
Unvalidated Redirects and Forwards

Introduction

  • Unvalidated Redirects and Forwards attacks happen when a web application accepts untrusted input to redirect a request to a URL chosen by the attacker, which is then used against the victim users.
  • The attack exploits the redirection functionality of a web application: the attacker crafts a malicious URL and places it in a legitimate-looking parameter (i.e., a querystring value) that the application uses as the destination to forward the user to.
  • Unvalidated Redirects and Forwards can also be used to craft a URL that passes the application's access control check and then forwards the attacker to privileged functions.
  • Example: The legitimate URL http://www.vulnerablesite.com/redirect.aspx?url=amazon.com is modified to http://www.vulnerablesite.com/redirect.aspx?url=hacker.com, and the web application then redirects the victim to the attacker's site because the handler does Response.Redirect(Request.QueryString("url")) with the url parameter taken straight from the request.
  • Example: An attacker could send an HTML-formatted e-mail that contains a fake login link, so that users who click it are redirected to a phishing site:
    <a href="http://www.realbank.com/redirect?url=http://www.attackerbank.com">Click here to log in</a>
  • Example: LinkedIn - security issue - Unvalidated Redirects and Forwards. In a new browser tab, submit this request: http://www.linkedin.com/redir/redirect?url=http%3A%2F%2Fgoo%2Egl%2FpT2pbf&urlhash=114z&trk=prof-project-name-link

OWASP Risk Profile

[Figure: OWASP risk profile table (image titled "Direct-Object-Reference", not reproduced here). Source: OWASP]

Defense measures

  • OWASP: how to check whether you are vulnerable:
    • Review the code for all uses of redirect or forward. For each use, identify whether the target URL is taken from any parameter value. If so, and the target URL isn't validated against a whitelist, you are vulnerable.
    • Also, spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the parameters supplied prior to the redirect to see if they appear to be a target URL or a piece of such a URL. If so, change the URL target and observe whether the site redirects to the new target.
    • If code is unavailable, check all parameters to see if they look like part of a redirect or forward URL destination and test those that do.
  • OWASP: how to defend:
    • Avoid using redirects or forwards.
    • Don't use user input to determine the destination.
    • If destination parameters can't be avoided, ensure that the supplied value is valid and authorized for the user.
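The "spider the site and look at the parameters supplied prior to the redirect" step above can be partly automated. The following Python is an added example, not code from the page or from OWASP: it takes a constructed list of (request URL, response status, Location header) triples, as a spider or proxy log would yield, and flags every 3xx response whose Location contains the decoded value of one of the request's query parameters. The sample data and the four-character minimum (to skip short values such as numeric ids) are my assumptions; the second OWASP step, changing the target and observing whether the site follows it, still has to be done by hand on the flagged parameters.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of (request URL, status, Location) triples, the kind of
# data a spider or an intercepting proxy log produces. Not real traffic.
SAMPLE_RESPONSES = [
    ("http://www.vulnerablesite.com/redirect.aspx?url=amazon.com", 302, "http://amazon.com/"),
    ("http://www.vulnerablesite.com/redirect.aspx?url=http%3A%2F%2Fhacker.com", 302, "http://hacker.com"),
    ("http://www.vulnerablesite.com/login?next=%2Faccount", 302, "/account"),
    ("http://www.vulnerablesite.com/page?id=42", 301, "/page/42"),
    ("http://www.vulnerablesite.com/logout", 302, "/"),
]

# Assumption: values shorter than this are too generic to be a URL fragment.
MIN_VALUE_LEN = 4


def reflected_redirect_params(request_url, status, location):
    """Return the names of query parameters whose (URL-decoded) value
    appears inside the Location header of a 3xx response."""
    if not (300 <= status <= 307) or not location:
        return []
    # parse_qsl percent-decodes the values for us.
    params = parse_qsl(urlsplit(request_url).query, keep_blank_values=True)
    return [name for name, value in params
            if len(value) >= MIN_VALUE_LEN and value in location]


def scan_for_redirect_params(entries):
    """Return (request URL, [suspicious parameter names]) for every entry
    where at least one parameter looks like (part of) the redirect target.
    These are candidates for the manual 'change the target' check."""
    findings = []
    for request_url, status, location in entries:
        names = reflected_redirect_params(request_url, status, location)
        if names:
            findings.append((request_url, names))
    return findings


if __name__ == "__main__":
    for url, names in scan_for_redirect_params(SAMPLE_RESPONSES):
        print(f"{url}: parameter(s) {names} reflected in Location")
```

Note that a hit is only a candidate: `next=/account` is reflected too, and whether it is exploitable depends on the validation the handler applies, which is exactly what the allowlist check below is for.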
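The redirect.aspx example in the introduction and the last defense point ("ensure that the supplied value is valid and authorized") are both illustrated by the following Python, which is an added example and not code from the page, from OWASP, or from any framework. `vulnerable_redirect` mirrors the page's `Response.Redirect(Request.QueryString("url"))` behaviour; `is_safe_redirect` is the allowlist check a hardened handler would apply before redirecting, and `safe_redirect` falls back to a fixed page when the check fails. The allowlisted hosts and the `/home` fallback are assumptions. The validator goes a little beyond the page's plain hostname example: it also rejects the protocol-relative (`//evil.com`), backslash (`/\evil.com`), userinfo (`http://trusted@evil.com`) and non-http scheme (`javascript:`) forms that a naive "does it start with a slash" or "does it contain our domain" check lets through.

```python
from urllib.parse import urlsplit

# Assumption: the only external hosts this application may redirect to.
ALLOWED_HOSTS = {"www.vulnerablesite.com", "www.realbank.com"}
# Assumption: where the user lands when the requested target is rejected.
DEFAULT_TARGET = "/home"


def vulnerable_redirect(query):
    """The page's redirect.aspx pattern: the url parameter is used as-is."""
    return query.get("url", DEFAULT_TARGET)


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-site path ('/account') or an http(s) URL whose
    host is on the allowlist. Everything else is rejected."""
    if not target:
        return False
    # Raw control characters (CR/LF) have no place in a redirect target.
    if any(ord(c) < 0x20 for c in target):
        return False
    # Browsers treat backslashes like slashes, so '/\evil.com' is really
    # '//evil.com'; normalise before parsing so urlsplit sees the same thing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False                      # javascript:, data:, ...
        # .hostname drops userinfo and port, so 'http://www.realbank.com@evil.com'
        # yields 'evil.com', and lowercases the host.
        return parts.hostname in allowed_hosts
    if parts.netloc:
        return False                          # '//evil.com/path' (protocol-relative)
    # A bare path must start with exactly one slash; '///evil.com' collapses
    # to 'http://evil.com' in browsers, so more than one slash is rejected.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect(query):
    """Hardened handler: honour the url parameter only if it passes the check."""
    target = query.get("url", "")
    return target if is_safe_redirect(target) else DEFAULT_TARGET


if __name__ == "__main__":
    # The page's example: the url parameter changed from amazon.com to hacker.com.
    for q in ({"url": "http://hacker.com"}, {"url": "/account"},
              {"url": "https://www.realbank.com/login"}):
        print(q["url"], "->", vulnerable_redirect(q), "| hardened:", safe_redirect(q))
```

Note that `amazon.com` from the page's original URL is rejected as well: it is neither a path nor an allowlisted host, which is the point of an allowlist. If the business needs that destination, it is added to `ALLOWED_HOSTS`, not matched by substring.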