Open Redirection Vulnerability

An open redirect is a vulnerability that exists when a script allows redirection
to an external site by directly calling a specific URL in an unfiltered, unmanaged fashion, which could be used to redirect victims to unintended, malicious web sites.

An open redirect is a very simple vulnerability to exploit.

Consider the following example:
http://www.trustedbank.com/page.redir?target=http://www.anygovtsite.gov/

This is a well-intended URL that takes users to any other trusted site.

But this can be abused in one of the following ways:

The URL can be used for a phishing attack:

http://www.trustedbank.com/page.redir?target=http://www.duplicatesite.com/

A user visiting the trusted bank website will get redirected to the phishing site or malware site.
This can hurt the organization's reputation, causing business loss.


This can be further escalated by malforming the link. Something like
the following can be used to cause a denial of service attack:

http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=
http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=
http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=......
http://www.trustedbank.com/page.redir?target=http://anymalicioussite.com


Now, although the previous link does not by itself perform a DoS, a similar trick can practically perform a DoS attack, causing the client to wait endlessly for the reply.

Prevention:

To prevent phishing attacks, or redirection to browser attackers and malware hosts, site
administrators must lock down their redirects.
If site operators absolutely must use redirection, the use of intermediary pages advising
users of the redirection is imperative.
Alternatively, allow redirection only to specifically white-listed sites. For example, administrators could limit linking to external sites to cases where a user actually clicks on the link while on the main site, thus preventing links in e-mail or instant messages from working.
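One way to implement the white-list check described above, as an added example that is not code from the original post. The host names, the redirector path `/page.redir` and the safe default landing page are assumptions taken from the URLs in this article; the check also refuses a target that chains back into the redirector itself, which is the nested pattern shown earlier.

```python
from urllib.parse import urlsplit, urljoin

# Constructed allow-list for this example: hosts the redirector may send users to.
ALLOWED_HOSTS = {"www.trustedbank.com", "www.anygovtsite.gov"}
OUR_HOST = "www.trustedbank.com"          # assumed: the site hosting the redirector
REDIRECT_PATH = "/page.redir"             # assumed: the redirector endpoint from the post
SAFE_DEFAULT = "https://www.trustedbank.com/"  # where rejected targets are sent instead


def safe_redirect_target(target: str) -> str:
    """Return the target if it resolves to an allow-listed host, else SAFE_DEFAULT.

    Rejects the usual bypasses: scheme-relative //evil.com, userinfo tricks such as
    http://www.trustedbank.com@evil.com, look-alike suffixes (trustedbank.com.evil.com),
    backslash variants, non-http schemes, embedded control characters, and a target
    that points back at /page.redir (the nested redirect chain from the article).
    """
    if not target:
        return SAFE_DEFAULT
    # Browsers treat backslashes like slashes in the authority part; normalise first.
    candidate = target.strip().replace("\\", "/")
    # Control characters (CR/LF etc.) would enable header injection in the Location header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return SAFE_DEFAULT
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return SAFE_DEFAULT
    if parts.scheme.lower() not in ("", "http", "https"):
        return SAFE_DEFAULT  # javascript:, data:, ftp: and friends
    if not parts.scheme and not parts.netloc:
        # A site-relative path such as /account: resolve it on our own host.
        if not candidate.startswith("/"):
            return SAFE_DEFAULT
        candidate = urljoin(SAFE_DEFAULT, candidate)
        parts = urlsplit(candidate)
    host = parts.hostname  # lower-cased, userinfo and port stripped
    if host is None or host not in ALLOWED_HOSTS:
        return SAFE_DEFAULT  # exact match only: no suffix or prefix matching
    if host == OUR_HOST and parts.path == REDIRECT_PATH:
        return SAFE_DEFAULT  # refuse to chain back into the redirector
    return candidate
```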

Some time ago Google Image Search was susceptible to this, and it was exploited by phishers.
The Cisco web site is also susceptible to this vulnerability.

Comments

minishach said…
Really good. You made a small yet understandable article which gives any beginner a good understanding about the topic. I really like it. Thanks for your wonderful effort.
