If you are not familiar with the concept of Open Redirects and Open Forwards, we suggest that you review the article entitled “What Is An Open Redirect?”.
Open Redirects are also known as Unvalidated Redirects, and that designation hints at the key to prevention: validation.
Avoiding Open Redirects
Strategies for avoiding and/or fixing Open Redirects include:
- Design around it: Unless there is a reason why URL information must be passed, avoid the problem entirely by implementing an alternative design.
- Validation: When a URL value is received by the application, it must be validated against a whitelist of legitimate values (for example, the application's own hosts and paths) and rejected if it is not a member of that list.
- Indirect References: In some cases, it may be possible to pass a (cryptographically strong) random value that represents the target URL and maintain a token:URL mapping on the server. Since URLs are never passed and the tokens are (practically) unguessable, the vulnerability is eliminated.
Although tangential to the topic, in all cases in which a redirect or forward will occur, the user’s permission to access that resource should be verified.
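The following is an added example, not code from the original article or from Affinity IT Security, showing the validation and indirect-reference strategies from the list above together with the permission check just mentioned. The allowed host name `www.example.com`, the sample target URLs, and the helper names (`is_safe_redirect`, `RedirectTokens`, `resolve_redirect`) are assumptions chosen for illustration; the `can_access` callback stands in for whatever authorization logic the application already has.

```python
import secrets
from typing import Callable, Optional
from urllib.parse import urlsplit

# Only web schemes may be followed; rejects javascript:, data:, etc.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(url: str, allowed_hosts: set) -> bool:
    """Whitelist check for a redirect target supplied by the client.

    Accepts only (a) a local path that begins with a single '/' or
    (b) an absolute http(s) URL whose hostname is in allowed_hosts.
    Anything else, including anything ambiguous, is rejected.
    """
    if not url:
        return False
    # Browsers strip tabs/newlines, which can hide a second scheme or host
    # from a naive parser; reject control characters outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    # Browsers treat '/\evil.example' like '//evil.example'; urlsplit does not.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be an absolute path on this site, not '//host'.
        return parts.path.startswith("/") and not parts.path.startswith("//")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # hostname is lower-cased and excludes userinfo ('user@') and the port,
    # so 'https://www.example.com@evil.example/' yields 'evil.example'.
    host = parts.hostname
    return host is not None and host in allowed_hosts


class RedirectTokens:
    """Indirect references: a server-side token -> URL map.

    The client only ever sees an unguessable token, never the URL itself,
    so there is no URL parameter for an attacker to tamper with.
    """

    def __init__(self) -> None:
        self._targets: dict = {}

    def register(self, url: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._targets[token] = url
        return token

    def resolve(self, token: str) -> Optional[str]:
        # Unknown or altered tokens resolve to nothing.
        return self._targets.get(token)


def resolve_redirect(
    url_param: Optional[str],
    token_param: Optional[str],
    allowed_hosts: set,
    tokens: RedirectTokens,
    can_access: Callable[[str], bool],
    default: str = "/",
) -> str:
    """Decide where to send the user; on any doubt, fall back to `default`.

    A token (indirect reference) is preferred; a raw URL is only honoured
    if it passes the whitelist check. Either way the user's permission to
    reach the resolved target is confirmed before the redirect is issued.
    """
    target = None
    if token_param is not None:
        target = tokens.resolve(token_param)
    elif url_param is not None and is_safe_redirect(url_param, allowed_hosts):
        target = url_param
    if target is None or not can_access(target):
        return default
    return target


if __name__ == "__main__":
    hosts = {"www.example.com"}
    for candidate in ["/account", "//evil.example/", "/\\evil.example",
                      "javascript:alert(1)",
                      "https://www.example.com@evil.example/",
                      "https://www.example.com/home"]:
        print(f"{candidate!r:45} -> {is_safe_redirect(candidate, hosts)}")
    registry = RedirectTokens()
    tok = registry.register("https://partner.example/return")  # constructed
    print(resolve_redirect(None, tok, hosts, registry, lambda u: True))
```

The relative-path branch deliberately accepts only paths that begin with exactly one slash: `//host` is scheme-relative and would leave the site, and a backslash after the leading slash is normalised to a second slash by browsers. Comparing `parts.hostname` rather than `parts.netloc` is what defeats the `trusted@evil` userinfo trick. Note that the check is an exact host match; if the application legitimately serves several hosts or ports, list each one explicitly rather than loosening the comparison to a suffix match.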
For additional information about detecting Open Redirects within a web application, please see the article entitled “How To Test For Open Redirects”.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.