Open redirection attacks occur when an application accepts untrusted input that contains a URL value without sanitizing it. That URL value can cause the web application to redirect the user to another page, for example a malicious page controlled by the attacker. The attacker may successfully launch a phishing scam, steal user credentials, or bypass the application's access control checks and be forwarded to privileged functions that they would normally not be able to access.
Open redirections can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (when SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
- Testing for Client Side URL Redirect (WSTG-CLNT-04)
- Open redirection (reflected) (PortSwigger)
- Open redirection (stored) (PortSwigger)
- Open Redirect Cheat Sheet (PentesterLand), very good cheat sheet
Use an Open Redirection to bypass the SameSite=Strict cookie attribute with Cross-Site Request Forgery (CSRF).
Vulnerability description for reporting available in VulnDB (GitHub)
Redirects in URL parameters
Examples
http://domain.com/index.php?url=http://google.com
http://domain.com/index.php?url=//example.org
http://www.target.site?#redirect=www.fake-target.site
Bypass domain whitelisting
“https://victim.site.<BURP COLLABORATOR>” is a subdomain controlled by the attacker.
Use the URL validation bypass cheat sheet (PortSwigger)!
https://victim.site?redirect=https://victim.site.<BURP COLLABORATOR>
DOM-based
https://www.example.com/example#https://www.evil.com
http://www.victim.site/?#www.malicious.site
XSS in redirect parameter
http://domain.com/index.php?url=javascript:alert(1)
http://domain.com/index.php?url=data:text/html,<script>alert(document.domain)</script>
http://www.victim.site/?#javascript:alert(document.cookie)
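A server-side validator for the redirect parameter, added here as an example (it is not code from the original page or from any of the referenced sources). It rejects each payload family listed above: off-site absolute URLs, protocol-relative //host values, the attacker-controlled victim.site.<...> subdomain trick, and javascript:/data: schemes. The allowed host set and the default target are assumptions.

```python
from urllib.parse import urlsplit

# Hosts the application may redirect to (assumption for this example).
ALLOWED_HOSTS = {"victim.site", "www.victim.site"}
DEFAULT_TARGET = "/"


def safe_redirect_target(raw: str) -> str:
    """Return a redirect target that stays on the application's own hosts.

    Anything that could leave the site or execute script falls back to
    DEFAULT_TARGET; same-host absolute URLs are reduced to their path so the
    Location header never echoes attacker-supplied scheme or host text.
    """
    if not raw:
        return DEFAULT_TARGET
    # Drop control characters (tabs, newlines) and surrounding whitespace.
    candidate = "".join(ch for ch in raw if ch.isprintable()).strip()
    if "\\" in candidate:
        # Browsers normalise backslashes to slashes, so reject them outright.
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    # Reject javascript:, data: and every other non-http(s) scheme.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    if parts.netloc:
        # Exact host comparison: "victim.site.<other>" is a different host and
        # must fail, so no startswith()/endswith(); userinfo ("@") is refused.
        if "@" in parts.netloc or parts.hostname not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return _local_path(parts)
    # No host: accept only a single-slash absolute path ("//host" is a host).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET
    return _local_path(parts)


def _local_path(parts) -> str:
    """Rebuild path, query and fragment without scheme or host."""
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.fragment:
        path += "#" + parts.fragment
    return path
```

Call it on the raw value of the url / returnUrl / fwd parameter and redirect to its return value instead of the parameter itself; the DOM-based variants need the same check applied in the client before assigning to window.location.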
.NET MVC (fixed in MVC 3)
- Preventing Open Redirection Attacks (C#) (Microsoft), reference for .NET MVC
http://nerddinner.com/Account/LogOn?returnUrl=http://nerddiner.com/Account/LogOn
Java servlets
http://www.domain.com/function.jsp?fwd=admin.jsp
PoC
When you can control a link (<a href="">) in a webpage, host a webpage that displays "Hello" for a few seconds and then redirects to another page.
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Hello Page</title>
</head>
<body>
  <h1>Hello</h1>
  <p>Redirecting to the referring page...</p>
  <script>
    setTimeout(function () {
      // Get the referring URL
      var referringPage = document.referrer;
      // Redirect to the referring page
      if (referringPage) {
        window.location.href = referringPage;
      } else {
        // If there is no referring page, redirect to a default page
        window.location.href = "default_page.html";
      }
    }, 3000); // Redirect after 3 seconds
  </script>
</body>
</html>