Open Redirect
📚 What Is Open Redirect?
🤔 Why Does Open Redirect Happen?
💥 Exploitation
⚔ Impact
🔎 How To Find
🛺 Automate
🛠 Tools
⚙ Remediation
📕 References
🔬 Labs
Open redirect is what the name says: the application openly allows redirects to any website.
Open redirect is an attack method in which the attacker sends the user to a domain of the attacker's choosing by abusing a redirect function whose destination is taken from the user's input to the web service.
Ordinary users trust the domain they see in the web service's URL, so they trust and click a link on that domain. An open redirect can also be used effectively for XSS or account hijacking.
A basic URL is structured in this way:
This happens due to insufficient redirection checks in the back end: the server does not properly check whether the redirect URL is on its whitelist. In other words, the web application accepts untrusted input and redirects the request to a URL contained in that untrusted input.
Let’s look at a simple example of a web application written in PHP which is vulnerable to open redirect (“OR”):
Enter https://evil.com as the value of the url parameter.
After submitting the following HTTP request:
The redirection can happen on the server side or the client side.
Server-side: the request to redirect is sent to the server, and the server tells the browser, via its response, to redirect to the specified URL.
Client-side: the browser is told to redirect to the specified URL directly (for example by JavaScript in the page), without the server being involved.
Redirect status codes:
301 Multiple Choices
302 Found
303 See Other
304 Not Modified
305 Use Proxy
307 Temporary Redirect
308 Permanent Redirect
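As an added example (not code from the original page), the following Python checks one captured HTTP response for either kind of redirect described above: a server-side one (a 3xx status with a Location header) or a client-side one (a meta refresh or a JavaScript assignment to location in the body), and then reports whether the destination leaves the site. The sample responses are constructed for the example, and the famous-website.tld / evil-website.tld hosts are the placeholder names this page uses.

```python
import re
from urllib.parse import urlsplit

# 3xx codes that, together with a Location header, form a server-side redirect.
SERVER_REDIRECT_CODES = {301, 302, 303, 307, 308}

# Client-side redirect patterns: <meta http-equiv="refresh" content="0; url=...">
# and a JavaScript assignment to location / location.href. These are heuristics:
# obfuscated scripts will not match them.
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)
JS_LOCATION_RE = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def find_redirect(status, headers, body):
    """Return (kind, destination): kind is "server", "client" or None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in SERVER_REDIRECT_CODES and "location" in hdrs:
        return "server", hdrs["location"].strip()
    match = META_REFRESH_RE.search(body) or JS_LOCATION_RE.search(body)
    if match:
        return "client", match.group(1)
    return None, None


def leaves_site(destination, site_host):
    """True when the destination host is neither the site nor one of its subdomains."""
    host = urlsplit(destination).hostname
    if host is None:  # a relative path such as /account stays on the site
        return False
    host = host.lower()
    return not (host == site_host or host.endswith("." + site_host))


def assess(status, headers, body, site_host):
    """One verdict per captured response: (kind, destination, external?)."""
    kind, dest = find_redirect(status, headers, body)
    return kind, dest, (kind is not None and leaves_site(dest, site_host))


# Constructed sample responses (not real traffic), keyed by what they show.
SAMPLES = {
    "server_side": (302, {"Location": "https://evil-website.tld/account"}, ""),
    "client_meta": (200, {"Content-Type": "text/html"},
                    '<meta http-equiv="refresh" content="0; url=https://evil-website.tld/account">'),
    "client_js": (200, {"Content-Type": "text/html"},
                  '<script>window.location.href = "https://evil-website.tld/account";</script>'),
    "internal": (302, {"Location": "/account"}, ""),
    "no_redirect": (200, {"Content-Type": "text/html"}, "<html><body>ok</body></html>"),
}


def run_samples(site_host="famous-website.tld"):
    """Assess every sample against the site host; returns name -> verdict."""
    return {name: assess(*resp, site_host) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kind, dest, external) in run_samples().items():
        print(f"{name:12s} kind={kind} external={external} destination={dest}")
```

The point of the two-stage check is that a redirect by itself is not a finding; only a redirect whose destination is outside the site, after you changed the parameter, is. Status codes 304 and 305 are deliberately left out of the server-side set because they do not carry a destination.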
Let’s say there’s a well-known website, https://famous-website.tld/, and let’s assume that there’s a link like:
https://famous-website.tld/signup?redirectUrl=https://famous-website.tld/account
After signing up you get redirected to your account; this redirection is specified by the redirectUrl parameter in the URL. What happens if we change famous-website.tld/account to evil-website.tld?
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
If, after visiting this URL and signing up, we get redirected to evil-website.tld, we have an open redirect vulnerability. An attacker can abuse this to display a phishing page that asks you to enter your credentials.
Phishing
Open redirect is mainly used for phishing. Because users only view and access links on trusted domains, an attacker can steal information by redirecting them from the trusted domain to a disguised page built to capture their data.
XSS
Open redirects are usually performed either through the Location header or in a JavaScript step; the JavaScript case is where an open redirect can sometimes be turned into XSS.
Chaining with SSRF
By modifying untrusted URL input to point to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Give Some Attention
Look at the code for every place that utilizes a redirect. If there is no kind of whitelist for the URL being redirected, the site is probably vulnerable.
Crawl the site and save all pages that generate a redirect. If a parameter is changed, is the URL redirected to that as well? Again, if no whitelist seems to be implemented here the site is most likely vulnerable.
Manually looking around and investigating all parameters that can be suspected to have something to do with redirects may feel like a waste of time, but can actually generate better results than one might expect.
Some Magic tricks
Visit every endpoint of the target to find these “redirect” parameters.
View your proxy history, you might find something. Make sure to use filters.
Bruteforcing helps too.
You might uncover many endpoints by reading the JavaScript code.
Google is your friend. For example, query: inurl:redirectUrl=http site:target.com
Understand and analyze where the redirection is needed in the target application like redirecting to the dashboard after login or something like that.
Find open redirects with gf:
Reference: @ofjaaah. Or you can be creative by using your own tools.
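As an added example (not the gf pattern the page refers to, nor code from the page), here is a small Python triage of a proxy-history export that does what the list above describes: it flags query parameters whose name hints at a redirect (the redirectUrl and url names the page mentions) and, more generally, any parameter whose value is itself a destination (an absolute URL, a protocol-relative URL, an absolute path or a bare hostname), whatever its name. The history entries are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names the page points at (redirectUrl, url), matched as substrings.
NAME_HINTS = ("redirect", "url")

# A bare hostname such as evil-website.tld, optionally followed by a path.
# The last label must be alphabetic so plain decimals like "1.5" are not hosts.
BARE_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}(/.*)?$", re.IGNORECASE)


def looks_like_destination(value):
    """True when the value is a URL, a protocol-relative URL, an absolute path or a host."""
    v = value.strip()
    return v.startswith(("http://", "https://", "//", "/")) or bool(BARE_HOST_RE.match(v))


def candidate_params(url):
    """Return [(name, value, reason)] for the query parameters worth testing."""
    query = urlsplit(url).query
    found = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if any(hint in name.lower() for hint in NAME_HINTS):
            found.append((name, value, "name"))
        elif looks_like_destination(value):
            found.append((name, value, "value"))
    return found


def triage(history):
    """Map each URL that has at least one candidate parameter to its candidates."""
    result = {}
    for url in history:
        candidates = candidate_params(url)
        if candidates:
            result[url] = candidates
    return result


# Constructed sample of proxy-history entries (not real traffic).
PROXY_HISTORY = [
    "https://famous-website.tld/signup?redirectUrl=https://famous-website.tld/account",
    "https://famous-website.tld/login?next=/dashboard",
    "https://famous-website.tld/search?q=open+redirect",
    "https://famous-website.tld/static/app.js",
    "https://famous-website.tld/go?to=cdn.famous-website.tld/file",
]

if __name__ == "__main__":
    for url, cands in triage(PROXY_HISTORY).items():
        print(url)
        for name, value, reason in cands:
            print(f"    {name}={value}  (flagged by {reason})")
```

The value-based rule is what catches the second and last entries, whose parameter names (next, to) would slip past a name-only filter; the cost is the occasional false positive on values that merely look like a hostname, such as a file name ending in a short alphabetic extension.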
There are a few possible ways to remediate this issue.
Try to avoid redirects altogether. In most cases they are not needed.
If a redirect is necessary, do not trust user input for its destination.
Map the destination input to a value that the server then translates to the original value before doing the redirect. This prevents the attacker from changing it.
Have a whitelist of URLs – this can be done with Regex if necessary. Be careful with this as it is easy to make mistakes without realizing it.
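The PHP example the page refers to earlier takes the url parameter straight into the Location header. As an added example (not code from the original page), here are that vulnerable pattern and the two remediations from the list, mapping a key to a server-side destination and checking a parsed URL against an allowlist, written in Python so they run directly. The host names are the page's example site and the attacker site from the signup walkthrough, and each handler returns the value that would go into the Location header instead of sending a response.

```python
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "famous-website.tld"  # the page's example site


def redirect_vulnerable(url_param):
    """Vulnerable: the user-supplied value becomes the Location header unchanged,
    the same flaw as header("Location: " . $_GET['url']) in the PHP example."""
    return url_param


# Remediation: map a short key to a destination the server controls. The client
# never supplies a URL, so it cannot change where the redirect goes.
DESTINATIONS = {
    "account": "/account",
    "dashboard": "/dashboard",
}


def redirect_by_key(key, default="/"):
    return DESTINATIONS.get(key, default)


# Remediation: when a URL must be accepted, parse it and compare the host to an
# allowlist. A string prefix check or a hand-written regex is the shortcut the
# text warns is easy to get wrong; the parser decides what the host is.
ALLOWED_HOSTS = {SITE_HOST, "www." + SITE_HOST}


def redirect_allowlisted(url_param, default="/"):
    parts = urlsplit(url_param)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: accept only a plain absolute path on this site.
        if not parts.path.startswith("/") or "\\" in parts.path:
            return default
        return urlunsplit(("", "", parts.path, parts.query, ""))
    if parts.scheme not in ("http", "https"):
        return default  # non-http schemes and scheme-less //host forms
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return default
    # Rebuild from the parsed parts so only the vetted host and path are emitted.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    evil = "https://evil-website.tld/account"
    print("vulnerable :", redirect_vulnerable(evil))
    print("by key     :", redirect_by_key("account"), redirect_by_key(evil))
    print("allowlisted:", redirect_allowlisted(evil),
          redirect_allowlisted("https://famous-website.tld/account"))
```

Of the two remediations, the key mapping is the safer default because it never parses attacker-controlled text; the allowlist version is for the cases where a full URL genuinely has to be accepted, and it rebuilds the output from the parsed components rather than echoing the input.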
PortSwigger, OWASP, PayloadsAllTheThings, HackTricks, Hacking Articles, Hahwul, S0cket7, Detectify
OWASP Broken Web Applications Project: install this machine and you will have many labs such as DVWA, bWAPP, WebGoat, etc.