Open URL Redirection is a type of vulnerability where an application redirects users to any location provided in its URL. More information on this particular attack can be found here. In short, attackers sent crafted a URL of the form that redirected victims to a website that has a victim unknowingly download and execute malware. Using payloads of the form ?next=javascript: can sometimes be used to perform DOM-based XSS.Īn Open Redirect vulnerability was exploited in the United States Department of Health and Human Services' Departmental Contracts Information System during the novel coronavirus disease (COVID-19) pandemic. A payload that often increases the impact of vulnerabilities of this type is using JavaScript as the payload's protocol. For example, if the payload looks like ?next=/dashboard and we want to redirect to, we can try the URL with protocol included ( ?next=), just the host ( ?next= / ?next=/), URL without protocol ( ?next=//), or even URL-encoded versions of any of the previous examples ( ?next=%2F% et al.).Īnother creative approach is to try different protocols in the payload! Some browsers support FTP and IPFS URLs, so we could plug those kinds of URLs in the payload and observe effects. Very! If we wanna get creative with the redirection payload, we can change the form of the URL. They could take so many forms that you could even use a wordlist and fuzz for valid redirection parameters to test for openness. In my experience, I've seen next, goto, redirect, and redirect_to. ![]() These redirect parameters vary across web applications and frameworks. In this case, our target's visit to will cause our exploitation of the aforementioned CVE to take place, allowing us to run code on the target's machine and likely take control of it. In theory, this could be achieved by using the social engineering to have our target visit /login?next= and log in. For example, we can utilize social engineering and a CVE that lets us break out of the browser sandbox and execute code on the host computer to take control of a target's device. If, after logging in, we're redirected to, our target is definitely susceptible to Open URL Redirection.Īs with many high-impact attacks, we can chain our exploitation of this vulnerability with other exploits to achieve certain effects on a target or targets. With that being said, what happens if we instead set the destination to ? To see that, we can visit /login?next=. This is because the target doesn't perform adequate verification or sanitization of the values of the next parameter. We established earlier that URLs that contain the location to which we'll be redirected are potentially vulnerable to Open URL Redirection. That URL communicates that, once you've logged in, you'll be redirected to the dashboard page, which looks like /dashboard. Sometimes when you're at a login page for some website like, you might see the URL looks like /login?next=/dashboard. If we can have it redirect us to any website we'd like, we might be able to use this to attack users of the website. What happens when we set the location to which a user will be redirected to a completely different website? If the application still redirects us to the website, its URL redirection logic could be too "open". ![]() This is often seen during authentication, where a user is registering for or logging into an application, and the application wishes to redirect the user to another page once they've been authenticated. URL Redirection is a method used by web applications to manage a user's navigation throughout the app. I was motivated to write this, because I've lately been discovering these vulnerabilities in the wild, and I want to increase developers', users', and security researchers' awareness of them. In this post, we'll cover what Open URL Redirection Vulnerabilties are, how to exploit them, and how to prevent them. Do NOT attack entities that did not provide consent beforehand. ![]() NOTE: The content in this post is solely for educational purposes.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |