comes the part of acceptance. The Accept part specifies that all MIME types are accepted by the client; for web services, the JSON or XML outputs are specified. The next step handles the cookie. It is a very important part of any request. The browser passes the cookie data to the server.

In Figure 5-3 we can see the Proxy ➤ Intercept tab shows the intercepted request. Now we will right-click our mouse and send this request to the Spider tool. You don’t have to select any item or line, you can click anywhere on the context and choose the Spider tool (Figure 5-4).

In the pop-up menu bar it will ask to add this term to the scope of your Spider tool and once you do it, it will add the request to the scope.
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig4_HTML.jpg
Figure 5-4

Sending the intercepted data to the Spider tool

The Spider tool spiders the web application. The Burp Target tool including the Spider tool contains detailed information about your target applications and lets you drive the process of testing for vulnerabilities. Here we are doing the same thing. Burp Proxy is an intercepting web proxy that operates as a man-in-the-middle between the end browser and the target web application.

It will also populate the Site Map tool (Figure 5-5).
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig5_HTML.jpg
Figure 5-5

The Spider status on Burp Suite

If you go to the Target tab and click “Site map,” you will see all the spidered view of the ZAP-WAVE application now.

However, we will use our site map filter here for one particular purpose. We will search for any redirection codes or forwards used by the Site Map. When you click the Filter bar to bring up the options menu, you will find on your right-hand side “Filter by status code” options, under which you will select only 3xx status codes. These status codes indicate that a redirection is needed to fulfill a request (Figure 5-6).
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig6_HTML.jpg
Figure 5-6

Selecting 3xx class in Filter by status code

In the site map table, you will now find only the HTTP requests of the 3xx class (Figure 5-7).
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig7_HTML.jpg
Figure 5-7

HTTP requests of 3xx class

As you see, there are two HTTP requests that belong to the 3xx class. We can now manually step through these requests to find a URL where we have a request parameter.

The output of the first URL looks like this:

//code 5.6
POST /zapwave/active/redirect/redirect-form-basic.jsp HTTP/1.1
Host: 192.168.2.3
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://192.168.2.3/zapwave/active/redirect/redirect-form-basic.jsp
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Cookie: JSESSIONID=B110B0C8FB43F7379167CF872FA700F7; zap-info-cookie-no-http-only=test; zap-xss-cookie-basic=Peter Winter
target=redirect-index.jsp

Discovering Header Injection and URL Redirection Vulnerabilities

So far we have got two HTTP requests; between them, the first one (code 5.6) does not show any request parameter. Let us check the second (Figure 5-8).
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig8_HTML.jpg
Figure 5-8

Finding a request parameter

Let us show the output so that you can see for yourself whether it shows any request parameter or not.

//code 5.7
GET /zapwave/active/redirect/redirect-url-basic.jsp?redir=redirect-index.jsp HTTP/1.1
Host: 192.168.2.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=B110B0C8FB43F7379167CF872FA700F7
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
The first line of code 5.7 goes like this:
GET /zapwave/active/redirect/redirect-url-basic.jsp?redir=redirect-index.jsp HTTP/1.1

Through that redir request parameter, we can test our URL redirection technique using Burp Suite’s Repeater tool. We are going to inject the header and show that this application has URL redirection vulnerabilities.

In other words, we can change the parameter and try to investigate whether URL redirection is possible or not. To investigate any further, we should send it to the Repeater tool. Just right-click on the request in the Site map table and click “Send to Repeater” (Figure 5-9).
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig9_HTML.jpg
Figure 5-9

Sent the HTTP request parameter to the Repeater tab

Let us first click the “Go” button to test whether the URL redirection works or not. We find that the response is OK (Figure 5-10).
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig10_HTML.jpg
Figure 5-10

Testing the HTTP request in the Repeater tab

Watch the output on the right hand side:

//code 5.8
HTTP/1.1 302 Moved Temporarily
Date: Wed, 26 Jun 2019 10:15:38 GMT
Server: Apache-Coyote/1.1
Location: http://192.168.2.3/zapwave/active/redirect/redirect-index.jsp
Content-Type: text/html
SET-COOKIE: JSESSIONID=B110B0C8FB43F7379167CF872FA700F7; HttpOnly
Via: 1.1 127.0.1.1
Vary: Accept-Encoding
Content-Length: 0
Connection: close

Now, on our left side, we will try to change the value of the URL parameter to an external URL parameter such as https://sanjib.site. You can choose any different domain.

We will change the URL parameter to this:
http://192.168.2.3/zapwave/active/redirect/redirect-url-basic.jsp?redir=https://sanjib.site

First we will click “Go” to test if the URL is altered or not. It is altered, as our response output changes to this:

//code 5.9
HTTP/1.1 302 Moved Temporarily
Date: Wed, 26 Jun 2019 10:15:38 GMT
Server: Apache-Coyote/1.1
Location: https://sanjib.site
Content-Type: text/html
SET-COOKIE: JSESSIONID=B110B0C8FB43F7379167CF872FA700F7; HttpOnly
Via: 1.1 127.0.1.1
Vary: Accept-Encoding
Content-Length: 0
Connection: close
In Figure 5-11 we can see the raw response.
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig11_HTML.jpg
Figure 5-11

The response shows that URL redirection occurs.

Now, we can open an incognito tab in our browser and paste the redirect URL (http://192.168.2.3/zapwave/active/redirect/redirect-url-basic.jsp?redir=https://sanjib.site) to test whether it opens up or not.
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig12_HTML.jpg
Figure 5-12

The URL redirection occurs successfully to https://sanjib.site

Since the URL redirection occurs successfully, as a proof of concept (PoC) we can write this in our report: “The redirector of this web application is open and it has vulnerabilities.”

Finally, the Site map tab of the Burp Suite also shows that we have successfully done the header injection and the URL redirection occurs (Figure 5-13).
../images/484370_1_En_5_Chapter/484370_1_En_5_Fig13_HTML.jpg
Figure 5-13

As a PoC, we can submit this figure also.

And in the raw request we see this output:

//code 5.10
GET /zapwave/active/redirect/redirect-url-basic.jsp?redir=https://sanjib.site HTTP/1.1
Host: 192.168.2.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=B110B0C8FB43F7379167CF872FA700F7
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Now, as a penetration tester your job will include writing the final report containing the PoC, where you can mention some points that might act as a remedy to the URL redirection vulnerabilities.

  • If possible, the application should avoid accepting the URL as user input. If it incorporates user-controllable data into redirection, it becomes automatically vulnerable.

  • Therefore, removing the redirection function is the first step. The second step is using a direct link instead of user inputs.

  • Maintaining a server-side list of all URLs is a good idea. Only these URLs are permitted for redirection.

  • If it is unavoidable for the redirection function to receive user inputs; they must be strongly validated. It means the redirection function should verify that the user-supplied URL begins with “http://yoursite.com/ before issuing the redirect.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.129.247.196