Open Redirect Vulnerability

Open Redirect Vulnerability

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Scope

Technical Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity; Other

  • Access Control

Technical Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity

The user may be redirected to an untrusted page that contains malware which may then compromise the user’s machine. This will expose the user to extensive risk and the user’s interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.

  • Access Control Confidentiality Other The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user’s credentials and then use these credentials to access the legitimate web site.

Remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs. Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list. If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL. The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect. The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.

Examples

Github Resources

Reference