Unvalidated Redirects and Forwards

Transcript

1. (Open Redirection) [email protected]

2. Also know as: • Client Side URL Redirection • Open

   Redirection

3.  It is an input validation flaw.  Application accepts

   an user input without validating.  Leads to an external URL.  Platform affected: All web platforms. “An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation”

4. Could be used to:  Phishing attack  Redirect a

   victim to the malicious page  Misrepresent an organization or company  Bypass the application’s access control checks / Forwards to access unauthorized pages or functions
5. None

6. "I plan to lose atleast 40 pounds with your diet

   program! hxxx://wzus1.ask.com/r?t=p&d=us&s=a&c=a&l=dir&o=0&sv=0a5 c407b&ip=5f19241a&id=94E847AC91F239E2B20A30571533AFB0 &q=How+long+did+Mark+Twain+insist+his+life+story+go+unpub lished%3F&p=1&qs=3045&ac=254&g=1a39vz0X%y%zxm&en=qo td&io=0&ep=&eo=&b=a001&bc=&br=&tp=171&ec=1&pt=hxxx://t umblrhealth.me&ex=&url=&u=hxxx://tumblrhealth.me …"
7. None

8. http://www.pcworld.com.vn/adserver.aspx?adid=550&ciid=322&cid=0&pid=ho&t=635 621164583191563&url=http%3A%2F%2Fsangbui.com%2F

9. Open Redirection + Social engineering

10. Redirect External: http://www.abc.com?redirect=http://www.attacker.com  The victim that visits abc.com will

    be automatically redirected to www.attacker.com  Forwards (Transfers) send the request to a new page in the same application .. which could bypass authentication or authorization. http://www.abc.com/submit.php?fwd=admincp.php Redirect Internal:

11.  https://accounts.google.com/SignOutOptions?hl=en&co ntinue=https://www.google.com/%3Fgws_rd%3Dssl  https://accounts.google.com/SignOutOptions?hl=en&co ntinue=https://www.abc.com/%3Fgws_rd%3Dssl

12. None

13.  www.aotrungnien.com/redirect?url=http%3A%2F%2Fsangbui.com%2F  www.applesfera.com/redirect?url=http%3A%2F%2Fsangbui.com%2F  http://nghean.vnpt.vn/modules/banner/click.php?id=59&url=http%3A%2F %2Fsangbui.com  http://www.pcworld.com.vn/adserver.aspx?adid=550&ciid=322&cid=0&pid =ho&t=635621164583191563&url=http%3A%2F%2Fsangbui.com%2F

14.  Avoid using redirects and forwards  Unavoidable then it

    should be done without involving user parameters in redirecting the destination  Valid user input

15.  Black Box testing  Gray Box testing  Tools

16.  https://www.owasp.org/index.php/Open_redirect  https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet  https://www.owasp.org/index.php/Testing_for_Client_Side_URL_Redirect_(OTG-CLIENT-004)  https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html  https://appsec-labs.com/portal/case-study-open-redirect/