If you are not already familiar with the concepts of “Open Redirect” and “Open Forward”, we would suggest that you first review “What Is An Open Redirect?”.
Detecting Open Redirects
Manually detecting Open Redirect vulnerabilities involves carefully examining HTTP requests for inputs (parameters and headers) whose values are URL references to other resources, either within or external to the application. Parameters named along the lines of next, returnUrl, redirect or url are typical, but the value matters more than the name. Such references may be partial (a path or host fragment that the application assembles into a full URL), or, in the easier case, complete URLs passed as inputs. Any such parameter is a candidate for testing as a potential Open Redirect vulnerability.
Using a web proxy, each candidate parameter is then assigned a “sentinel” value representing an arbitrary site outside the purview of the application (e.g. google.com, fbi.gov; a host you control is better, since you can confirm the hit in your own logs). Configure the proxy or client not to follow redirects automatically, otherwise the telltale Location header passes by unseen. The appearance of the sentinel URL in a subsequent response (for example in a Location header or an emitted link), OR the sudden arrival at the site named by the sentinel URL, is evidence of an Open Redirect vulnerability. Note that the former is not necessarily exploitable: the sentinel may simply be echoed into the page without any transfer to it, and must be confirmed manually.
Testing for an Open Forward is as simple as changing the value of the legitimate target resource to a different page within the application (a server-side forward never leaves the server, so external sentinels do not apply). A subsequent, unexpected transfer to the modified page strongly suggests the presence of an Open Forward vulnerability, which should then be tested for access to restricted pages and resources.
Automated web-application security testing tools will typically test for Open Redirect and Open Forward vulnerabilities by including malicious URL strings in their fuzzing of parameters and reporting on redirects to the malicious pages.
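The three manual steps above (spot URL-valued parameters, swap in a sentinel, read the response without following redirects) as a small Python script. This is an added example, not the article's own code: the target URL, the host name sentinel.invalid and the canned responses are all constructed for illustration, and the protocol-relative sentinel variant goes one step beyond the article's plain-URL test.

```python
"""Offline demonstration of the manual Open Redirect test described above.

Added example, not the article's code. The URL, responses and the host name
"sentinel.invalid" are constructed; .invalid is a reserved TLD that never resolves,
so a real test would use a host the tester controls.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENTINEL_HOST = "sentinel.invalid"  # hypothetical; substitute a host you control

# Full or partial URL references: scheme://, protocol-relative //, absolute path /,
# or a bare host such as "example.com" or "example.com/path".
_URL_REF = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|//|/|[\w-]+(?:\.[\w-]+)+(?:/|$))", re.I)


def looks_like_url_reference(value):
    """Step 1: does a parameter value look like a URL (or URL fragment) the app will use?"""
    return bool(_URL_REF.match(value.strip()))


def find_candidates(url):
    """Step 1 (continued): query parameters whose values are URL references."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(name, value) for name, value in params if looks_like_url_reference(value)]


def sentinel_payloads(host=SENTINEL_HOST):
    """Step 2: sentinel values. The full URL is the article's test; the protocol-relative
    form is added here because some filters reject a scheme but still accept //host."""
    return ["https://%s/" % host, "//%s/" % host]


def build_test_requests(url):
    """Step 2 (continued): one test URL per (candidate, payload), one parameter changed at a time."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tests = []
    for name, value in find_candidates(url):
        for payload in sentinel_payloads():
            query = [(k, payload if (k, v) == (name, value) else v) for k, v in params]
            tests.append((name, payload, urlunsplit(parts._replace(query=urlencode(query)))))
    return tests


def classify_response(status, headers, body, host=SENTINEL_HOST):
    """Step 3: interpret one response that was NOT followed automatically.

    "redirect"  - 3xx whose Location points at the sentinel host: an Open Redirect.
    "reflected" - sentinel only echoed in a header or the body: a lead that is not
                  necessarily exploitable (the article's caveat) and needs manual review.
    "none"      - sentinel neither followed nor reflected.
    """
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    if 300 <= status < 400 and urlsplit(location).hostname == host:
        return "redirect"
    if host in location or host in body:
        return "reflected"
    return "none"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so that Location can be inspected by hand."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(test_url, timeout=10):
    """Send one test request over the network and return (status, headers, body).
    Not used by the offline demo; point it only at targets you are authorised to test."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(test_url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # with redirects disabled, 3xx arrives here too
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")


# Constructed sample request: a login page with a "next" path and a non-URL "theme" decoy.
SAMPLE_URL = "https://app.example.test/login?next=/account&theme=dark"

# Constructed responses keyed by payload, standing in for what probe() would return:
# the full URL is bounced straight to the sentinel, while the protocol-relative form
# is merely echoed into a link.
CONSTRUCTED_RESPONSES = {
    "https://sentinel.invalid/": (302, {"Location": "https://sentinel.invalid/"}, ""),
    "//sentinel.invalid/": (200, {"Content-Type": "text/html"},
                            '<a href="//sentinel.invalid/">Continue</a>'),
}


def run_offline_demo(url=SAMPLE_URL):
    """Run steps 1-3 against the constructed responses; returns {(param, payload): verdict}."""
    verdicts = {}
    for name, payload, _test_url in build_test_requests(url):
        status, headers, body = CONSTRUCTED_RESPONSES[payload]
        verdicts[(name, payload)] = classify_response(status, headers, body)
    return verdicts


if __name__ == "__main__":
    for (name, payload), verdict in run_offline_demo().items():
        print("%-6s %-28s %s" % (name, payload, verdict))
```

The decoy parameter theme=dark is skipped at step 1, and only next is probed. A "redirect" verdict is the exploitable case; a "reflected" verdict is the weaker signal the article warns about and must be confirmed in the browser before being reported. To run against a live target, replace the CONSTRUCTED_RESPONSES lookup with a call to probe(test_url).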
For additional insight on how to prevent and fix Open Redirect vulnerabilities, please see the article entitled “How To Prevent Open Redirects“.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.