Redirects are used within an application to navigate the user from one part of the site to another, or to a different site entirely.
An open redirect is a flaw in which an attacker manipulates a URL parameter so that the application redirects the user to the attacker's malicious site. The root cause is that there is no validation in place to verify the URL the user is being redirected to.
The user may be redirected to an untrusted page that contains malware, which may then compromise the user's machine. This exposes the user to extensive risk, and the user's interaction with the web server may also be compromised if the malware performs keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.
The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker-controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and use them to access the legitimate web site.
An attacker could supply a user with the following link: http://example.com/example.php?url=http://malicious.example.com
The user may assume that the link is safe since the URL starts with the trusted site name (example.com). However, the user is then redirected to the attacker's web site (malicious.example.com), which the attacker may have made to look very similar to the trusted site. The user may then unwittingly enter credentials into the attacker's web page and compromise their bank account.
OWASP Top 10
Unvalidated Redirects and Forwards was in the OWASP Top 10 in 2010 and remains in the OWASP Top 10 for 2013.
Vulnerable URL Parameter: adurl
By clicking an advert on the St. Cloud Times site the user is sent to the advertiser's page. It is during this process that the adurl parameter appears in the request.
Using OWASP's ZAP proxy I captured this request when the advert is selected. From the captured request below you will see that the adurl parameter is linking to: http://stcloud.edinarealty.com/Listing/ProcessJumpSearch.aspx%3FJumpSearch%3D9110252%26Page%3D2

Original URL value (request captured in ZAP):
http://googleads.g.doubleclick.net/aclk?sa=L&ai=CPuKWv-JYU6DwIOvX0AGiw4DoBOD4ysIEAAAQASCotLwVUJXoysYFYMnu8Yq0pNgPyAEC4AIAqAMByAOdBKoEiwFP0IARddk9PyJ_huH9N6LqTNschh8mnACoEoXlep-RCKAFOkg7lvWh8sxxaOA4RW_A-B4Rusq5_WKzZlbQAcmFo7WrZsfJlfO_5iOWvlgHGE2A2FpCkX1y209JBDMP5qmt5koL1w32eZam2ihkOu-_FCdaHP7oHwnhjbRyw8Htc2Shlrol2hfMVq0_4AQBoAYU&num=0&sig=AOD64_3MQL6udZKpmgOULY5pDOsF2utGNA&client=ca-pub-7521520845913646&adurl=http://stcloud.edinarealty.com/Listing/ProcessJumpSearch.aspx%3FJumpSearch%3D9110252%26Page%3D2&nm=4&nx=32&ny=-15&mb=1&clkt=112&jca=6452

By changing this value to https://dunnesec.wordpress.com/ we can demonstrate how an attacker can use the parameter to send the victim to a malicious site without their knowledge.

Malicious test request: the same request with the adurl value replaced by the attacker's URL value, https://dunnesec.wordpress.com/.

Result: the browser is redirected to the attacker-supplied site.

To avoid open redirects, the redirecting page must be written so that the target address is validated before the redirect happens; at a minimum the user should be given the option to continue to the external site or return to the previous page.
Facebook Let Down!!
I thought I was onto something with a Facebook vulnerability but found out that this was already reported in 2011 by Vicente Aguilera Diaz. The results of my attempt are below. They show that Facebook has a warning in place to notify the user that a redirect is taking place and gives them the option to proceed or not.
Vicente noted on July 21, 2011: Facebook answers that the intentional functionality provided by the “l.php” endpoint is required, and Facebook believes the security benefits generated by this functionality outweigh the perceived risks.
AltoroMutual Test Example
AltoroMutual has a redirect issue that can be used for test purposes, although the browser does give a warning that the hyperlink is to a third-party website. If the user clicks OK, thinking it is part of the trusted site, they are redirected to the external site.
If they click NO then that's it 😦
- Where possible, do not use user input to build redirect URLs.
- If you definitely need dynamic URLs, make an allow-list of accepted URLs and reject anything else.
- Ensure that you only accept URLs that are located on accepted domains.
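As an added example, not code from the original post, here is an allow-list check in Python for a redirect parameter such as the url parameter in the example.php link above. The trusted host example.com and the attacker host malicious.example.com are taken from the post; the allowed-host set, the default target and the function name are assumptions. It rejects the cases a naive prefix or suffix check gets wrong: protocol-relative "//host" values, backslashes, userinfo tricks such as http://example.com@malicious.example.com/, non-http schemes, and the fact that malicious.example.com ends with example.com.

```python
"""Allow-list validation for a user-supplied redirect target.

Added example, not code from the original post. example.com (trusted)
and malicious.example.com (attacker) come from the post's own link;
ALLOWED_HOSTS, DEFAULT_TARGET and safe_redirect_target are assumed names.
"""
from urllib.parse import urlsplit, urlunsplit

# Hosts the application is willing to redirect to (assumed allow-list).
# Exact hostnames only: a suffix check such as host.endswith("example.com")
# would accept malicious.example.com and attackerexample.com.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"   # where to send the user when the value is rejected


def safe_redirect_target(user_url: str) -> str:
    """Return user_url if it is a local path or an allowed absolute URL,
    otherwise DEFAULT_TARGET. Rejected values are not 'fixed up', so the
    application never forwards something it has not fully understood."""
    if not user_url:
        return DEFAULT_TARGET

    # Browsers treat backslashes as slashes ("/\evil.com" becomes "//evil.com")
    # and strip control characters, so reject them rather than normalising.
    if "\\" in user_url or any(ord(ch) < 0x21 for ch in user_url):
        return DEFAULT_TARGET

    try:
        parts = urlsplit(user_url)
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return DEFAULT_TARGET

    # No scheme and no host: a relative reference. Accept only an absolute
    # path on this origin; "//host/path" is protocol-relative, not local.
    if not parts.scheme and not parts.netloc:
        if user_url.startswith("/") and not user_url.startswith("//"):
            return user_url
        return DEFAULT_TARGET

    # Absolute URL: http(s) only, no userinfo, host on the allow-list.
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET
    if parts.username is not None or parts.password is not None:
        # "http://example.com@malicious.example.com/": the trusted name is
        # the userinfo; the browser connects to the host after the "@".
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return urlunsplit(parts)


if __name__ == "__main__":
    for candidate in ("http://malicious.example.com",
                      "http://example.com/account",
                      "//malicious.example.com/",
                      "/account/settings",
                      "http://example.com@malicious.example.com/",
                      "javascript:alert(1)"):
        print(f"{candidate!r:50} -> {safe_redirect_target(candidate)!r}")
```

The fallback is deliberately a fixed local path rather than an attempt to repair the value: every "normalise then check" step is one more place where the browser's parser and yours can disagree, and that disagreement is exactly what the userinfo and backslash cases exploit.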
The bug is based on a misuse of the srcdoc attribute of the IFRAME tag, which is part of the HTML5 specification.
Identified by ElevenPaths.
Chrome has now been fixed but Safari is still vulnerable.
Test URL showing how the attack may look:
How the iframe parameter handles the user-supplied data.
XSS payload entered by the user and stored within the iframe: src="" srcdoc="XSS Payload">
XSS confirmed in browser.
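As an added example in Python (not ElevenPaths' proof of concept and not code from the original post), the snippet below reproduces the injection shape shown above, a src value that closes its own attribute and opens a srcdoc one, and compares an unescaped template with an escaped one. The template, the payload text, the example.com URL and the function names are assumptions; Python's html.parser stands in for the browser's tag parser to show which attributes each rendering actually produces.

```python
"""Attribute injection into an <iframe> src, the shape of the srcdoc XSS above.

Added example, not ElevenPaths' proof of concept and not code from the post.
The template, payload, URL and helper names are assumptions for illustration.
"""
import html
from html.parser import HTMLParser

# Constructed payload: a plausible-looking URL whose query string closes the
# src attribute early and opens a srcdoc attribute. The browser then renders
# the srcdoc HTML (including the script) inside the frame.
PAYLOAD_URL = 'https://example.com/page?x=" srcdoc="<script>alert(document.domain)</script>'


def render_iframe_vulnerable(user_src: str) -> str:
    """Reflects the user-supplied URL straight into the attribute."""
    return '<iframe src="' + user_src + '"></iframe>'


def render_iframe_hardened(user_src: str) -> str:
    """Allows only http(s) URLs and escapes quotes and angle brackets so the
    value can never terminate the attribute or introduce a new one."""
    lowered = user_src.strip().lower()
    if not lowered.startswith(("http://", "https://")):
        user_src = "about:blank"
    return '<iframe src="' + html.escape(user_src, quote=True) + '"></iframe>'


class _IframeAttrs(HTMLParser):
    """Records the attributes of the <iframe> start tag, the way a browser's
    tokenizer would split them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.attrs = dict(attrs)


def iframe_attributes(markup: str) -> dict:
    """Parse markup and return {attribute name: value} for the iframe."""
    parser = _IframeAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    print("vulnerable:", iframe_attributes(render_iframe_vulnerable(PAYLOAD_URL)))
    print("hardened:  ", iframe_attributes(render_iframe_hardened(PAYLOAD_URL)))
```

The vulnerable rendering yields two attributes, src and an attacker-controlled srcdoc; the hardened rendering yields a single src whose value is the attacker's string, harmlessly quoted. Escaping is what stops the attribute split; the scheme check is a separate control against javascript: and data: sources.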
The change password form within a larger supplements website does not have the added security feature that requires the user to enter their existing password. At the moment the user can simply enter a new password without knowing the existing one.
If a user leaves their computer unattended for a few minutes (while logged in), we don’t want someone else to be able to walk by and quickly change their password. For one thing, this would allow the attacker to change the associated email address, too, and now the legitimate owner is never getting his/her account back.
Authentication rests on something you know (e.g., a password or passphrase) and/or something that identifies you (e.g., a user name, a fingerprint, voiceprint or retina print); one or more of these are presented to prove identity. Asking for the existing password on the change-password form makes the user prove "something you know" again before the credential is replaced, so a live session alone is not enough.
Add “current password” field to “change password form”
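As an added example, not the supplement site's code, the Python below shows the handler before and after the fix: the vulnerable version replaces the password on the strength of the session alone, while the fixed version re-verifies the current password (with a salted PBKDF2 hash and a constant-time comparison) and changes nothing if that check fails. The Account class, the PBKDF2 parameters and the function names are assumptions.

```python
"""Change-password handler that requires the current password.

Added example, not the supplement site's code. The Account store, the
PBKDF2 parameters and the function names are assumptions for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest).
    A fresh random salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Minimal in-memory user record (assumed stand-in for the site's DB)."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.salt, self.digest = hash_password(password)


def change_password_vulnerable(account: Account, new_password: str) -> bool:
    """The behaviour the post describes: anyone sitting at the logged-in
    browser can replace the password, no proof of the old one required."""
    account.salt, account.digest = hash_password(new_password)
    return True


def change_password(account: Account, current_password: str, new_password: str) -> bool:
    """Re-authenticate with the current password before replacing it.
    Returns False, and changes nothing, if the current password is wrong
    or the new password is unacceptable."""
    if not verify_password(current_password, account.salt, account.digest):
        return False
    if new_password == current_password or len(new_password) < 12:
        return False
    account.salt, account.digest = hash_password(new_password)
    return True


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery staple")
    print("walk-by without current password:",
          change_password(acct, "guess", "attacker-chosen-secret"))
    print("owner with current password:",
          change_password(acct, "correct horse battery staple", "attacker-chosen-secret"))
```

The same re-authentication gate belongs on the change-email form, since the post's walk-by scenario ends with the attacker owning the recovery address as well.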
Reply Regarding This Issue
The reply came within half an hour and was very friendly. They even rewarded me with discount points for the site, which I was very happy with.
An Analysis of Automated Web Application Scanning Suites
This document is an analysis of the performance of five common web application scanners, which were run against three different types of web applications. It provides an evaluation of the scanner suites from installation to the completion of the scan, and rates the suites on multiple criteria.
Acunetix, AppScan, Burp, Nexpose & NTO Spider.
Study carried out by James Ball, Alexander Heid and Rod Soto: HackMiami
Overall Details Regarding Each Product
Details show that overall AppScan is the most costly product, with Burp being the cheapest.
Ongoing cyclical web application vulnerability assessments are a critical part of the software development lifecycle (SDLC) for any organization. The harried release cycles of web applications and scarce availability of skilled security engineers to conduct thorough manual assessments makes the market for automated web application vulnerability scanner suites one that will continue to grow. As more products come to market, and more exploitable vulnerabilities are identified, the choices will continue to grow. The end consumer will almost always be faced with picking a product that meets their strictest requirement, the budget. In terms of overall value, it is the conclusion of the researchers conducting the HackMiami 2013 Hackers Conference PwnOff that Portswigger BURP and Rapid7 Nexpose/MetasploitPro currently provide the most value to the independent security consultant in terms of discovered vulnerabilities, ease of use, licensing flexibility, and range of functionality.