Unvalidated redirects and forwards, also referred to as Open Redirect, are featured on OWASP's Top 10 list of the most critical web application security risks.
OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their Top 10 list one by one in our OWASP Top 10 blog series.
Unvalidated redirect vulnerabilities occur when an attacker can use a link on a trusted website to send the user on to an untrusted site of the attacker's choosing, because the site forwards to whatever destination it is given without checking it. This vulnerability is also often called Open Redirect.
Unvalidated redirects and forwards were ranked as uncommon in both the 2010 and 2013 editions of the OWASP Top 10.
However, even if the prevalence of this vulnerability across the internet as a whole is low, the resources or popularity of a site say little about whether it is likely to be vulnerable, partly because companies disagree on whether it counts as a vulnerability at all. Google, for example, does not classify an open redirect as a security issue, while Facebook does. It would therefore not be strange to find an unvalidated redirect on a Google domain, while Facebook would pay a bug bounty for the same finding on theirs.
The potential impact of Unvalidated Redirects and Forwards is usually not considered serious. The most common use is in phishing and other social engineering attacks, where the attacker still has to trick the user into following the link; what the open redirect adds is a link whose visible domain is the trusted site, which makes the lure more convincing but still lowers the impact of the vulnerability on its own.
It also happens that an open redirect is one step in a chained attack, where it is only one of several vulnerabilities used, for example to carry an OAuth authorization code or token to an attacker-controlled host through a redirect_uri that is only checked against the trusted domain. Such attacks are more advanced and therefore less common.
In most cases this vulnerability is very easy to exploit, which increases the likelihood of someone finding and abusing it.
There have, of course, been cases where it was much harder to exploit, but as the impact is limited, so is the time an attacker or tester will spend looking for it. This means it is mainly the easier cases of Unvalidated Redirects and Forwards that are discovered and exploited.
No widely publicised attack is known in which this vulnerability played a major part. It is possible that such attacks have happened, but as most serious uses involve social engineering, companies are rarely forthcoming about reporting them.
Let us assume there is a file (router.php) on the website responsible for internal redirects. A normal request would look something like this:
https://example.com/router.php?url=forum.php
The code for that script is the following (deliberately vulnerable: the parameter is passed straight into the Location header):
<?php header("Location: ".$_GET["url"]); die(); ?>
However, as there is no check whether the URL is really internal or external, an attacker is able to construct a URL like this as well:
https://example.com/router.php?url=https://phishing.com
There are a few possible ways to remediate this issue: do not derive the redirect target from user input at all, let the parameter select from a fixed table of known destinations, or validate the supplied URL against an allowlist of permitted hosts.
If none of these is possible, force all redirects through an interstitial page where the user has to click a button to confirm they are leaving the trusted site.
One common, but insufficient, remediation method is ensuring that the URL starts with a single slash (/). An attacker can easily bypass that by using //phishing.com instead of https://phishing.com: a protocol-relative URL also starts with a slash, and the browser resolves it to the phishing host using the current scheme. Browsers also treat a backslash like a slash in http(s) URLs, so /\phishing.com gets past the same check.
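The Python block below is an added example and not code from the original post or from Detectify's product; the page's own snippet is PHP, but the checks translate directly. It reproduces the insufficient leading-slash check, the fixed-table option, and an allowlist-based validator that rejects the //, /\ and userinfo tricks. The origin https://example.com, the allowlisted host docs.example.org, the NAMED_TARGETS table and the test inputs are assumptions made for the example.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed for this example: the site's own origin and the only external
# host the application is ever allowed to send users to.
SITE_ORIGIN = "https://example.com"
ALLOWED_EXTERNAL_HOSTS = {"docs.example.org"}

# For the "no user-controlled URL at all" option: the parameter carries a key
# into this table, never a URL (hypothetical destinations).
NAMED_TARGETS = {"forum": "/forum.php", "profile": "/profile.php"}


def naive_is_internal(url: str) -> bool:
    """The insufficient check described in the article: accept anything
    that starts with '/'. '//phishing.com' passes this test."""
    return url.startswith("/")


def resolve_named_target(key: str) -> str:
    """Safest option: look the key up in a fixed table; unknown keys go home."""
    return NAMED_TARGETS.get(key, "/")


def resolve_redirect(raw: str, base: str = SITE_ORIGIN) -> str:
    """Return an absolute redirect URL guaranteed to land on the site's own
    host or an allowlisted host, or the site root '/' when the input cannot
    be trusted. The result is rebuilt from parsed parts rather than echoed,
    so slash tricks such as '///host' cannot survive into the header."""
    base_host = urlsplit(base).netloc.lower()
    allowed_hosts = {base_host} | ALLOWED_EXTERNAL_HOSTS

    # Browsers strip or ignore control characters and whitespace in ways
    # that differ from server-side parsers; refuse them outright.
    if not raw or any(c.isspace() or ord(c) < 0x20 for c in raw):
        return "/"

    # Browsers treat '\' as '/' in http(s) URLs, so '/\phishing.com' is
    # really '//phishing.com'. Normalise before parsing.
    candidate = raw.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme not in ("", "http", "https"):
        return "/"  # javascript:, data:, mailto:, ...

    if parts.netloc == "":
        if parts.scheme != "":
            # 'https:phishing.com' parses with an empty netloc here, but a
            # browser would still navigate to phishing.com.
            return "/"
        # A genuinely relative reference: resolve it against our own origin.
        return urljoin(base + "/", candidate)

    # Absolute or protocol-relative URL: the host must match exactly.
    # Drop userinfo so 'https://example.com@phishing.com' compares as 'phishing.com'.
    host = parts.netloc.rsplit("@", 1)[-1].lower()
    if host not in allowed_hosts:
        return "/"
    # Rebuild the URL: always https, no userinfo, no fragment.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
```

The validator is deliberately strict: a port in the host part ("example.com:443") or a trailing dot does not match the allowlist and falls back to "/", and the response URL is assembled from the parsed components so that the browser never sees the raw parameter. Python's urlsplit does not parse exactly like a browser, which is why the backslash normalisation and the empty-netloc scheme check are there.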
Further reading:
OWASP: Top 10 2013: Unvalidated Redirects and Forwards
OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Detectify: Open Redirect Remediation Tips