Open Redirect
Content

- 📚 What Is Open Redirect ?
- 🤔 Why Does Open Redirect Happen ?
- 💥 Exploitation
- ⚔ Impact
- 🔎 How To Find
- 🛺 Automate
- 🛠 Tools
- ⚙ Remediation
- 📕 References
- 🔬 Labs
📚 What Is Open Redirect ?
Open redirect is basically what the name says: the application openly allows redirects to any website.
Open redirect refers to an attack method in which the attacker sends the user to a domain of the attacker's choosing by abusing a redirect function that is driven by user-supplied input in the web service.
Ordinary users trust the domain they see in the URL of the web service, so they trust and click a link that appears on that domain. The flaw can also be leveraged for XSS or account hijacking.
A basic URL is structured as follows:
🤔 Why Does Open Redirect Happen ?
This happens due to insufficient redirection checks in the back-end: the server does not properly check whether the redirect URL is on its whitelist. In other words, the web application accepts untrusted input and uses a URL contained in that input as the destination of the redirect.
Let’s look at a simple example of a web application written in PHP which is vulnerable to “OR” (open redirect):

```php
<?php
// Deliberately vulnerable: the Location header is built directly from user input
header('Location: ' . $_GET['url']);
die(); // this is sometimes missing, which can lead to an authentication bypass
?>
```
Set the url parameter to https://evil.com and submit the following HTTP request:

```http
GET /vulnerable.php?url=https://evil.com HTTP/1.1
Host: victim.com
```

The server then answers with a Location header pointing at https://evil.com, and the browser follows it.
The redirection can happen on the server side or on the client side.
- Server-side: the request to redirect is sent to the server, and the server instructs the browser via the response (a 3xx status and a Location header) to redirect to the specified URL.
- Client-side: the browser is told to redirect to the specified URL directly (for example by JavaScript), without the server being involved in the redirect itself.
Redirect status codes

| Status code | Message |
|---|---|
| 301 | Multiple Choices |
| 302 | Found |
| 303 | See Other |
| 304 | Not Modified |
| 305 | Use Proxy |
| 307 | Temporary Redirect |
| 308 | Permanent Redirect |
💥 Exploitation
Let’s say there’s a well-known website, https://famous-website.tld/, and let’s assume there’s a link like:
https://famous-website.tld/signup?redirectUrl=https://famous-website.tld/account
After signing up you get redirected to your account; this redirection is specified by the redirectUrl parameter in the URL. What happens if we change famous-website.tld/account to evil-website.tld?
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
By visiting this URL, if we get redirected to evil-website.tld after the signup, we have an open redirect vulnerability. An attacker can abuse this to display a phishing page asking you to enter your credentials.
Phishing
Basically, open redirect can be used for phishing. Because users only view and access links from trusted domains, an attacker can steal information by moving them, through the redirect, to a disguised page that tries to harvest their data.
XSS
An open redirect usually performs the redirect either via the Location header or in a JavaScript stage; when the redirect is done in JavaScript, a non-http scheme such as javascript: can lead to XSS.

```http
GET /redirect?url=javascript:alert(45) HTTP/1.1
GET /redirect?url=data:(45) HTTP/1.1
```
Chaining with SSRF
⚔ Impact
By modifying untrusted URL input to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
🔎 How To Find
- Burp
- Give some attention:
  - Look at the code for every place that uses a redirect. If there is no kind of whitelist for the URL being redirected to, the site is probably vulnerable.
  - Crawl the site and save all pages that generate a redirect. If a parameter is changed, is the URL redirected to that as well? Again, if no whitelist seems to be implemented, the site is most likely vulnerable.
  - Manually looking around and investigating all parameters that might have something to do with redirects may feel like a waste of time, but it can actually produce better results than one might expect.
- Some magic tricks:
  - Visit every endpoint of the target to find these “redirect” parameters.
  - View your proxy history; you might find something. Make sure to use filters.
  - Bruteforcing helps too.
  - You might uncover many endpoints by reading JavaScript code.
  - Google is your friend; example query: inurl:redirectUrl=http site:target.com
  - Understand and analyze where redirection is needed in the target application, such as redirecting to the dashboard after login.
- Find open redirects with gf:

```bash
echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew
```

Reference: @ofjaaah. Or you can be creative with your own tools.
🛠 Tools
⚙ Remediation
There are a few possible ways to remediate this issue.
- Try to avoid redirects altogether. In most cases, they are not needed.
- If a redirect is necessary, do not trust user input for its destination.
- Map the destination input to a value that the server then translates to the original value before doing the redirect. This prevents the attacker from changing it.
- Have a whitelist of URLs – this can be done with regex if necessary. Be careful with this as it is easy to make mistakes without realizing.
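As an added example (not code from the original page), here is an allowlist-based validator in Python that applies the remediation advice above to the `url` / `redirectUrl` flows shown in the PHP snippet and the signup example, together with a checker that runs the same rule over constructed access-log lines to flag rejected targets. The allowed host names, parameter names and log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"famous-website.tld", "www.famous-website.tld"}  # assumed allowlist
REDIRECT_PARAMS = ("url", "redirectUrl", "next", "returnTo")       # assumed param names
DEFAULT_TARGET = "/account"   # where to land when the requested target is rejected

def is_allowed_target(value: str) -> bool:
    """True only for same-origin paths or absolute http(s) URLs on an allowed host."""
    value = (value or "").strip()
    if not value or "\\" in value:          # browsers treat '\' like '/', so refuse it
        return False
    parts = urlsplit(value)
    if parts.scheme:                          # absolute URL: javascript:, data:, https:...
        if parts.scheme not in ("http", "https"):
            return False
        if parts.username is not None:        # https://good.tld@evil.tld/ trick
            return False
        return (parts.hostname or "").lower() in ALLOWED_HOSTS
    # No scheme: accept "/account" but not protocol-relative "//evil.tld".
    return value.startswith("/") and not value.startswith("//")

def safe_redirect_target(value: str) -> str:
    """Destination the server should redirect to instead of trusting the input."""
    return value if is_allowed_target(value) else DEFAULT_TARGET

# Constructed access-log lines (combined-log style, trimmed) for the checker below.
LOG_LINES = [
    '203.0.113.5 - - "GET /signup?redirectUrl=https://famous-website.tld/account HTTP/1.1" 302',
    '203.0.113.9 - - "GET /signup?redirectUrl=https://evil-website.tld/account HTTP/1.1" 302',
    '198.51.100.2 - - "GET /redirect?url=javascript:alert(45) HTTP/1.1" 302',
    '198.51.100.7 - - "GET /redirect?url=//evil-website.tld HTTP/1.1" 302',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_external_redirects(lines):
    """Return (client_ip, param, value) for requests whose redirect parameter
    the validator would reject; useful for spotting abuse in existing logs."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        for param in REDIRECT_PARAMS:
            for value in query.get(param, []):
                if not is_allowed_target(value):
                    hits.append((line.split()[0], param, value))
    return hits
```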
📕 References
- PortSwigger
- OWASP
- PayloadsAllTheThings
- HackTricks
- Hackingarticles
- Hahwul
- S0cket7
- Detectify
🔬 Labs
OWASP Broken Web Applications Project: install this machine and you will have a lot of labs, such as DVWA, bWAPP and WebGoat.