khaleasi01
Feb 14, 2021

Open Redirection Vulnerability.

A vulnerability which no one talks about! Here I'm going to share what I have learnt about Open Redirection. This is not a hands-on tutorial, but you'll take a lil bit of knowledge from here.

What is Redirection?

Redirection is a functionality of a website that sends users to a different domain. Here "open redirection" refers to a redirection which is open: it can be identified by looking at the URL and it can be manipulated. Redirections are of two types: server side (e.g. the HTTP Location header in an HTTP response) and client side (e.g. HTML meta tags, DOM window.location).

• Not rewarding at all (from a bug bounty point of view).
• Mostly used with phishing.
• When combined with other attacks, an open redirect allows attackers to distribute malware from a malicious site or to steal OAuth tokens.

How do Open Redirections work?

Consider the following URL as an example:

https://www.google.com/?redirect_to=https://www.gmail.com

In this URL the user connects to google.com, but the site redirects the user to gmail.com. The server sends a 3xx response status code (most redirects use 302), which tells the browser to go to gmail.com: the code instructs the browser to send a GET request to the value of redirect_to, which is given in the Location header.

If google.com does not validate the redirection target, this functionality can be exploited. The attacker just needs to change the redirect_to value.

https://www.google.com/?redirect_to=https://www.attacker.com
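
One way to do the validation that is missing in the case above, as an added example that is not code from the original post. The origin www.example.com, the allowlist and the function names are assumptions made for illustration.

```javascript
// Added example: validate redirect_to before it reaches the Location header.
// ORIGIN, ALLOWED_HOSTS and FALLBACK are assumed values, not from the post.
const ORIGIN = "https://www.example.com"; // the site that issues the redirect
const ALLOWED_HOSTS = new Set(["www.example.com", "mail.example.com"]);
const FALLBACK = "/";

function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return FALLBACK;
  // Browsers treat "/\host" like "//host" and strip tabs/newlines,
  // so refuse backslashes and control characters outright.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return FALLBACK;

  let url;
  try {
    // Resolve against our own origin so relative paths such as "/inbox" work.
    url = new URL(raw, ORIGIN);
  } catch {
    return FALLBACK;
  }
  // Only https: this rejects javascript:, data: and plain http: targets.
  if (url.protocol !== "https:") return FALLBACK;
  // "https://www.example.com@other-host/" puts the trusted name in userinfo.
  if (url.username || url.password) return FALLBACK;
  // Exact match on host (includes any non-default port); no substring checks.
  if (!ALLOWED_HOSTS.has(url.host)) return FALLBACK;
  return url.href;
}

// Build the response the post describes: a 302 with a Location header,
// but with the redirect_to value validated first.
function redirectResponse(requestUrl) {
  const raw = new URL(requestUrl, ORIGIN).searchParams.get("redirect_to");
  return { status: 302, headers: { Location: safeRedirectTarget(raw) } };
}
```

Anything that fails a check is sent to the site's own home page instead of the supplied value.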

NOTE: When looking for these vulnerabilities, keep an eye on URL parameters with names such as url=, next=, redirect= and so on, or short ones such as u=, r= etc.

NOTE: All of these are parameter-based attacks.

1. Parameter-based attacks also include HTML meta tags and JavaScript. HTML meta tags can tell browsers to refresh the page and make a GET request to a different domain/URL. For example, consider the following meta tag:

<meta http-equiv="refresh" content="0; url=https://www.google.com/">

The content attribute has two parts: the first says how long the browser should wait before refreshing, in this case 0 seconds, and the second says where to go. This is possible when the attacker has access to change the content.

2. Parameter-based attacks can also use JavaScript code instead of HTML tags, where the redirection is done by modifying the window's location property through the DOM (Document Object Model). The DOM is an API for HTML and XML documents that allows developers to modify the structure, style and content of a web page. The location property specifies where to redirect. This is possible only if the website allows JavaScript to be executed. With one of these scripts we can redirect browsers:

window.location = "https://www.google.com/"

window.location.href = "https://www.google.com"

window.location.replace("https://www.google.com")

3. When we're looking for an open redirect vulnerability, we usually monitor our proxy history for a GET request, sent to the site we're testing, that includes a parameter specifying a URL redirect.
