Open Redirection Vulnerability
Hello Techies,
This is my 24th blog on web application security penetration testing. In this blog I will explain the Open Redirection vulnerability.
In my last blog I explained the Source Code Disclosure vulnerability in web applications. Hope everyone liked it. If you haven’t read it yet, please check it out.
What is Open Redirection Vulnerability?
From the PortSwigger definition:
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.
The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
How to Test for Open Redirection Vulnerability?
1] Visit the website.
2] Intercept the requests in Burp Suite.
3] Navigate through all the web pages while Burp captures the traffic passively. In the site map, click on Params to see all URLs having parameters.
4] Search for redirection parameters like url, redirect, redirectUrl, returnUrl, next, destination, dest, host, etc.
5] Select a URL having such a parameter and send it to Repeater.
6] Change the parameter value to a domain you control, for example change https://www.example.com/?RedirectUrl=https://www.other.com to
https://www.example.com/?RedirectUrl=https://evil.com
7] Click on Go and look at the response: a 3xx status with a Location header pointing at evil.com, or a meta refresh / JavaScript redirect to evil.com in the body, is what you are looking for.
8] Right-click the request, choose Show response in browser, and paste the URL into your browser to confirm that the redirect really happens.
9] If the redirection happens, the endpoint is vulnerable. If evil.com is blocked, do not stop there: the filter may only check that the value starts with / or contains the application’s domain, so also try variants like //evil.com, https://www.example.com.evil.com, https://www.example.com@evil.com and /\evil.com before concluding that the endpoint is safe.
Here is a simple step by step POC I came across:
Step 1: I found the below endpoint while capturing all the website traffic in Burp Suite.
https://www.redacted.in/FindPage?redirectURL=SomeDomain
Step 2: Captured the request by navigating to the above URL and changed the redirectURL parameter value to some random domain name like google.com.
Redirection happened successfully.
Impact:
Such redirects may be used to install malware or trick victims into disclosing passwords or other sensitive information: the victim clicks a link on the trusted domain, with a valid certificate, and only ends up on the attacker’s site after the redirect. Unsafe server-side forwards may additionally allow access control bypass.
An attacker can construct phishing URLs like:
https://www.redacted.in/FindPage?redirectURL=Attacker.com [Simple redirection to a malicious domain]
https://www.redacted.in/FindPage?redirectURL=Attacker.com/register [Asking victims for registration]
https://www.redacted.in/FindPage?redirectURL=Attacker.com/login [Asking victims for login credentials]
https://www.redacted.in/FindPage?redirectURL=Attacker.com/malware [Downloading malware onto the victim’s machine]
Recommendation:
Safe use of redirects and forwards can be achieved in the following ways:
· Simply avoid using redirects and forwards where possible.
· If they are used, do not accept a URL from user input as the destination. This can usually be avoided; if it cannot, you need a method to validate the URL.
· If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
· It is recommended that any such destination input be mapped to a value (a short key), rather than the actual URL or a portion of the URL, and that server-side code translate this value to the target URL.
· Validate input against an allowlist of trusted destinations (a list of hosts, or a carefully anchored regex). Compare the parsed host name, not a substring: a check like “contains example.com” is bypassed by example.com.evil.com, evil.com/example.com and example.com@evil.com, and a check like “starts with /” is bypassed by //evil.com and /\evil.com.
· Force all redirects to first go through a page notifying users that they are leaving your site and have them click a link to confirm.
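As an added example (this is not code from the original post), here is a small Python model of the FindPage endpoint that ties together the testing steps above and these recommendations. The endpoint and the redirectURL parameter are from the post; the host name www.example.com, the destination keys, the partner host and the payload list are assumed for illustration. The vulnerable handler echoes the parameter into Location, the hardened one maps keys to server-side URLs and falls back to a host allowlist, and the same payloads are run through both:

```python
"""Open-redirect check: the post's /FindPage?redirectURL= endpoint modelled
as a vulnerable handler and a hardened one, plus the payloads a tester would
send to each.  Added example, not code from the original post: the endpoint
and parameter name are the post's; the host names, destination keys and
allowlist are assumed for illustration."""
from urllib.parse import parse_qs, urlencode, urlsplit

APP_HOST = "www.example.com"  # assumed: the host the application lives on

# Constructed payloads: the plain evil.com case from the post plus variants
# that get past naive checks such as "must start with /" or "must contain our
# host name".  The last one is a legitimate relative path that must keep working.
PAYLOADS = [
    "https://evil.com",
    "//evil.com",                        # scheme-relative
    "https://www.example.com.evil.com",  # our host as a subdomain of theirs
    "https://evil.com/www.example.com",  # our host in the path
    "https://www.example.com@evil.com",  # our host as userinfo
    "/\\evil.com",                       # browsers treat \ as /, so this is //evil.com
    "/account",
]


def redirect_target_host(location, app_host=APP_HOST):
    """Return the host a browser would land on after following `location`.
    Relative paths resolve to app_host; backslashes are normalised to slashes
    because Chromium and Firefox do the same before resolving."""
    parts = urlsplit(location.replace("\\", "/"))
    if parts.scheme == "" and parts.netloc == "":
        return app_host
    return (parts.hostname or "").lower()


def is_external(location, app_host=APP_HOST):
    """Step 9 of the procedure: did the redirect leave the site?"""
    return redirect_target_host(location, app_host) != app_host


def vulnerable_find_page(query):
    """Models the post's FindPage: the Location header is whatever the client
    put in redirectURL (the bug)."""
    return parse_qs(query).get("redirectURL", ["/"])[0]


# Hardened version.  Preferred route: map a short key to a server-side URL.
DESTINATIONS = {  # assumed key -> target table
    "home": "/",
    "account": "/account",
    "partner": "https://partner.example.org/landing",
}
ALLOWED_HOSTS = {APP_HOST, "partner.example.org"}  # assumed allowlist


def is_allowed_destination(url):
    """Allowlist fallback for callers that still send a raw URL: only http(s)
    or relative, and only hosts we trust, judged after browser-style
    normalisation so every bypass payload above is rejected."""
    normalised = url.replace("\\", "/")
    if urlsplit(normalised).scheme.lower() not in ("", "http", "https"):
        return False
    return redirect_target_host(normalised) in ALLOWED_HOSTS


def safe_find_page(query):
    """Hardened FindPage: resolve a key, else an allowlisted URL, else home."""
    value = parse_qs(query).get("redirectURL", ["home"])[0]
    if value in DESTINATIONS:
        return DESTINATIONS[value]
    if is_allowed_destination(value):
        return value
    return DESTINATIONS["home"]  # unknown or off-site: go home, never echo it


def run_payloads(handler, payloads=PAYLOADS):
    """Steps 5-9 against a handler: send each payload in redirectURL and
    record whether the resulting Location leaves the site."""
    return {p: is_external(handler(urlencode({"redirectURL": p})))
            for p in payloads}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_find_page),
                          ("hardened", safe_find_page)):
        print(f"--- {name} ---")
        for payload, leaves_site in run_payloads(handler).items():
            label = "EXTERNAL" if leaves_site else "on-site"
            print(f"{label:9} {payload}")
```

Against the vulnerable handler every payload except /account is reported as leaving the site, which is exactly what a tester wants to see in the Location header; against the hardened handler none of them do, while the relative /account path and the mapped partner key still work. The important design choice is that the allowlist decision is made on the parsed host after the same normalisation a browser applies, not on a substring or prefix of the raw string.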
Open Redirection Payload List from Github:
I hope everyone is enjoying my blogs. Please like and follow me for more reads!
Thanks!