An “Open Redirect” (also known as an Unvalidated Redirect”) is a class of web-application vulnerability in which an attacker can cause a victim’s browser to visit a site of the attacker’s choosing.
Web-applications designed to pass URLs (references to other websites and content) from the client browser to the application server using HTTP request parameters or HTTP request headers, are at risk for Open Redirect exploitation unless they protect against it.
Open Redirect Example
Consider a web-application at which visitors might arrive from a variety of partner sites, and that later requires the visitor to be redirected back to a certain page of the referring site. Let’s assume that the destination page on the partner site differs from the originating page.
One design approach to implementing this requirement would be to pass a “destinationURL” as a parameter in the request that the application could remember and eventually use as the target of a “redirect” back to the browser when conditions warranted.
There is nothing wrong with this approach and it has been used extensively as a means to coordinate between different websites. However the application exhibits an “Open Redirect” vulnerability if the destinationURL can contain an arbitrary value.
If an attacker crafts a link that populates the destinationURL parameter with a malicious value (e.g. evil.com), at some point the application will redirect to it and becomes complicit in the attack. Sending this link to a victim uses the application as a springboard to get the user to a destination of the attacker’s choosing.
For additional insight into how to test for Open Redirects and Open Forwards, please see the article entitled: “How To Test For Open Redirects“.
For additional insight into how to prevent or fix Open Redirects and Open Forwards, please see the article entitled: “How To Prevent Open Redirects“.
Open Forwards
A variation on the Open Redirect vulnerability is one in which the application “forwards” to an internal (i.e. application controlled) page rather than redirecting the victim’s browser to an arbitrary site. That is, Open Forward typically uses the destinationURL as a reference to a page within the application. An Open Forward is less serious than an Open Redirect, and is actually a special case of the latter. Open Forwards can be a means to access restricted resources and thereby achieve privilege escalation.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.