Open-Redirects Uncovered: Real-World Bypass Techniques Revealed


David Eduardo Karpinski

System Weakness

Hey guys!
Today we will explore the Open-Redirect flaw, but with a more real-world approach, where most of the time you need a strategy to bypass defense mechanisms that are often poorly implemented and insecure (though they do stop a good share of the script kiddies).


In CTFs it is pretty common to find beginner-friendly, very vulnerable sites. In real life, however, it is difficult to find a website that is completely unprotected. A hacker's ideal is to find loopholes in the protection mechanisms guarding against a flaw, loopholes that usually stem from carelessness or poor sanitization.

So following "cake recipes" and inferring that the application is not vulnerable because a basic payload failed is a mistake: a basic payload not being enough to exploit a flaw does not mean the flaw is absent.

Open-Redirect is a flaw that allows attackers to take advantage of some redirect functionality to send a user to an external website and carry out a phishing attack. It can also be combined with other vulnerabilities, amplifying its impact. For our demonstration we will use OWASP Juice Shop.

Any redirection functionality within an application presents a potential attack vector. In our case, within the sidebar (accessible via the hamburger menu), there’s a link to GitHub:

Upon right-clicking, the browser offers the option to “Copy Clean Link,” revealing the destination:

https://juice-shop.herokuapp.com/redirect?to=https://github.com/juice-shop/juice-shop

When subjected to a basic payload test, the application blocks the redirect:

https://juice-shop.herokuapp.com/redirect?to=https://example.com

This behavior suggests that the application employs URL whitelisting, with entries like https://github.com/juice-shop/juice-shop. Attempting to circumvent this by removing the trailing /juice-shop from the URL proves futile.

Presumably, the application validates URLs against its whitelist by checking only how the URL ends. This hypothesis gains further credence when the redirect still works after random characters are prepended to the allowed URL. Consequently, if we append the allowed URL as a GET "parameter" to a malicious URL, redirection ensues:

https://juice-shop.herokuapp.com/redirect?to=http://example.com/?https://github.com/juice-shop/juice-shop

Voila! Our Open-Redirect exploit is successfully executed.

Happy Hunting!
